Industry News & Leadership · Jun 22, 2026

No Zero-Day Tied to 80,000 Harvested Fortinet Credentials

Data Breach Today · Archived Jun 22, 2026

Researchers and Vendor Both Cite Previously Leaked Credentials, Brute-Force Attacks

The FortiBleed campaign harvesting and selling working credentials for 80,000 Fortinet firewalls and SSL-VPN gateways doesn't appear to tie to a zero-day exploit, but rather to attackers reusing leaked credentials or brute-forcing systems with weak password hygiene, the vendor and experts said.



Mathew J. Schwartz (euroinfosec) • June 22, 2026
Image: Shutterstock/Fortinet/ISMG

A hacker feeding frenzy over valid credentials for approximately 80,000 Fortinet firewalls and SSL-VPN gateways doesn't appear to have a zero-day compromise as its root cause. That's the conclusion of the security appliance maker as well as independent researchers tracking the so-called FortiBleed campaign.

Cybersecurity firm SOCRadar, which coined the "FortiBleed" moniker, gained access to the infrastructure used by the Russian-speaking attackers and studied their tools, scripts and a database of compromised credentials. "Based on our analysis to date, this appears to be a credential compromise issue rather than a compromise of Fortinet products themselves," with attackers testing passwords revealed in previous compromises to see if they still work, the firm said (see: Crime Gang Sells Access to 74,000 Fortinet Firewall Devices). "FortiGate firewalls and FortiOS SSL-VPN gateways are the primary targets," and attackers' credential harvesting began in February and remains active, it warned.

On Saturday, a threat actor with the handle "Anon-WMG" announced for sale on a darknet forum "[ FortiBleed ] FortiGate / Fortinet Access" for $25,000, said threat intelligence firm Kela. The listing claims the data includes the URL, username, password, domain name and revenue of the organization, tied to 35,000 Fortinet and FortiGate gateways across 194 countries. "The actor referenced the FortiBleed campaign in the post, indicating that the offered data may be linked to the previously disclosed activity," Kela told ISMG.
Fortinet CISO Carl Windsor said these credentials appear to have been obtained using at least two different tactics, neither involving unpatched vulnerabilities. "Based on our initial analysis, we believe the activity involves threat actors reusing credentials from previous incidents," as well as brute-forcing passwords on devices with weak passwords, for which administrators have not enabled multifactor authentication, he said in a Friday blog post.

For stealing credentials, Windsor said attackers appear to be favoring vulnerabilities for which Fortinet issued patches five and six months ago. One target is a single sign-on login authentication bypass vulnerability patched last December, assigned CVE-2025-59718 and CVE-2025-59719. The other target is CVE-2026-24858, an authentication bypass vulnerability Fortinet patched in January (see: Fortinet Locks Down FortiCloud SSO Amid Zero-Day Attacks).

SOCRadar said that after attackers gain access to Fortinet devices, they're installing a Golang-based credential-harvesting tool called FortigateSniffer that uses legitimate device commands to harvest traffic being handled by the firewalls. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices. The actors then crack, validate and reuse the credentials against Active Directory domains and other exposed services," it said.

The FortiGate-targeting campaign came to light on June 12, when veteran cybersecurity researcher Volodymyr "Bob" Diachenko spotted it while reviewing threat intelligence data gathered by Hunt Intelligence. Threat intelligence firm Hudson Rock obtained a copy of the stolen data, stating Friday that it contained credentials tied to 74,000 firewall URLs across 194 countries, affecting 21,453 different domains.
The firm said it "distributed localized data" to various national computer emergency response teams, and noted that "their rapid mobilization to notify and protect entities within their jurisdictions has been nothing short of impressive." Hudson Rock set up a free portal that organizations can use to see if their Fortinet devices are contained in the data dump, and both Britain's National Cyber Security Centre and the Israel National Cyber Directorate have recommended it as a resource for potential victims. "Following confirmation of impact, organizations can reach out directly through the tool to receive a full ethical disclosure regarding their exposure," Hudson Rock said, noting that as of Friday, it provided such details to 2,732 victim organizations and counting.

By Sunday, SOCRadar said attackers' database of stolen information contained more than 86,644 confirmed working login credentials for corporate firewalls and VPN gateways across 194 countries, with the victim list including a heavy concentration of NATO member states. The greatest number of entries tie to organizations in India, followed by the United States, as visualized by non-profit cybersecurity organization Shadowserver Foundation. "These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock," SOCRadar said. The firm is also offering a free FortiBleed Check tool and on Monday reported that "new compromised devices" continue to be added by the attackers, which it said appears to be an initial access broker.

Kela said the same threat actor advertising the 35,000 Fortinet credentials, "Anon-WMG," previously offered on darknet forums initial access to a number of firms. On May 7, this included a listing for access to a healthcare and life sciences sector organization in the United Arab Emirates with $10 million in revenue, followed by a May 24 listing for access to a U.S. technology firm with $1.6 billion in revenue, for $10,000, with the same price listed for a June 7 advertisement for access to an Israel-based telecommunications firm with $2.6 billion in revenue. Whether any of these "accesses" resulted from the Fortinet device-targeting campaign isn't clear.

Fortinet said it's contacting all customers with potentially affected systems to assist. The company issued a set of recommendations for any organization using an affected device, including terminating all admin and VPN sessions and resetting credentials, ensuring multifactor authentication is active for admin as well as VPN accounts, and reviewing logs for signs of unusual activity and unauthorized configuration changes.

The vendor also advised all organizations to ensure their devices are running FortiOS versions 7.4, 7.6 or 8.0, which replace legacy SHA256 password hashing with Password-Based Key Derivation Function 2 (PBKDF2). One caveat, which Fortinet has continued to emphasize, is that upgrading firmware to a PBKDF2-capable version doesn't rehash or rotate existing credentials: admins must actively reset the accounts still stored as SHA256 hashes. That matters for two reasons. If attackers hold previously leaked passwords, those passwords keep working against un-rotated accounts regardless of the firmware version. And if attackers can obtain configuration files from Fortinet appliances, the SHA256 hashes can be cracked offline relatively easily, recovering admin credentials as plaintext.
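The hashing caveat above is easy to get wrong in practice, so here is an added Python illustration (not Fortinet code, and not FortiOS's real configuration format). It models an admin table right after a firmware upgrade in which two accounts have been migrated to salted PBKDF2 and one still carries its pre-upgrade hash, then shows the three consequences the article describes: the old password still authenticates, the legacy hash falls to an offline dictionary run over a constructed "previous breach" list while the PBKDF2 entries do not, and each PBKDF2 guess costs orders of magnitude more than a legacy guess. The `sha256$` / `pbkdf2$` storage layout, the treatment of the legacy scheme as a single unsalted SHA-256, and the account names are all assumptions for the example; the audit function `legacy_accounts` is the check an admin would run to find what still needs resetting.

```python
"""Legacy SHA-256 vs PBKDF2 password storage, and why a firmware upgrade alone
does not retire old hashes. Added example; storage format and accounts are
illustrative assumptions, not FortiOS internals."""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERS = 600_000   # work factor for the migrated scheme (illustrative choice)


def hash_legacy(password: str) -> str:
    # Assumed legacy scheme: one unsalted SHA-256 per guess, i.e. cheap to brute-force offline.
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: bytes = b"") -> str:
    # Salted, iterated derivation: each guess costs PBKDF2_ITERS HMAC-SHA256 evaluations.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Accept either scheme; this is exactly why un-rotated legacy entries keep working."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha256":
        return hmac.compare_digest(rest, hashlib.sha256(password.encode()).hexdigest())
    iters, salt_hex, dk_hex = rest.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def legacy_accounts(admins: dict) -> list:
    """Audit step: accounts still on the legacy hash after the upgrade must be reset."""
    return sorted(u for u, h in admins.items() if h.startswith("sha256$"))


def rotate(admins: dict, user: str, new_password: str) -> dict:
    """The remediation: a password reset is what moves an account onto PBKDF2."""
    admins[user] = hash_pbkdf2(new_password)
    return admins


def crack_legacy(stored: str, wordlist: list) -> Optional[str]:
    """Offline dictionary attack against a hash pulled from a leaked config file."""
    return next((w for w in wordlist if verify(stored, w)), None)


def slowdown_factor(guesses: int = 3) -> float:
    """Measured cost of one PBKDF2 guess relative to one legacy SHA-256 guess."""
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.sha256(f"guess{i}".encode()).hexdigest()
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), b"\x00" * 16, PBKDF2_ITERS)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


# Constructed admin table as it might look right after the upgrade: two migrated, one not.
ADMINS = {
    "admin":  hash_pbkdf2("Correct-Horse-Battery-9!"),
    "backup": hash_legacy("Fortinet123"),            # pre-upgrade hash, never rotated
    "audit":  hash_pbkdf2("audit-only-RO-2026"),
}
# Constructed "previously leaked" password list, standing in for an earlier breach dump.
LEAKED = ["password", "admin", "Fortinet123", "Summer2025!"]

if __name__ == "__main__":
    print("still on legacy hash:", legacy_accounts(ADMINS))
    print("old password works:", verify(ADMINS["backup"], "Fortinet123"))
    print("legacy cracked from leak list:", crack_legacy(ADMINS["backup"], LEAKED))
    print("pbkdf2 cracked from leak list:", crack_legacy(ADMINS["admin"], LEAKED))
    print(f"pbkdf2 guess is ~{slowdown_factor():.0f}x the cost of a legacy guess")
    fixed = rotate(dict(ADMINS), "backup", "n3w-Long-Passphrase!")
    print("after rotation, still on legacy hash:", legacy_accounts(fixed))
```

Note that `crack_legacy` against a PBKDF2 entry returns nothing here only because the passphrase isn't in the list; PBKDF2 doesn't make a weak or reused password safe, it makes each wrong guess expensive, which is why Fortinet pairs the upgrade advice with credential resets and MFA rather than relying on the hash change alone.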