Dark Reading
Sweeping Credential-Harvesting Heist Compromises 30K+ Fortinet Devices
Attackers are actively targeting various sectors across nearly 200 countries and already have compiled a list of working credentials for tens of thousands of compromised devices.
Elizabeth Montalbano, Contributing Writer
June 17, 2026
4 Min Read
A large-scale credential harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries.
Evidence of the credential harvesting was first spotted by security consultant Volodymyr Diachenko. Researchers from SOCRadar uncovered the campaign, which they dubbed "FortiBleed," when they found an exposed operational server belonging to the attackers, who are suspected to be Russian-speaking threat actors. This gave them visibility into the group's tooling, victim database, automation infrastructure, and verified credential repository, according to a report published Tuesday.
"The attacker's database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries," according to the report. "These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock."
No Fortinet Flaws, Just Pure Credential Theft
SOCRadar emphasized that it found no evidence of exploited Fortinet flaws in the operation and is treating it strictly as a credential-compromise campaign, albeit one that should be taken seriously, according to the report.
"The most striking thing about the FortiBleed breach is what's missing from it," Waseem Ahmed, head of engineering at Secure.com, tells Dark Reading. "There's no zero-day, no exploit, no actual 'bleed.' Despite the name, this isn't a vulnerability but a pile of credentials leaked in earlier Fortinet breaches, fired back at organizations that never bothered to change them."
Indeed, SOCRadar's analysis found that the compromised firewalls and VPNs often shared the same weakness in the targeted organizations' account hygiene: many of the harvested credentials belonged to generic administrator accounts, default or built-in Fortinet system accounts, or long-lived accounts whose passwords had never been rotated after previous breaches, the researchers said.
Various Sectors Affected by FortiBleed
The compromised devices so far comprise 21,108 unique IP addresses and 8,316 unique domains across government, telecommunications, healthcare, education, financial services, and critical infrastructure sectors, the researchers found. Among those, telecommunications accounted for over 5,600 compromised devices, while government organizations represented 591 across 111 domains.
Enterprise organizations generating more than $1 billion in annual revenue comprised more than 20% of affected devices, while India and the US reportedly accounted for nearly one-third of all identified credential compromises. Affected organizations were also found across Asia, Europe, the Americas, Africa, and the Middle East.
Given that the attack remains active and "Fortinet firewalls and VPN gateways are among the most widely deployed network security devices in the world," the ongoing threat is rated as "critical" and demands an immediate response from affected organizations, SOCRadar noted in the report. Indeed, these devices are often in the crosshairs of attackers, given their ubiquity and the entry into networks that they can provide.
"If your organization uses a Fortinet firewall or VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately," said SOCRadar.
A Self-Sustaining Compromise Model
The operation is built around a self-sustaining, fully automated attack chain in which attackers scan the Internet for Fortinet devices and then employ credential reuse, credential stuffing, and password spraying against exposed Fortinet management and VPN interfaces. As part of this, attackers used previously leaked Fortinet credentials and continuously validated successful logins through this automated scanning infrastructure, SOCRadar said.
Once a device is compromised, attackers "use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by," according to the report. The freshly collected passwords are then fed back into the scanner to compromise even more devices.
"The system feeds itself," the report stated.
Though the operation seems highly professional, the attackers did make a significant mistake in leaving a server exposed that "revealed far more about them than they intended," including clues to their identities and motives, the vendor said.
SOCRadar also said technical evidence points to Russian-speaking threat actors and noted that the victim selection was "heavily weighted toward organizations in NATO member countries." These attackers also appear to be motivated not only by financial gain but also potential cyber espionage, as credentials for what appears to be a defense industry VPN endpoint were among the recovered data, according to the post.
Immediate Mitigation Steps for FortiBleed
The campaign demonstrates the scale at which attackers can successfully weaponize credential reuse and poor password hygiene, especially when they use automation as a core part of their attack strategy. The lesson here for defenders, then, is that perimeter security appliances, especially those from Fortinet, remain high-value targets, and must be secured with more care and attention.
As mentioned, any organization using Fortinet firewalls or VPNs should take immediate action to secure these assets, including the immediate rotation of all administrative and VPN credentials. They also should enable multifactor authentication on all remote access and administrative accounts, according to SOCRadar.
Additionally, security teams should review all authentication and VPN logs for suspicious access; remove management interfaces from the public Internet where possible; upgrade devices to current firmware versions; and conduct an appropriate incident response investigation if a compromise is found or suspected.
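As an added illustration of the log review recommended above, and of the credential-stuffing and password-spraying pattern the "self-sustaining compromise model" section describes, here is a small triage script. It is example code written for this page, not code from SOCRadar, Fortinet or Dark Reading. It parses constructed log lines in the key=value style that FortiGate devices emit and flags two patterns per source IP: many distinct usernames failing from one source (spraying), and a successful login that follows repeated failures from the same source (a likely working credential). The field names (`action`, `status`, `user`, `remip`, `ui`), the event values, the thresholds and the sample IP addresses are assumptions chosen for the example; check them against your own devices' log reference before relying on the output.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log lines in the key=value style FortiGate devices use.
# Field names and values are assumptions for this example, not a verified
# log reference. IPs are documentation ranges (RFC 5737).
SAMPLE_LOGS = [
    'date=2026-06-16 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7 logdesc="SSL VPN login fail"',
    'date=2026-06-16 time=02:14:03 type="event" subtype="vpn" action="ssl-login-fail" user="administrator" remip=198.51.100.7 logdesc="SSL VPN login fail"',
    'date=2026-06-16 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=198.51.100.7 logdesc="SSL VPN login fail"',
    'date=2026-06-16 time=02:14:07 type="event" subtype="vpn" action="ssl-login-fail" user="fortigate" remip=198.51.100.7 logdesc="SSL VPN login fail"',
    'date=2026-06-16 time=02:14:09 type="event" subtype="vpn" action="tunnel-up" user="svc_backup" remip=198.51.100.7 logdesc="SSL VPN tunnel up"',
    'date=2026-06-16 time=02:20:44 type="event" subtype="system" action="login" status="failed" user="admin" ui="https(203.0.113.9)" logdesc="Admin login failed"',
    'date=2026-06-16 time=02:20:46 type="event" subtype="system" action="login" status="failed" user="admin" ui="https(203.0.113.9)" logdesc="Admin login failed"',
    'date=2026-06-16 time=02:20:48 type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.9)" logdesc="Admin login successful"',
    # A user mistyping a password once and then succeeding: normal, not flagged.
    'date=2026-06-16 time=08:03:12 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=192.0.2.44 logdesc="SSL VPN login fail"',
    'date=2026-06-16 time=08:03:40 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=192.0.2.44 logdesc="SSL VPN tunnel up"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Admin-login lines carry the client IP inside ui="https(a.b.c.d)" (assumed).
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def source_ip(rec: Dict[str, str]) -> Optional[str]:
    """Client address: remip for VPN events, the IP embedded in ui for admin logins."""
    if "remip" in rec:
        return rec["remip"]
    match = UI_IP_RE.search(rec.get("ui", ""))
    return match.group(1) if match else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return 'fail', 'success', or None for lines that are not login events."""
    action = rec.get("action", "")
    if action == "ssl-login-fail":
        return "fail"
    if action == "tunnel-up":
        return "success"
    if action == "login":
        return "success" if rec.get("status") == "success" else "fail"
    return None


def analyze(lines: List[str], spray_threshold: int = 3, fail_threshold: int = 2) -> List[dict]:
    """Aggregate login outcomes per source IP and return the sources worth triage.

    spray_threshold: distinct usernames that must fail from one IP to call it spraying.
    fail_threshold:  failures that must precede a success from the same IP to flag it.
    """
    per_ip = defaultdict(lambda: {"failed_users": set(), "failures": 0, "successes": []})
    for line in lines:
        rec = parse_line(line)
        outcome, ip = classify(rec), source_ip(rec)
        if outcome is None or ip is None:
            continue
        state = per_ip[ip]
        if outcome == "fail":
            state["failures"] += 1
            state["failed_users"].add(rec.get("user", ""))
        elif state["failures"] >= fail_threshold:
            # A success right after a run of failures is the strongest single signal.
            state["successes"].append(rec.get("user", ""))

    findings = []
    for ip, state in sorted(per_ip.items()):
        reasons = []
        if len(state["failed_users"]) >= spray_threshold:
            reasons.append(f"password spraying: {len(state['failed_users'])} distinct usernames failed")
        if state["successes"]:
            reasons.append(f"success after {state['failures']} failures for user(s): {', '.join(state['successes'])}")
        if reasons:
            findings.append({"ip": ip, "reasons": reasons, "users": sorted(state["failed_users"])})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(f"{finding['ip']}: " + "; ".join(finding["reasons"]))
```

On the constructed sample, 198.51.100.7 is flagged for both spraying and a success after failures, 203.0.113.9 for a success after repeated admin failures, and 192.0.2.44 (one typo, then success) is left alone. A credential that was already valid and is used cleanly produces no failures at all, so this kind of check must be paired with baselines such as unfamiliar source countries, logins outside working hours, or accounts that should never log in interactively.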
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.