FortiBleed – the Full Story!

This article is being updated regularly with the latest information. Visit us again for the latest news!
Last Update: 26.06.2026

The headlines have been relentless over the past few days: A massive dataset containing valid admin credentials for an estimated 75’000 internet-facing Fortinet FortiGate firewalls worldwide is currently circulating under the name FortiBleed. Our IT security specialists at BOLL have analyzed the situation for you. This is the current status – without the fearmongering, but with clear, actionable advice.

What We Know So Far

First and foremost: FortiBleed is not based on a new vulnerability (there is no new CVE). Rather, it is a highly automated, industrial-scale credential harvesting campaign. Attackers bundled credentials from previous data breaches and recent infostealer logs, systematically testing them against internet-facing accessible management interfaces.

  • Massive Scale: Attackers executed a large amount of login attempts against several hundred thousand devices.
  • Widespread Impact: Countless internet-facing FortiGate systems are affected. This encompasses nearly 75,000 devices across 194 countries. German, Austrian and Swiss clients are also beneath the affected parties.
  • Complexity Was Not Enough: Even 25-character passwords were compromised. If info stealer malware extracts a password in plaintext from an endpoint, even the highest password complexity offers zero protection.
  • The Hash Trap: Older FortiOS versions used the weaker SHA-256 algorithm for password hashes, which attackers cracked offline using massive GPU power. Fortinet switched to the much stronger PBKDF2 in newer firmware releases. The catch: These secure hashes are only generated if the administrator actively logs into the system after installing the update.
  • We’ve Noticed: Some support requests from concerned customers in the recent weeks. Their FortiGates were slow and they noticed a lot of failed admin login attempts coming from the internet. The clean solution was to close admin access on internet-facing interfaces. We suspect those negatively affected FortiGates stand in connection to FortiBleed.
    Fortinet has also observed this and already communicated some recommendations in their blog.
  • The NCSC (Switzerland): Is aware about the situation and informed some affected customers.
  • An Overview of the Leaked Credentials: Is available on this HudsonRock website.
  • A Checker Tool is available: On the SOCRadar website.
  • Fortinet is aware of the problem of internet-facing administrative access and repeats their recommendation over and over again:
  • If you secure your systems according to basic best practices, you are not affected by this leak: According to the BSI Grundschutz (NET.3.1.A4 Schutz der Administrationsschnittstellen (B) or ISO/IEC 27001:2022 (Requests strict segmentation of management- and data traffic) or 2.7. Unzureichende Absicherung von Administrationswerkzeugen), the PCI-DSS (1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted) and many more (CIS, NIST), management traffic needs to be specifically protected or even seperated.

Immediate Actions for FortiGate Administrators

As penetration testers and security experts, we urgently recommend completing this checklist immediately if you manage FortiGate systems:

  1. Isolate Management Interfaces: Admin Web UIs and SSH access must never be exposed to the public internet. Implement strict IP allowlists or enforce VPN-only access.
  2. Mandatory Password Rotation: Reset all administrative and VPN passwords immediately. Since the credentials have been leaked, clinging to old passwords poses an incalculable risk.
  3. Enforce MFA Consistently: Multi-Factor Authentication (MFA) is strictly mandatory for all external access and VPN gateways.
  4. Updates & Re-Authentication: Bring FortiOS up to the latest patch level (e.g., 7.2.11, 7.4.8, 7.6.1). Crucial step: You must log in at least once with every admin account afterward to trigger the migration to the secure PBKDF2 hashes.
    By executing the command sh system admin | grep ENC you can show all the hashes. Hashes that start with “SH2” are SHA256 (old) hashes, hashes that start with “PB2” are PBKDF2 (new) hashes.
    You can also prevent login for admin accounts that are using sha2 hashes.
    config system password-policy
    set login-lockout-upon-weaker-encryption enable # FortiOS 7.6 and above
    set login-lockout-upon-downgrade enable # FortiOS 7.4 and 7.2
    end
  5. Check Logs for Anomalies: Hunt for Indicators of Compromise (IoCs) such as unknown admin logins, newly created accounts (e.g., forticloud-sync or forticloud-tech), unusual VPN sessions outside of normal business hours, or modified firewall settings.
  6. If you suspect your FortiGate got hacked: Follow our guide Remediation Steps if your FortiGate got Hacked or Attacked.

More Information

You can find Fortinet’s own blog post here.

Loading

2 thoughts on “FortiBleed – the Full Story!

  1. Christian Reply

    Thanks, Valentin, for the clear and technically balanced write-up.
    The distinction is important: FortiBleed appears to be less about a new FortiOS vulnerability and more about exposed management interfaces, password spraying, leaked credentials and potentially cracked legacy password hashes.

    The PBKDF2 migration detail is especially relevant. A firmware upgrade alone may not be enough if existing admin hashes are only upgraded after a successful login.

    A few open points remain:

    How can administrators verify that all local admin accounts use PBKDF2?
    Which login methods trigger the hash migration?
    How reliable and current are the reported datasets and indicators?
    Are there additional IoCs beyond usernames and source IPs?

    The key takeaway remains unchanged: FortiGate management interfaces should not be directly exposed to the internet. Trusted hosts, local-in policies, MFA, central logging and strict management separation should be considered the minimum baseline.

    Thanks again for the detailed analysis and the practical recommendations.

    • vla Post authorReply

      Dear Christian
      Thank you for your comment to our blog article.
      I will answer your questions also in the blog post later.
      >How can administrators verify that all local admin accounts use PBKDF2?
      By executing the command “sh system admin | grep ENC” you can show all the hashes. Hashes that start with “SH2” are SHA256 (old) hashes, hashes that start with “PB2” are PBKDF2 (new) hashes.
      You can also prevent login for admin accounts that are using sha2 hashes.
      config system password-policy
      set login-lockout-upon-weaker-encryption enable # FortiOS 7.6 and above
      set login-lockout-upon-downgrade enable # FortiOS 7.4 and 7.2
      end

      >Which login methods trigger the hash migration?
      The hash migration is triggered upon any password-based login. In our testing, this was confirmed for both SSH and HTTPS.
      >How reliable and current are the reported datasets and indicators?
      This is difficult to assess with certainty. We are aware of at least one case where the FortiGate included in the dataset had not been online for approximately two years. Since internet-facing administrative access was never enabled on that device, we suspect the data originates from CVE-2018-13379 (PSIRT FG-IR-18-384). In cases where internet-facing admin access was enabled, CVE-2022-40684 would also be a plausible vector.
      >Are there additional IoCs beyond usernames and source IPs?
      We do not have any additional indicators at this time. Our general recommendation is to strictly separate management traffic from data traffic. When this separation is in place, any login attempt originating from an IP address outside the designated management network constitutes an IoC in itself.
      I hope this addresses your questions.
      Best regards from the
      Boll Tech Team

Leave a Reply

Your email address will not be published. Required fields are marked *