ctipilot.ch

FortiGate credential-reuse vector referenced in FortiBleed campaign

cve · CVE-2025-59718

Coverage timeline: 1 (first 2026-06-23 → last 2026-06-23)
Briefs: 1 (1 distinct)
Sources cited: 16 (13 hosts)
Sections touched: 0
Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-06-23 · CTI Daily Brief — 2026-06-23

Source distribution

  • bleepingcomputer.com: 3 (19%)
  • securityweek.com: 2 (12%)
  • fortinet.com: 1 (6%)
  • socradar.io: 1 (6%)
  • advisory.splunk.com: 1 (6%)
  • arcticwolf.com: 1 (6%)
  • bankinfosecurity.com: 1 (6%)
  • cisa.gov: 1 (6%)
  • other: 5 (31%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (16)

Items in briefs about FortiGate credential-reuse vector referenced in FortiBleed campaign (1)

UPDATE: FortiBleed — first full tool-chain disclosure (FortigateSniffer, SNIFTRAN, GPU cracking cluster); Fortinet confirms no new CVE

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

UPDATE (originally covered 2026-06-18, last 2026-06-20): New analysis published 2026-06-22 gives the first complete tool-chain picture of the FortiBleed credential-harvesting campaign. The operators deploy a purpose-built Golang tool, FortigateSniffer, that abuses the native FortiOS CLI diagnostic command diagnose sniffer packet to capture authentication traffic passing through a compromised FortiGate. Because that command emits a text hex dump rather than a capture file, a second tool, SNIFTRAN, converts the captured output to PCAP; a Python toolkit then parses the PCAP for cleartext credentials, NTLM hashes, Kerberos tickets and LDAP/SQL authentication material across roughly 24 protocols (BleepingComputer, 2026-06-22; SOCRadar, 2026-06-16).

Fortinet's PSIRT response confirms the campaign exploits no new vulnerability: it reuses credentials exposed by the previously disclosed CVE-2026-24858, CVE-2025-59718 and CVE-2025-59719, plus brute force against devices without strong passwords and MFA (Fortinet PSIRT, 2026-06-19; SecurityWeek, 2026-06-22). Reported tradecraft includes a distributed 36-GPU cluster, rented from a generative-AI provider according to BleepingComputer, for offline cracking of the harvested hashes; SOCRadar characterises the operators as Russian-speaking (SOCRadar, 2026-06-16).

The delta for defenders is a concrete detection surface that earlier coverage lacked. FortiOS records CLI command execution in its system event log, so hunt for unexpected sniffer invocations (match the abbreviated form, diag sniffer packet, as well as the full command, since the CLI accepts unambiguous prefixes) and for stray PCAP or dump files on the appliance; forward those logs off-box, because an attacker holding an admin session can clear the local copy. Because harvested AD credentials are the downstream prize, treat all domain credentials stored on or passing through any FortiBleed-corpus device as compromised and force a domain-wide rotation, then watch for anomalous Kerberos service-ticket requests (event 4769) and network logons (event 4624, Logon Type 3) to privileged accounts from previously unseen sources. Upgrade to firmware with PBKDF2 password hashing to make offline cracking expensive, terminate active sessions, enable MFA and disable external management access.
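The hunt described above, as an added example that is not part of the brief or of any cited source. The FortiOS lines follow the key=value syslog layout FortiOS emits, but the field names and every value are constructed; the Windows events are reduced to Security-log EventData names (TargetUserName, IpAddress, LogonType, ServiceName, TicketEncryptionType) with invented values; the privileged-account list, baseline source IPs and the distinct-service threshold are site-specific assumptions. The 4769 check goes one step beyond the brief by also flagging RC4 (0x17) service tickets, the usual kerberoasting signature when cracked or replayed credentials are in play.

```python
"""Hunt logic for the FortiBleed detection surface: sniffer runs in FortiOS CLI
audit events, then reuse of harvested AD credentials in Windows 4624/4769.
All sample events are constructed; field names follow the FortiOS key=value
syslog layout and Windows EventData names, but every value is invented."""
import re
from collections import defaultdict

# Match both the full command and the prefix form the FortiOS CLI accepts.
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b")
# key=value pairs; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed FortiOS system-event lines (illustrative, not real device output).
FORTIOS_EVENTS = [
    'date=2026-06-22 time=09:14:02 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Command executed" user="admin" ui="ssh(203.0.113.44)" '
    'msg="Execute command: diagnose sniffer packet any \'tcp port 389 or tcp port 445\' 3 0 a"',
    'date=2026-06-22 time=09:20:17 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Command executed" user="netops" ui="ssh(10.10.0.8)" '
    'msg="Execute command: get system status"',
    'date=2026-06-22 time=09:31:55 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Command executed" user="admin" ui="ssh(203.0.113.44)" '
    'msg="Execute command: diag sniffer packet port1 none 6 0 l"',
]

# Constructed Windows Security events, reduced to the EventData fields used here.
WINDOWS_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "da-jsmith", "IpAddress": "10.10.0.8"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "da-jsmith", "IpAddress": "10.99.7.23"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "da-jsmith", "IpAddress": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "bob", "IpAddress": "10.99.7.23"},
    {"EventID": 4769, "TargetUserName": "da-jsmith@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01",
     "IpAddress": "::ffff:10.99.7.23", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "da-jsmith@CORP.LOCAL", "ServiceName": "HTTP/web01",
     "IpAddress": "::ffff:10.99.7.23", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "da-jsmith@CORP.LOCAL", "ServiceName": "CIFS/fs01",
     "IpAddress": "::ffff:10.99.7.23", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "svc-backup@CORP.LOCAL", "ServiceName": "CIFS/fs01",
     "IpAddress": "::ffff:10.10.0.8", "TicketEncryptionType": "0x12"},
]

# Assumed privileged accounts and their known-good source IPs (site-specific).
PRIVILEGED = {"Administrator", "da-jsmith", "svc-backup"}
BASELINE_SOURCES = {"da-jsmith": {"10.10.0.8"}, "svc-backup": {"10.10.0.8"}}


def parse_fortios_event(line):
    """Split a FortiOS key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_sniffer_invocations(lines):
    """Return (timestamp, admin, ui, command) for every sniffer run in the audit log."""
    hits = []
    for line in lines:
        ev = parse_fortios_event(line)
        if SNIFFER_RE.search(ev.get("msg", "")):
            hits.append((f'{ev.get("date", "")} {ev.get("time", "")}',
                         ev.get("user"), ev.get("ui"), ev.get("msg")))
    return hits


def normalise_ip(ip):
    """Windows records IPv4 clients as IPv4-mapped IPv6 in some fields; strip the prefix."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def find_new_source_network_logons(events, privileged, baseline):
    """4624 with Logon Type 3 to a privileged account from an IP outside its baseline."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        user = e["TargetUserName"]
        ip = normalise_ip(e["IpAddress"])
        if user in privileged and ip not in baseline.get(user, set()):
            hits.append((user, ip))
    return hits


def find_tgs_anomalies(events, privileged, baseline, distinct_services=3):
    """4769 clusters consistent with use of harvested credentials: a privileged
    account requesting tickets from a new source, one (account, source) fanning
    out across many services, or RC4 (0x17) tickets (kerberoasting signature)."""
    services = defaultdict(set)
    rc4 = set()
    for e in events:
        if e.get("EventID") != 4769:
            continue
        user = e["TargetUserName"].split("@")[0]   # requesting account, realm dropped
        ip = normalise_ip(e["IpAddress"])
        services[(user, ip)].add(e["ServiceName"])
        if e.get("TicketEncryptionType", "").lower() == "0x17":
            rc4.add((user, ip))
    hits = []
    for (user, ip), svcs in services.items():
        new_source = user in privileged and ip not in baseline.get(user, set())
        if new_source or len(svcs) >= distinct_services or (user, ip) in rc4:
            hits.append({"user": user, "ip": ip, "services": len(svcs),
                         "rc4": (user, ip) in rc4, "new_source": new_source})
    return hits
```

Run against the constructed data, the FortiOS pass returns the two admin sessions from 203.0.113.44 (one using the full command, one the diag prefix) and ignores the netops status check; the Windows pass returns the single da-jsmith network logon from 10.99.7.23 and one 4769 cluster for that same account and source, which trips all three signals at once. In production the baseline would come from 30 days of prior 4624/4769 data rather than a literal dict, and the FortiOS lines from the forwarded syslog feed rather than the appliance.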