Bottom line: Attackers have collected approximately 75,000 administrator passwords from Fortinet firewalls globally, easily cracked them using outdated hashing methods, and now have persistent access to affected corporate networks.
A large-scale campaign named “FortiBleed” has exposed administrator passwords from approximately 75,000 internet-facing Fortinet FortiGate firewalls worldwide. Affected environments are thus exposed to remote access and persistent attacks.
Security researchers have documented a systematic campaign to collect administrator passwords from Fortinet devices. The campaign was initially reported by security researcher Volodymyr Diachenko on LinkedIn, who identified a list of functional FortiGate passwords managed by attackers. SOCRadar independently confirmed the findings by discovering an active server operated by an unknown actor that contained not only the password list but also configuration files, automation tools, and a victim list.
Following analysis by SOCRadar, Hudson Rock, and Kevin Beaumont, the attackers proceeded systematically: they extracted configuration files from internet-facing FortiGate firewalls and recovered administrator passwords from them. The initial access method remains unknown. Researchers suspect that passwords were collected over time through exploitation of multiple vulnerabilities in external Fortinet applications. The operational approach and tooling suggest Russian-speaking threat actors, though attribution is ongoing. Affected devices are distributed across 194 countries, with concentration in India (over 4,000), the United States, and Mexico. The campaign is highly automated, enabling attackers to collect, process, and crack credentials at scale.
The potential impact is significant: with valid administrator passwords, attackers can remotely log in to the firewall device, immediately access the underlying network, modify security settings, and create backdoor user accounts. Beaumont warned: “The inconvenient reality is that modern exploitation is not always about immediate damage. It is about collecting data that remains valuable long after the underlying vulnerability is patched.”
One reason for the high crack success rates is the use of outdated password hashing methods. Many affected systems use SHA-256-based hashing, which is significantly more susceptible to offline password attacks than newer mechanisms. Fortinet introduced PBKDF2-based hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1. However, an upgrade does not rehash existing credentials: an older administrator password remains stored as a SHA-256 hash until that administrator logs in again after the upgrade. As a result, many organizations continue to store administrator passwords under the older hashing method even on patched firmware.
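The rehash-on-login behaviour described above, and the audit it calls for, is easy to model. The following is an added example written for this article, not Fortinet code and not the FortiOS storage format; the salt, the PBKDF2 iteration count, the record layout and the account names are constructed for illustration. It shows why a single SHA-256 pass costs an offline guesser about as much as the defender's own verification, why a legacy record only migrates to PBKDF2 after a successful login, and how an administrator would list the accounts still waiting on that migration.

```python
import hashlib
import hmac

# Constructed sample values (not from the article): a fixed salt and an assumed
# iteration count. FortiOS's real parameters are not stated on the page.
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
PBKDF2_ITERATIONS = 100_000


def legacy_hash(password: str, salt: bytes = SALT) -> bytes:
    """One salted SHA-256 pass: cheap to verify, and equally cheap to guess offline."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes = SALT,
                iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess must pay for `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


SCHEMES = {"sha256": legacy_hash, "pbkdf2": pbkdf2_hash}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison against whichever scheme the record was stored with."""
    computed = SCHEMES[record["scheme"]](candidate)
    return hmac.compare_digest(record["hash"], computed)


def login(record: dict, candidate: str) -> bool:
    """Rehash-on-login, as the article describes: a legacy record is migrated to
    PBKDF2 only after a successful login, because the plaintext is needed to
    compute the new hash. An account that never logs in stays on SHA-256."""
    if not verify(record, candidate):
        return False
    if record["scheme"] != "pbkdf2":
        record["hash"] = pbkdf2_hash(candidate)
        record["scheme"] = "pbkdf2"
    return True


def legacy_accounts(records: dict) -> list:
    """Audit helper: admin accounts whose stored hash is still the legacy scheme."""
    return sorted(name for name, rec in records.items() if rec["scheme"] != "pbkdf2")


def relative_guess_cost(iterations: int = PBKDF2_ITERATIONS) -> int:
    """Rough SHA-256 compressions an attacker pays per guess: PBKDF2-HMAC-SHA256
    needs about two per iteration (inner and outer HMAC with precomputed pads),
    versus one for the legacy scheme."""
    return 2 * iterations


def build_sample_records() -> dict:
    """Constructed demo data: two admins whose passwords predate the upgrade."""
    return {
        "admin":  {"scheme": "sha256", "hash": legacy_hash("Summer2024!")},
        "backup": {"scheme": "sha256", "hash": legacy_hash("Backup#1")},
    }


if __name__ == "__main__":
    records = build_sample_records()
    print("legacy before:", legacy_accounts(records))
    login(records["admin"], "Summer2024!")   # only this admin logs in after the upgrade
    print("legacy after: ", legacy_accounts(records))
    print("per-guess cost ratio ~", relative_guess_cost())
```

The practical takeaway mirrors the article: after upgrading to a PBKDF2-capable release, have every administrator (including rarely used break-glass and backup accounts) log in and change their password, then audit for any record that has not migrated. A password that was already captured in its SHA-256 form gains nothing from the rehash, so rotation, not just migration, is what removes the exposure.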
Source: www.csoonline.com · Published June 18, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification through Lumi News Pipeline v1.7.1.