Arctic Wolf Security Bulletin

Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries

Summary

In mid-June 2026, security researchers identified an active, large-scale credential compromise campaign affecting Fortinet FortiGate firewalls, dubbed FortiBleed. Threat actors have been systematically extracting configuration files from internet-facing FortiGate devices and cracking the stored credential hashes, resulting in verified working administrator credentials for between 30,000 and 75,000 devices across 194 countries.

SOCRadar’s research identified operational infrastructure belonging to the threat group, including databases of validated credentials organized by country, sector, and organization revenue. The dataset contains confirmed working login credentials for over 30,791 devices. Beaumont’s analysis, conducted in collaboration with Hudson Rock, estimates approximately 75,000 devices affected, representing roughly 50% of all internet-facing Fortinet firewalls based on Shodan data.

The campaign’s effectiveness likely stems from the way credentials have historically been stored within FortiGate configuration files. Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism. However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade. As a result, many organizations likely continue to store administrator credentials using the older salted SHA-256 hashing mechanism.

Recommendations

Rotate Credentials and Enable Multi-Factor Authentication

Organizations using Fortinet firewalls or SSL VPN gateways should immediately reset administrative and VPN credentials, particularly for devices that are exposed to the internet or may have been impacted by previous compromises. Multi-factor authentication (MFA) should be enforced on all administrative and remote access accounts to reduce the effectiveness of compromised credentials and prevent unauthorized access through password reuse.

Limit Access to Management Interfaces on the Public Internet

Arctic Wolf strongly recommends restricting firewall management interface access to trusted internal networks on all firewall devices, regardless of vendor. For Fortinet FortiGate firewall devices, see the following documentation for an outline of security hardening best practices: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/system-administrator-best-practices

Enforce PBKDF2 Hashing for all Administrator Accounts

After upgrading FortiOS, require all administrators to log in to the firewall at least once: a successful login automatically re-hashes the stored password with PBKDF2. Where that is not feasible, manually update the passwords of the remaining administrators using a super_admin account.

Note: According to Fortinet, after a password is updated to a PBKDF2 hash, the previous SHA-256 hash remains stored in the hidden ‘old-password’ setting for backward compatibility. The ‘old-password’ setting is not visible to administrators logged in to the firewall, but it can be observed in a configuration backup taken by a super_admin. In FortiOS 7.2.x and 7.4.x, to fully remove SHA-256 hashes stored in old-password, enable the ‘login-lockout-upon-weaker-encryption’ setting under system password-policy.
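To verify that the two steps above actually took effect, a defender can audit a super_admin configuration backup for administrator entries whose password hash is still in the legacy format or whose hidden old-password field still carries one. The script below is an added example, not Arctic Wolf or Fortinet code; it assumes legacy hashes carry the SH2 (salted SHA-256) or AK1 prefix and treats any other value as the newer format, and the embedded backup excerpt and hash values are constructed placeholders.

```python
import re

# Constructed excerpt of a FortiGate configuration backup (not a real export).
# Hash values are made-up placeholders of the right general shape.
SAMPLE_BACKUP = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2PLACEHOLDERLEGACYHASH00000000000000000000000000000000=
    next
    edit "netops"
        set accprofile "super_admin"
        set password ENC PLACEHOLDERNEWFORMATHASH000000000000000000000000000000000=
        set old-password ENC SH2PLACEHOLDERLEGACYHASH1111111111111111111111111111111=
    next
    edit "auditor"
        set accprofile "prof_admin"
        set password ENC PLACEHOLDERNEWFORMATHASH111111111111111111111111111111111=
    next
end
"""

# Assumption: legacy hashes are prefixed SH2 (salted SHA-256) or AK1 (older SHA-1).
LEGACY_PREFIXES = ("SH2", "AK1")


def audit_admin_hashes(config_text):
    """Map each account in 'config system admin' to one of:
    'legacy'       - current password is still a legacy (SH2/AK1) hash,
    'old-password' - current hash is newer, but a legacy hash lingers in old-password,
    'ok'           - no legacy hash found for this account."""
    findings = {}
    section = re.search(r"config system admin\n(.*?)\nend", config_text, re.S)
    if not section:
        return findings
    for m in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', section.group(1), re.S):
        name, body = m.group(1), m.group(2)
        pw = re.search(r"set password ENC (\S+)", body)
        old = re.search(r"set old-password ENC (\S+)", body)
        if pw and pw.group(1).startswith(LEGACY_PREFIXES):
            findings[name] = "legacy"
        elif old and old.group(1).startswith(LEGACY_PREFIXES):
            findings[name] = "old-password"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for account, state in audit_admin_hashes(SAMPLE_BACKUP).items():
        print(f"{account}: {state}")
```

Accounts reported as 'legacy' still need a post-upgrade login or a manual password reset; accounts reported as 'old-password' indicate that login-lockout-upon-weaker-encryption has not yet purged the retained SHA-256 hash.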
