2026-06-19 00:00
β BackThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on ThursdayurgedFortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamedFortiBleed. The number of compromised devices stands at 86,644 as of June 19, 2026. According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. Organization-specific accounts account for 36.7% of the remaining breached credentials. "This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed," SOCRadar said. "Org-specific accounts topping the list is significant.
It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed." Telecom, government, and education have emerged as the top three impacted sectors, with the most exposures located in India, the U.S., Mexico, Colombia, and Thailand. The threat actor is said to have mass-scanned the internet for Fortinet remote login endpoints, and then employed a bespoke tool to spray those identified endpoints...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on ThursdayurgedFortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamedFortiBleed. The number of compromised devices stands at 86,644 as of June 19, 2026. According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. Organization-specific accounts account for 36.7% of the remaining breached credentials. "This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed," SOCRadar said. "Org-specific accounts topping the list is significant.
It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed." Telecom, government, and education have emerged as the top three impacted sectors, with the most exposures located in India, the U.S., Mexico, Colombia, and Thailand. The threat actor is said to have mass-scanned the internet for Fortinet remote login endpoints, and then employed a bespoke tool to spray those identified endpoints with known login and password combinations in an attempt to break into them. The fully-automated attack is built around a self-sustaining, two-step approach - The credentials are legitimate and valid, with the attackers verifying each of them before they are added to a database of confirmed, working logins. "The scale of this breach touches nearly every sector of the global economy, sparing no industry," Hudson Rocksaid. "The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet." The U.K. National Cyber Security Centre (NCSC) hasdescribedFortiBleed as a global campaign targeting internet-facing Fortinet firewalls and VPN gateways using methods like brute-force, dictionary attack, and credential stuffing. It's suspected that the threat actors likely exploited older credential hashing mechanisms and the way credentials have historically been stored within FortiGate configuration files to pull off the large-scale attack. "Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism," Arctic Wolfsaid.
"However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade." "As a result, many organizations likely continue to store administrator credentials using older SHA-256 with Salt hashing mechanisms." In a statement shared with The Hacker News, a Fortinet spokesperson said "the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory," urging organizations to follow best practices, including regularly rotating security credentials and enabling multi-factor authentication (MFA). CISA has outlined the following recommendations to defend against the activity - The FortiBleed incident first came to light last week after security researcher Volodymyr "Bob" Diachenko discovered a server containing the database of working login credentials for thousands of firewalls and VPN gateways across 194 countries. Per SOCRadar, the server also staged the attacker's tools and automation scripts. The findings once again demonstrate how credential reuse and poor password hygiene can be weaponized by malicious actors, not to mention that perimeter security appliances remain a lucrative target for gaining initial access to enterprise environments. In a post shared on June 19, 2026, Fortinetsaidthe FortiBleed campaign likely involves the threat actors reusing credentials from previous incidents, such asCVE-2026-24858,CVE-2025-59718, and CVE-2025-59719, along with employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA). To defend against the malicious activity, the company has outlined the following recommendations - "If AD/LDAP integration is configured, it is important to treat this account as compromised and monitor your AD for its use for authentication elsewhere or the creation of additional accounts and monitor your network for lateral movement," Carl Windsor, chief information security officer (CISO) at Fortinet, said. Learn how to uncover hidden AI use, see what data it can access, map every AI action to a human owner, and apply practical governance without heavy infrastructure changes. Learn how to contain Mythos-style AI attacks with practical Zero Trust controls that reduce exposure, stop lateral movement, and limit risk.
Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.