ctipilot.ch


FortiBleed — Russian-speaking operator pivoting from 86,644 cracked FortiGate credentials into Active Directory

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

If you did nothing this week: any internet-facing FortiGate whose admin or SSL VPN credentials are in the "FortiBleed" corpus is a live initial-access foothold right now — patch level is irrelevant, because the leaked credential is the weapon, and the operator is already pivoting from validated VPN logins into internal Active Directory.

The FortiBleed dataset surfaced on 2026-06-17 as 73,932 unique FortiGate management URLs (~75,000 devices across 194 countries) paired with valid VPN and administrative credentials (BleepingComputer, 2026-06-17; daily 06-18). By 2026-06-19 the verified count had grown to 86,644 confirmed working credentials and CISA had issued an emergency hardening advisory (SecurityWeek, 2026-06-19; daily 06-20).

Fortinet's PSIRT confirmed that the campaign ties to previously disclosed incidents (FG-IR-26-060 / FG-IR-25-647) and that the credentials originated from exported device configurations. Its position is that this is not a new CVE: the corpus is a reshare of prior-incident data combined with large-scale brute-forcing (Fortinet PSIRT, 2026-06-19). That distinction is cold comfort operationally. The credentials validate, and because no new vulnerability is involved there is no patch that closes the foothold; only credential rotation does.

The methodology that emerged this week is the load-bearing detail. A Russian-speaking actor intercepts SSL VPN authentication, cracks the captured hashes on a 45-GPU Hashtopolis cluster, and then uses the recovered service and admin accounts to move laterally into internal Active Directory (ATT&CK T1110.002 Password Cracking, followed by T1078 Valid Accounts).

The escalation that makes this § 1 rather than a routine credential-leak note is the AD pivot plus CISA's mandated response: terminate all SSL VPN sessions, reset every credential (in that order, since an established tunnel outlives the password it was opened with), migrate admin-hash storage from the older MD5-crypt scheme to PBKDF2, and enforce phishing-resistant MFA on all remote access. FortiGate is ubiquitous on Swiss and EU public-sector and telco perimeters, so treat any exposed device's local admin and VPN secrets as potentially in the corpus regardless of firmware version. Hunt for a burst of SSL VPN authentication failures against one account from several source IPs in rotating residential ranges, followed by a success and, within minutes, RDP/SMB/LDAP reconnaissance from that user's tunnel address into the internal network; and cross-reference SSL VPN session logs against the Shadowserver notification feed so that sessions on devices already known to be in the corpus are triaged first.
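The hunt described above, written out as a small detection over FortiGate SSL VPN event and traffic logs. This is an added example for this brief, not code from the brief's sources, Fortinet or CISA. The log lines are constructed and only approximate the FortiOS key=value format (the `action`, `remip`, `user` and `dstport` field names are assumptions), and `NOTIFIED_DEVICES` is a constructed stand-in for the Shadowserver notification, which in reality keys on management IP/URL rather than device name.

```python
"""Hunt for the FortiBleed pattern in FortiGate SSL VPN logs: a burst of
login failures for one account from several (rotating) source IPs, then a
success, then that user immediately touching RDP/SMB/LDAP internally.
Added example; log lines are constructed and only approximate the FortiOS
key=value event/traffic format (field names are assumptions)."""
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: three failures for svc_backup from three residential-
# looking IPs, a success from a fourth, then SMB/LDAP/RDP probes by that user.
# alice is a benign control: one typo, then success from the same IP.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:10:05 devname="fgt-edge-01" type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.17
date=2026-06-18 time=02:10:41 devname="fgt-edge-01" type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.88
date=2026-06-18 time=02:11:19 devname="fgt-edge-01" type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=203.0.113.201
date=2026-06-18 time=02:12:03 devname="fgt-edge-01" type="event" subtype="vpn" action="ssl-login" user="svc_backup" remip=203.0.113.9
date=2026-06-18 time=02:13:30 devname="fgt-edge-01" type="traffic" subtype="forward" user="svc_backup" srcip=10.212.134.200 dstip=10.0.0.10 dstport=445
date=2026-06-18 time=02:13:52 devname="fgt-edge-01" type="traffic" subtype="forward" user="svc_backup" srcip=10.212.134.200 dstip=10.0.0.10 dstport=389
date=2026-06-18 time=02:14:40 devname="fgt-edge-01" type="traffic" subtype="forward" user="svc_backup" srcip=10.212.134.200 dstip=10.0.0.25 dstport=3389
date=2026-06-18 time=08:00:00 devname="fgt-edge-01" type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=192.0.2.4
date=2026-06-18 time=08:00:30 devname="fgt-edge-01" type="event" subtype="vpn" action="ssl-login" user="alice" remip=192.0.2.4
date=2026-06-18 time=08:05:00 devname="fgt-edge-01" type="traffic" subtype="forward" user="alice" srcip=10.212.134.201 dstip=10.0.0.40 dstport=443
"""

# Constructed stand-in for the Shadowserver notification: device names whose
# management URL appeared in the FortiBleed corpus (the real feed keys on IP/URL).
NOTIFIED_DEVICES = {"fgt-edge-01"}

# Internal ports whose first touch right after a VPN login reads as AD recon.
RECON_PORTS = {445: "SMB", 3389: "RDP", 389: "LDAP", 636: "LDAPS"}


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    f["ts"] = datetime.fromisoformat(f"{f['date']} {f['time']}")
    return f


def hunt(log_text, min_failures=3, min_source_ips=2,
         spray_window=timedelta(minutes=10), recon_window=timedelta(minutes=15)):
    """Return one finding per successful SSL VPN login that was preceded by a
    spray (>= min_failures from >= min_source_ips within spray_window) and
    followed by RECON_PORTS traffic from the same user within recon_window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    vpn = [e for e in events if e.get("subtype") == "vpn"]
    traffic = [e for e in events if e.get("type") == "traffic"]
    findings = []
    for s in (e for e in vpn if e["action"] == "ssl-login"):
        fails = [e for e in vpn
                 if e["action"] == "ssl-login-fail" and e["user"] == s["user"]
                 and s["ts"] - spray_window <= e["ts"] < s["ts"]]
        ips = {e["remip"] for e in fails}
        if len(fails) < min_failures or len(ips) < min_source_ips:
            continue
        recon = sorted({RECON_PORTS[int(t["dstport"])] for t in traffic
                        if t.get("user") == s["user"]
                        and s["ts"] < t["ts"] <= s["ts"] + recon_window
                        and int(t["dstport"]) in RECON_PORTS})
        if not recon:
            continue
        findings.append({
            "user": s["user"], "device": s["devname"], "success_ip": s["remip"],
            "failures": len(fails), "source_ips": sorted(ips | {s["remip"]}),
            "recon": recon,
            # A device already in the notification feed goes to the top of the queue.
            "in_notification_feed": s["devname"] in NOTIFIED_DEVICES,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

The spray and recon windows are deliberately short; a validated credential from the corpus is used within minutes, so a wider window mostly adds noise from ordinary users retyping a password. Feed the function real FortiAnalyzer/syslog exports after adjusting the field names, and treat any finding on a device in the notification feed as an active incident rather than a hunt lead.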