FortiBleed Leak Exposes 73,000 Fortinet VPN Credentials


Cyber threat actors successfully targeted and gained access to nearly 73,000 internet-connected Fortinet VPN and firewall devices globally.

Security researcher Bob Diachenko confirmed that the leaked data is legitimate, highly organized, and actively weaponized. Alarmingly, this data dump represents roughly 50% of all internet-accessible Fortinet firewalls globally, exposing massive Fortune 500 enterprises, critical infrastructure, and even a NATO defense contractor.

“Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action. Thousands of top vendors’ instances are listed in the files like this (see screenshot). This one alone has 21,634 domain names – from Chevron to Fortinet itself. All – with potentially working passwords to the FortiGate appliances obtained through various means.

Crooks use a sophisticated hash-cracking approach to get the plaintext passwords from the FortiGate configs and use them consequently in the internal network movement and takeover.”

Key Points & Attack Mechanics

To understand why this happened, we have to look at the threat actor’s highly systematic workflow:

  • Massive Brute-Force Infrastructure: The threat actors executed over 1.16 billion credential attempts against FortiGate targets and another 2.1 billion attempts against Microsoft SQL servers using automated botnets.
  • The “Legacy Hash” Trap: In early 2025, Fortinet hardened its administrative credential storage by upgrading to a stronger hashing algorithm (PBKDF2). However, this upgrade only applied to accounts that actively logged in after the firmware update was installed. Millions of devices continued to store existing credentials using the older, weaker SHA-256 with Salt format.
  • Offline Decryption: The attackers managed to extract these legacy configuration files and cracked the weaker cryptographic hashes offline using a massive, dedicated 45-GPU cluster managed via Hashtopolis.
  • The Illusion of Password Complexity: The leaked database contains a high volume of incredibly long and complex enterprise passwords. Because the attackers successfully extracted and cracked the hashes to reveal plaintext, traditional “strong password rules” were completely neutralized.
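To make the “legacy hash trap” concrete, here is an added example (not Fortinet’s code and not a description of FortiOS internals) of a credential store that only re-hashes an account when that account next logs in successfully, together with the audit a defender would run to list accounts still sitting in the legacy format. The `SHA256$…` and `PBKDF2$…` string layouts, the `login` and `audit_legacy` helpers, the iteration count and the sample accounts are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Added example: a credential store that upgrades hashes lazily, on login.
# The stored-string layouts below are assumptions for illustration, not the
# FortiOS on-disk format:
#   legacy: "SHA256$<salt_hex>$<sha256(salt || password)_hex>"
#   modern: "PBKDF2$<iterations>$<salt_hex>$<pbkdf2_hmac_sha256_hex>"
LEGACY_PREFIX = "SHA256"
MODERN_PREFIX = "PBKDF2"
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the example


def _legacy_digest(password: str, salt: bytes) -> str:
    # One fast SHA-256 pass over salt || password: cheap for a GPU rig to grind through.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_legacy(password: str) -> str:
    salt = os.urandom(16)
    return f"{LEGACY_PREFIX}${salt.hex()}${_legacy_digest(password, salt)}"


def make_modern(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{MODERN_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    return stored.startswith(LEGACY_PREFIX + "$")


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison against whichever format the entry is stored in."""
    parts = stored.split("$")
    if parts[0] == LEGACY_PREFIX:
        _, salt_hex, digest = parts
        return hmac.compare_digest(_legacy_digest(password, bytes.fromhex(salt_hex)), digest)
    if parts[0] == MODERN_PREFIX:
        _, iterations, salt_hex, digest = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), digest)
    raise ValueError(f"unknown hash format: {parts[0]}")


def login(store: dict, user: str, password: str) -> bool:
    """Verify the password; on success, re-hash a legacy entry in the modern format.

    This is the upgrade-on-login behaviour the article describes: an account that
    never logs in after the firmware update keeps its weak legacy hash indefinitely.
    """
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        store[user] = make_modern(password)
    return True


def audit_legacy(store: dict) -> list:
    """Defender's check: which accounts are still stored with the legacy hash?"""
    return sorted(user for user, stored in store.items() if is_legacy(stored))


if __name__ == "__main__":
    # Constructed sample store: two dormant accounts, one that has already logged in.
    store = {"admin": make_legacy("correct horse"), "svc_backup": make_legacy("P@ss"),
             "netops": make_modern("already-upgraded")}
    print("legacy before:", audit_legacy(store))
    login(store, "admin", "correct horse")
    print("legacy after admin logs in:", audit_legacy(store))
```

The point of the audit is that a patched firmware version tells you nothing about dormant or service accounts: only entries that have gone through `login` have been moved, so the remediation list below has to force every admin through a logout/login cycle (or a password reset) and then re-run the audit until it returns an empty list.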

Why is it called “FortiBleed”?

The name is a nod to how the data was gathered. The attackers systematically targeted network perimeters to “bleed” out internal device configuration files. While the exact method the hackers used to grab the initial files is still being investigated, it is highly suspected they either weaponized a chain of older, unpatched FortiOS vulnerabilities or discovered a new flaw to silently export configurations from devices that left their administrative management interfaces exposed to the public internet.

Protection & Remediation:

If your company utilizes internet-facing Fortinet gateways, patching the firmware alone is no longer sufficient because the threat actors already possess valid, working plaintext credentials. You must assume a state of potential compromise. The steps are as follows:

  1. Immediate Perimeter Lockdown: Force a Global Password Reset. Immediately rotate all administrative and user passwords associated with Fortinet VPNs and gateway interfaces.
  2. Re-Hash Existing Credentials: Ensure all admins log out and log back in post-update to force the system to upgrade credential storage to the modern PBKDF2 format.
  3. Restrict Management Interfaces: Never expose the FortiGate Management Interface directly to the public internet. Restrict access to trusted, specific internal IP addresses or administrative jump boxes.
  4. Implement True MFA (Multi-Factor Authentication): Plaintext passwords mean nothing if an independent secondary token is required. Enforce strict, non-phishable multi-factor authentication (like hardware tokens or conditional-access push notifications) for every single inbound VPN connection.
  5. Forensic Threat Hunting: Review your gateway authentication logs looking backward for at least the last 60 days. Look specifically for:
     • Successful logins occurring at unusual hours or from anomalous geographic locations.
     • The creation of unauthorized local administrator accounts or sudden alterations to endpoint security policies.

Note: If unauthorized configuration changes or backdoor users are found, do not attempt to clean the device. Wipe it completely, restore from a verified clean backup, or replace the hardware.
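The threat-hunting step above, as an added example that is not part of the original article or of any Fortinet tooling: a small hunt script that runs three of the checks just listed over key=value event logs. The sample log lines are constructed for this example and only loosely modelled on the FortiOS key=value style; the field names (`subtype`, `action`, `status`, `cfgpath`, `cfgobj`), the trusted management networks and the business-hours window are assumptions, not a guaranteed schema or a recommended policy.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in key=value style, loosely modelled on FortiOS event
# logs. The field names (subtype, action, status, cfgpath, cfgobj, ...) are
# assumptions for this example, not a guaranteed schema.
SAMPLE_LOGS = """\
date=2025-03-02 time=03:12:44 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2025-03-02 time=10:05:01 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.5.12 ui="https(10.0.5.12)"
date=2025-03-02 time=03:15:10 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="svc_backup" user="admin" srcip=203.0.113.7
date=2025-03-02 time=11:40:22 type="event" subtype="vpn" action="tunnel-up" status="success" user="jsmith" srcip=198.51.100.4
date=2025-03-02 time=03:20:00 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
"""

# Assumed site policy: management only from these networks, during these hours.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def hunt(log_text: str) -> list:
    """Return one finding per rule hit: off-hours admin login, admin login from an
    untrusted network, or creation of a local administrator account."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        base = {"time": ts.isoformat(), "user": ev.get("user"), "srcip": ev.get("srcip")}

        # Successful administrative login to the device itself (not a VPN tunnel event).
        admin_login_ok = (ev.get("subtype") == "system" and ev.get("action") == "login"
                          and ev.get("status") == "success")
        if admin_login_ok:
            if ts.hour not in BUSINESS_HOURS:
                findings.append({**base, "rule": "off-hours admin login"})
            src = ipaddress.ip_address(ev["srcip"])
            if not any(src in net for net in TRUSTED_ADMIN_NETS):
                findings.append({**base, "rule": "admin login from untrusted network"})

        # A new entry under system.admin is a new local administrator account.
        if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            findings.append({**base, "rule": "new local administrator created",
                             "account": ev.get("cfgobj")})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Over the constructed sample the script raises three findings, all tied to the same external source address: an admin login at 03:12, that login arriving from outside the trusted management networks, and a new `system.admin` entry created three minutes later. That clustering (off-hours login from an unexpected network immediately followed by account creation) is the pattern the article's note is about: treat it as a compromised device, not as something to clean up by deleting the extra account.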

Expert Takeaway:

FortiBleed is a reminder of a fundamental rule in cyber defense: Securing a system requires both updating the software and sanitizing the legacy data left behind. Relying entirely on complex passwords without MFA or network-level access control is a recipe for perimeter failure.
