FortiBleed – 70,000+ Fortinet Firewalls Compromised in Massive Exploitation Attack

Source: Cybersecurity News. Archived Jun 17, 2026.

By Guru Baran, June 17, 2026

An exhaustive cyber espionage campaign now dubbed “FortiBleed” has silently compromised over 73,932 unique Fortinet firewall URLs across 194 countries. Originally uncovered by security researcher Volodymyr “Bob” Diachenko and subsequently analyzed by Hudson Rock, this dataset reveals a highly automated, industrial-scale operation targeting FortiGate devices and SSL VPN gateways on an unprecedented global scale.

[Image: Fortinet credentials exposed (Source: Diachenko)]

Threat actors executed an estimated 1.16 billion credential-based attempts against over 320,000 FortiGate targets, while simultaneously launching an additional 2.1 billion brute-force attempts against more than 160,000 MSSQL servers, resulting in 21,632 unique compromised domains.

This campaign is attributed to a multi-operator, Russian-speaking cybercriminal group whose methodology goes well beyond simple credential stuffing. The group systematically swept the internet for exposed Fortinet instances, testing them against vast repositories of historical credential leaks harvested by infostealer malware. Once an initial foothold is established, attackers pivot directly into internal Active Directory environments, enabling deep, persistent network access that survives routine security checks.

One of the campaign’s most alarming technical vectors is the active interception of SSL VPN authentication hashes, which are subsequently cracked offline using a dedicated 45-GPU cluster managed via Hashtopolis. This means even organizations that believe their encrypted credentials are safe are actively exposed. Once the perimeter is breached, operators monitor traversing traffic to harvest additional logins, creating a self-reinforcing cycle of unauthorized access.

The scope of confirmed victims touches virtually every sector of the global economy. Diachenko’s research confirmed full network compromises at organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey, including, most critically, a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated. The attackers’ verified credential database includes some of the largest enterprises on the planet:

- Technology & Manufacturing: Foxconn, Samsung, Siemens, Lenovo, Oracle
- Professional Services: PwC, Accenture
- Telecommunications: Comcast
- Thousands of government entities and critical infrastructure providers

Perhaps the most sobering takeaway from this dataset is that password complexity offered zero protection. A significant volume of highly complex, 20-character passwords was successfully compromised not by cracking them from scratch, but because they already existed in plaintext within previously harvested infostealer databases.

[Image: Strong password example (Source: Hudson Rock)]

When credentials are stolen at the endpoint level before encryption is applied, no amount of complexity saves them. This fundamentally undermines the “strong password” policy as a perimeter defense strategy.

Hudson Rock has launched an online portal where organizations can verify whether their domains are included in the database.

Mitigation Steps

Organizations running Fortinet devices must treat this as a critical, active threat and act immediately:

- Force Credential Rotation: Reset all Fortinet VPN and admin interface passwords without delay; complexity is irrelevant if credentials have already leaked.
- Enforce Universal MFA: Apply Multi-Factor Authentication across all external gateways to neutralize stolen plaintext credentials.
- Audit Gateway Logs: Review Fortinet access logs for anomalous login locations, unexpected admin sessions, or unusual traffic volumes.
- Restrict Management Interface Exposure: Apply local-in policies to restrict admin panel access to trusted internal IPs only, and disable FortiCloud SSO if not essential.

The FortiBleed campaign is a stark reminder that perimeter security is only as strong as the credentials protecting it, and in a world saturated with infostealer-harvested data, the perimeter has never been more fragile.
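The "Audit Gateway Logs" step above can be partly automated. The following is an added example, not code from the article, Fortinet or the researchers it cites: it scans key=value event lines for admin logins from outside a trusted range, successes that follow repeated failures from the same source, and users appearing from a source not seen before. The field names (`srcip`, `remip`, `action`, `status`, `subtype`) are assumed to match your FortiOS log export, and the trusted range, threshold and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: admin logins are expected only from these management ranges.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",)]
FAIL_THRESHOLD = 3  # failures from one source before a success looks suspicious
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events in FortiOS-style key=value form (not real log data).
SAMPLE_LOG = """\
date=2026-06-17 time=01:00:00 subtype="system" action="login" status="success" user="admin" srcip=10.1.1.5
date=2026-06-17 time=02:10:01 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.50
date=2026-06-17 time=02:10:03 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.50
date=2026-06-17 time=02:10:05 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.50
date=2026-06-17 time=02:10:09 subtype="system" action="login" status="success" user="admin" srcip=203.0.113.50
date=2026-06-17 time=09:00:00 subtype="vpn" action="tunnel-up" user="jdoe" remip=192.0.2.10
date=2026-06-17 time=09:40:00 subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.7
date=2026-06-17 time=09:41:00 subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.7
"""

def parse(line):
    """Turn one key=value log line into a dict, handling quoted values."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def audit(log_text):
    """Return (user, source, reasons) for each successful login worth reviewing."""
    failures = defaultdict(int)   # source IP -> failed attempts seen so far
    seen = defaultdict(set)       # user -> sources of earlier successful logins
    findings = []
    for ev in map(parse, log_text.splitlines()):
        src, user, action = ev.get("srcip") or ev.get("remip"), ev.get("user"), ev.get("action")
        if not src or action not in ("login", "ssl-login-fail", "tunnel-up"):
            continue
        if action == "ssl-login-fail" or ev.get("status") == "failed":
            failures[src] += 1
            continue
        untrusted = not any(ipaddress.ip_address(src) in net for net in TRUSTED)
        reasons = []
        if ev.get("subtype") == "system" and untrusted:
            reasons.append("admin-login-from-untrusted-source")
        if failures[src] >= FAIL_THRESHOLD:
            reasons.append("success-after-repeated-failures")
        if seen[user] and src not in seen[user]:
            reasons.append("new-source-for-user")
        seen[user].add(src)
        if reasons:
            findings.append((user, src, reasons))
    return findings
```

Calling `audit(SAMPLE_LOG)` flags the external admin session and the VPN user's second source address; feed it the text of an exported event log to review real data.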