ctipilot.ch


UPDATE: FortiBleed — first full tool-chain disclosure (FortigateSniffer, SNIFTRAN, GPU cracking cluster); Fortinet confirms no new CVE

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

UPDATE (originally covered 2026-06-18, last 2026-06-20): New analysis published 2026-06-22 gives the first complete tool-chain picture of the FortiBleed credential-harvesting campaign. The operators deploy a purpose-built Golang tool, FortigateSniffer, that abuses FortiOS's native diagnose sniffer packet diagnostic command to capture authentication traffic on a compromised FortiGate; a second tool, SNIFTRAN, converts the captured traffic to PCAP, which a Python toolkit then parses for cleartext credentials, NTLM hashes, Kerberos tickets and LDAP/SQL auth material across ~24 protocols (BleepingComputer, 2026-06-22; SOCRadar, 2026-06-16).

Fortinet's PSIRT response confirms the campaign uses no new vulnerability — it reuses credentials from the previously disclosed CVE-2026-24858, CVE-2025-59718 and CVE-2025-59719 plus brute force against devices lacking strong passwords and MFA (Fortinet PSIRT, 2026-06-19; SecurityWeek, 2026-06-22). Reported tradecraft includes a distributed 36-GPU cluster — rented from a generative-AI provider, per BleepingComputer — for offline cracking of the harvested hashes; SOCRadar characterises the operators as Russian-speaking (SOCRadar, 2026-06-16).

The delta for defenders is a concrete detection surface that earlier coverage lacked: FortiOS writes diagnose sniffer packet execution to its audit log, so hunt for unexpected CLI sniffer invocations and stray PCAP files on the appliance, and — because harvested AD credentials are the downstream prize — treat all domain credentials on any FortiBleed-corpus device as compromised and force a domain-wide rotation, watching for anomalous Kerberos service-ticket requests (event 4769) and Logon Type 3 events (4624) from new sources against privileged accounts. Upgrade to firmware with PBKDF2 password hashing to make offline cracking expensive, terminate active sessions, enable MFA and disable external management access.
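As an added hunting example (written for this brief, not code from Fortinet, the reporting vendors or the campaign's tooling), the Python below runs the three hunts above over constructed sample data: FortiOS audit lines for sniffer invocations, 4624 Logon Type 3 events from sources not in an admin baseline, and 4769 bursts of distinct service tickets. The FortiOS key="value" field names (user, ui, cmd) and the flat Windows event dict layout are assumptions for illustration; map them to your SIEM's schema.

```python
"""FortiBleed hunt helpers over constructed sample logs (field names assumed)."""
import re
from collections import defaultdict

# Constructed FortiOS audit-log lines; key names are assumptions, not a FortiOS spec.
FORTIOS_LOG = """\
date=2026-06-22 time=01:12:03 type="event" user="admin" ui="ssh(203.0.113.7)" msg="Execute command" cmd="diagnose sniffer packet any 'port 389 or port 88' 6 0 a"
date=2026-06-22 time=01:15:44 type="event" user="admin" ui="ssh(203.0.113.7)" msg="Execute command" cmd="get system status"
date=2026-06-22 time=02:00:10 type="event" user="netops" ui="gui(10.0.0.5)" msg="Execute command" cmd="execute ping 10.0.0.1"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted

def parse_kv(line):
    """Parse one key=value audit line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def sniffer_invocations(log_text):
    """Every CLI execution of 'diagnose sniffer packet', with the user and source UI."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("cmd", "").startswith("diagnose sniffer packet"):
            hits.append((rec.get("user"), rec.get("ui"), rec["cmd"]))
    return hits

# Constructed Windows security events (flattened); real events carry more fields.
PRIVILEGED = {"da_admin", "svc_backup"}
BASELINE_4624 = {("da_admin", "10.0.0.20")}  # known admin workstation for da_admin
WIN_EVENTS = [
    {"id": 4624, "account": "da_admin", "type": 3, "src": "10.0.0.20"},
    {"id": 4624, "account": "da_admin", "type": 3, "src": "10.0.0.77"},  # unseen source
    {"id": 4769, "account": "da_admin", "service": "cifs/fs01", "src": "10.0.0.77"},
    {"id": 4769, "account": "da_admin", "service": "ldap/dc01", "src": "10.0.0.77"},
    {"id": 4769, "account": "da_admin", "service": "http/web01", "src": "10.0.0.77"},
    {"id": 4624, "account": "jdoe", "type": 3, "src": "10.0.0.77"},  # not privileged
]

def new_source_privileged_logons(events, baseline, privileged):
    """4624 / Logon Type 3 for a privileged account from a (account, src) pair not in baseline."""
    return [(e["account"], e["src"]) for e in events
            if e["id"] == 4624 and e["type"] == 3
            and e["account"] in privileged
            and (e["account"], e["src"]) not in baseline]

def ticket_request_bursts(events, threshold=3):
    """(account, src) pairs requesting >= threshold distinct service tickets (4769)."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769:
            spns[(e["account"], e["src"])].add(e["service"])
    return {k: len(v) for k, v in spns.items() if len(v) >= threshold}
```

Every sniffer hit deserves a ticket unless it matches a change record; the two Windows hunts are most useful run over the rotation window, when any residual use of the old credentials should stand out.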