FortiBleed: A Sweeping Credential Heist Compromises 30K+ Fortinet Devices

A massive, self-sustaining credential harvesting operation is actively targeting organizations relying on Fortinet firewalls and VPN gateways. Dubbed “FortiBleed” by researchers at SOCRadar, this campaign isn’t a typical zero-day exploitation story. Instead, it serves as a stark reminder of the dangers of poor password hygiene and credential reuse on a global scale.

Here is everything you need to know about the FortiBleed heist and how to secure your perimeter.

The Scale of the Compromise: By the Numbers

The sheer volume of this campaign is alarming. Security consultant Volodymyr Diachenko first spotted evidence of the operation, which SOCRadar later analyzed after discovering an exposed operational server belonging to the attackers. This mistake by the threat actors gave researchers an unprecedented look into their automation infrastructure, tooling, and verified credential repository.

What they found was a massive victim database containing login credentials for exactly 30,791 devices across 194 countries. These aren’t random password guesses—they are verified, tested, and working usernames and passwords.

The blast radius includes:

  • 21,108 unique IP addresses and 8,316 unique domains.
  • Major Sectors: Telecommunications (over 5,600 compromised devices), government (591 devices across 111 domains), healthcare, education, financial services, and critical infrastructure.
  • Large Enterprises: More than 20% of the affected devices belong to enterprise organizations generating over $1 billion in annual revenue.
  • Global Footprint: While victims span the Americas, Europe, Asia, Africa, and the Middle East, the US and India alone account for nearly one-third of all identified compromises.

Who is Behind It?

Based on technical evidence and clues left on the exposed server, SOCRadar assesses that the threat actors are likely Russian-speaking. Their victim selection is heavily weighted toward NATO member countries. While financial gain is a likely motivator, cyber espionage is clearly a factor—researchers discovered compromised credentials tied to a defense industry VPN endpoint within the threat actor’s database.

No Exploits, No Zero-Days. Just Pure Credential Theft

The most notable aspect of FortiBleed is the attack vector. As Waseem Ahmed, head of engineering at Secure.com, pointed out, the name “FortiBleed” is slightly ironic because there is no actual software “bleed” or vulnerability being exploited.

Instead, the attackers rely entirely on credential stuffing, password spraying, and credential reuse. They target exposed Fortinet management and VPN interfaces using generic administrator accounts, default or built-in Fortinet system accounts, and old passwords leaked from previous breaches that administrators never rotated.

A “Self-Sustaining” Attack Model

The FortiBleed campaign is fully automated and designed to feed itself. Here is how the attack chain works:

  1. Attackers use automated tools to scan the internet around the clock for exposed Fortinet devices.
  2. They deploy credential stuffing and password spraying using old, leaked credentials to breach the device.
  3. Once inside, the attackers turn the compromised Fortinet device into a listening post.
  4. They monitor the network traffic passing through the device to scrape and harvest new
  5. Those freshly stolen passwords are fed right back into the automated scanner to compromise even more devices.

Immediate Mitigation Steps for Defenders

SOCRadar currently rates this ongoing threat as critical. Fortinet devices are ubiquitous, acting as the front door to countless enterprise networks, making them incredibly high-value targets.

SOCRadar’s advice is clear: If your organization is on this dataset, treat your network perimeter as already compromised. Even if you aren’t sure if you’ve been caught in the FortiBleed net, all organizations using Fortinet VPNs and firewalls should take the following immediate actions:

  • Rotate Credentials: Immediately change all administrative and VPN passwords.
  • Enforce MFA: Turn on Multi-Factor Authentication for all administrative and remote access accounts.
  • Hide Management Interfaces: Take management interfaces off the public internet wherever possible.
  • Audit Logs: Review your authentication and VPN logs closely for any signs of suspicious access.
  • Patch and Upgrade: Ensure your devices are updated to the most current firmware versions.
  • Initiate IR: If you suspect any unauthorized access, launch a full incident response investigation immediately.

Automation allows threat actors to weaponize poor password hygiene at an incredible scale. Ensure your perimeter defenses are locked down so your infrastructure doesn’t become another node in this harvesting operation.