
FortiBleed – Fortinet Warns of Active Credential Harvesting Campaign Targeting FortiGate Devices

Cybersecurity News, archived Jun 22, 2026

By Guru Baran, June 22, 2026

Fortinet has issued an urgent security advisory warning customers of an ongoing credential-harvesting campaign targeting FortiGate appliances, dubbed “FortiBleed” by threat researchers. According to the company’s analysis shared by Carl Windsor, the activity does not stem from a new vulnerability but rather exploits previously disclosed security gaps combined with poor password hygiene and absent multi-factor authentication (MFA).

“FortiBleed” reportedly impacts up to 86,000 internet-facing FortiGate firewalls and VPN appliances across 194 countries, making it one of the most significant Fortinet security incidents to date.

FortiBleed is not a zero-day. Fortinet’s investigation indicates threat actors are recycling credentials from two previously documented incidents, tracked as FG-IR-26-060 and FG-IR-25-647, and pairing them with AI-accelerated brute-force techniques against internet-exposed FortiGate devices that lack strong credential controls.

Fortinet noted that this campaign is unrelated to any recent vulnerability disclosure, stressing that customers who completed remediation steps from the earlier advisories should not be affected. The company confirmed it has proactively identified potentially compromised systems and is contacting impacted customers directly, while also coordinating with relevant government agencies.

The primary attack vector involves weak or reused administrative and VPN credentials on internet-facing FortiGate appliances, amplified by the absence of MFA.
Once threat actors gain access, observed post-exploitation behavior includes unauthorized configuration changes, creation of rogue accounts (flagged examples include usernames such as “forticloud,” “fortiuser,” “fortinet-support,” and “fortinet-tech-support”), and potential lateral movement into internal networks, particularly through Active Directory or LDAP-integrated environments.

CISA has issued an urgent advisory warning organizations to secure their Fortinet devices following reports of a large-scale credential exposure campaign.

Immediate Remediation Steps

Fortinet is urging all FortiGate customers to take the following actions without delay:

- Terminate all admin and VPN sessions and immediately reset all Fortinet VPN and administrative credentials, particularly on internet-facing systems
- Enforce MFA across all administrator and VPN user accounts
- Upgrade FortiOS to versions 7.4, 7.6, or 8.0, which support PBKDF2 hashing for administrator credentials; remove legacy password settings using set login-lockout-upon-weaker-encryption
- Audit configurations against a known-good baseline, paying close attention to unauthorized account additions or policy changes
- Review logs for unexpected administrative access from unknown IPs and monitor domain controller logs for signs of lateral movement or suspicious account activity
- Restrict management access by limiting it to trusted hosts, applying local-in policies, or removing internet-facing administration entirely

Organizations that discover unauthorized configuration changes, unrecognized VPN users, or unexpected password resets should treat their devices as fully compromised. Fortinet recommends following its published incident recovery guidance and, if AD/LDAP integration is in place, treating those accounts as compromised and monitoring the directory for anomalous authentication or new account creation.
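The baseline audit from the remediation steps can be scripted against configuration backups. The sketch below is an added example, not code from Fortinet or the original article. It assumes the usual FortiOS backup layout (config / edit / set / next / end), assumes an account without a "set two-factor" line has no MFA, and uses finding labels invented for illustration. It reports accounts that are missing from the baseline, carry one of the rogue names listed above, lack MFA, or (for administrators) have no trusted hosts.

```python
# Rogue account names listed in the article. Sample configs below are constructed.
FLAGGED = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}
SECTIONS = ("config system admin", "config user local")

def parse_accounts(config_text):
    """Return {(section, name): {setting: value}} from a config backup."""
    accounts, section, name, depth = {}, None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if section is None:
            if line in SECTIONS:
                section, name, depth = line, None, 1
        elif line.startswith("config "):
            depth += 1  # nested block inside an account entry
        elif line == "end":
            depth -= 1
            section = section if depth else None
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            accounts[(section, name)] = {}
        elif depth == 1 and line.startswith("set ") and name:
            key, _, value = line[4:].partition(" ")
            accounts[(section, name)][key] = value
    return accounts

def audit(baseline_text, current_text):
    """Return sorted (account, finding) pairs for the current config."""
    base, findings = parse_accounts(baseline_text), []
    for (section, name), cfg in parse_accounts(current_text).items():
        if name.lower() in FLAGGED:
            findings.append((name, "name reported in campaign"))
        if (section, name) not in base:
            findings.append((name, "not in baseline"))
        if cfg.get("two-factor", "disable") == "disable":
            findings.append((name, "no MFA"))
        if section == SECTIONS[0] and not any(k.startswith("trusthost") for k in cfg):
            findings.append((name, "no trusted hosts"))
    return sorted(findings)

BASELINE = '''config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
'''
ROGUE = '    edit "fortinet-support"\n        set accprofile "super_admin"\n    next\n'
CURRENT = BASELINE.replace("end\n", ROGUE + "end\n")
print(audit(BASELINE, CURRENT))  # constructed samples, not device output
```

A name match alone is only a lead, since the article gives those usernames as examples; any account that is absent from the baseline warrants review regardless of its name.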
For organizations suspecting internal network compromise, Fortinet’s FortiGuard Incident Response team is available for scoping engagements. The campaign’s reliance on previously exposed credentials rather than novel exploits highlights the critical importance of completing vendor-issued remediation steps promptly and enforcing consistent MFA and strong password policies across all administrative interfaces.