FortiBleed – Fortinet Warns of Active Credential Harvesting Campaign Targeting FortiGate Devices
By Guru Baran
June 22, 2026
Fortinet has issued an urgent security advisory warning customers of an ongoing credential-harvesting campaign targeting FortiGate appliances, dubbed “FortiBleed” by threat researchers.
According to the company’s analysis shared by Carl Windsor, the activity does not stem from a new vulnerability but rather exploits previously disclosed security gaps combined with poor password hygiene and absent multi-factor authentication (MFA).
“FortiBleed” reportedly impacts up to 86,000 internet-facing FortiGate firewalls and VPN appliances across 194 countries, making it one of the most significant Fortinet security incidents to date.
FortiBleed is not a zero-day. Fortinet’s investigation indicates threat actors are recycling credentials from two previously documented incidents (tracked as FG-IR-26-060 and FG-IR-25-647) and pairing them with AI-accelerated brute-force techniques against internet-exposed FortiGate devices that lack strong credential controls.
Fortinet noted that this campaign is unrelated to any recent vulnerability disclosure, stressing that customers who completed remediation steps from the earlier advisories should not be affected.
The company confirmed it has proactively identified potentially compromised systems and is contacting impacted customers directly, while also coordinating with relevant government agencies.
The primary attack vector involves weak or reused administrative and VPN credentials on internet-facing FortiGate appliances, amplified by the absence of MFA.
Once threat actors gain access, observed post-exploitation behavior includes unauthorized configuration changes, creation of rogue accounts (flagged examples include usernames such as “forticloud,” “fortiuser,” “fortinet-support,” and “fortinet-tech-support”), and potential lateral movement into internal networks, particularly through Active Directory or LDAP-integrated environments.
CISA has issued an urgent advisory warning organizations to secure their Fortinet devices following reports of a large-scale credential exposure campaign.
Immediate Remediation Steps
Fortinet is urging all FortiGate customers to take the following actions without delay:
Terminate all admin and VPN sessions and immediately reset all Fortinet VPN and administrative credentials, particularly on internet-facing systems
Enforce MFA across all administrator and VPN user accounts
Upgrade FortiOS to 7.4, 7.6, or 8.0, which support PBKDF2 hashing for administrator credentials, and remove legacy password settings using set login-lockout-upon-weaker-encryption
Audit configurations against a known-good baseline, paying close attention to unauthorized account additions or policy changes
Review logs for unexpected administrative access from unknown IPs and monitor domain controller logs for signs of lateral movement or suspicious account activity
Restrict management access by limiting it to trusted hosts, applying local-in policies, or removing internet-facing administration entirely
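The audit and log-review steps above, as an added example that is not part of the article or of Fortinet's own guidance: a small Python script that parses a FortiOS-style "config system admin" export, flags administrator accounts that are absent from a known-good baseline (including the rogue usernames named in the advisory), that carry no trusthost restriction, or that have no two-factor setting, and then scans FortiOS-style key=value event-log lines for successful admin logins from outside a trusted management range and for admin-account creation. The config fragment, log lines, baseline admin set and trusted networks are constructed for the example; the setting names trusthost1 and two-factor follow FortiOS CLI syntax as an assumption and should be checked against the release in use.

```python
"""Audit a FortiGate CLI config export and event log for the post-compromise
indicators described in the advisory (added example, not Fortinet's code)."""
import ipaddress
import re

# Usernames the advisory flags as rogue accounts observed in the campaign.
FLAGGED_USERNAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}

# Constructed baseline of the admin accounts that are supposed to exist (assumption).
BASELINE_ADMINS = {"admin", "netops"}

# Constructed trusted management source ranges (assumption).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed config fragment in FortiOS CLI export syntax; one known account,
# one baseline account with weak settings, and one account matching a rogue name.
CONFIG_FRAGMENT = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.0.0.0
        set two-factor fortitoken
    next
    edit "netops"
        set accprofile "super_admin"
    next
    edit "fortinet-support"
        set accprofile "super_admin"
    next
end
"""

# Constructed event-log lines approximating FortiOS key=value syslog output.
LOG_LINES = [
    'date=2026-06-20 time=08:12:44 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" srcip=10.1.2.3 action="login" status="success"',
    'date=2026-06-20 time=23:41:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" srcip=198.51.100.77 action="login" status="success"',
    'date=2026-06-20 time=23:43:10 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="fortinet-support"',
]


def parse_admin_accounts(config_text):
    """Return {name: {setting: value}} for entries under 'config system admin'.
    Handles the edit / set / next / end grammar of a CLI export only."""
    accounts, in_admin, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config system admin"):
            in_admin = True
            continue
        if not in_admin:
            continue
        if line == "end":
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            accounts[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+)\s+(.*)", line)
        if m and current is not None:
            accounts[current][m.group(1)] = m.group(2)
    return accounts


def audit_admins(config_text, baseline):
    """Compare admin accounts against the baseline and the advisory's hardening steps."""
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        if name in FLAGGED_USERNAMES:
            findings.append((name, "matches campaign rogue-account name"))
        elif name not in baseline:
            findings.append((name, "not in baseline"))
        if not any(k.startswith("trusthost") for k in settings):
            findings.append((name, "no trusthost restriction"))
        if "two-factor" not in settings:
            findings.append((name, "no two-factor setting"))
    return findings


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split a FortiOS-style key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def review_logs(lines, trusted_nets):
    """Flag successful admin logins from untrusted sources and admin-account creation."""
    alerts = []
    for line in lines:
        ev = parse_log_line(line)
        src = ev.get("srcip")
        if ev.get("action") == "login" and ev.get("status") == "success" and src:
            if not any(ipaddress.ip_address(src) in net for net in trusted_nets):
                alerts.append(("admin_login_untrusted_src", ev.get("user"), src))
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            obj = ev.get("cfgobj", "")
            tag = "rogue_admin_created" if obj in FLAGGED_USERNAMES else "admin_created"
            alerts.append((tag, ev.get("user"), obj))
    return alerts


if __name__ == "__main__":
    for finding in audit_admins(CONFIG_FRAGMENT, BASELINE_ADMINS):
        print("CONFIG:", finding)
    for alert in review_logs(LOG_LINES, TRUSTED_MGMT_NETS):
        print("LOG:", alert)
```

Run it against a real "show system admin" export and a syslog extract from the device; any hit on a flagged username or an admin login from outside the management range is the trigger, per the advisory, for treating the device as fully compromised rather than simply deleting the account.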
Organizations that discover unauthorized configuration changes, unrecognized VPN users, or unexpected password resets should treat their devices as fully compromised.
Fortinet recommends following its published incident recovery guidance and, if AD/LDAP integration is in place, treating those accounts as compromised and monitoring the directory for anomalous authentication or new account creation.
For organizations suspecting internal network compromise, Fortinet’s FortiGuard Incident Response team is available for scoping engagements.
The campaign’s reliance on previously exposed credentials rather than novel exploits highlights the critical importance of completing vendor-issued remediation steps promptly and enforcing consistent MFA and strong password policies across all administrative interfaces.
Tags
cyber security
cyber security news
Guru Baran, https://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.