ctipilot.ch

FortiBleed — 73,932 FortiGate device credentials exposed; active Russian-speaking brute-force/AD-lateral campaign

incident · incident:fortibleed-fortigate-credential-exposure

  • Coverage timeline: 1 (first 2026-06-18 → last 2026-06-18)
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (4 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-06-18: CTI Daily Brief — 2026-06-18
    active_threats: First coverage; ~75k devices/194 countries, reshared+brute-force per Fortinet, active exploitation w/ AD lateral movement

Where this entity is cited

  • active_threats (1)

Source distribution

  • arcticwolf.com: 1 (25%)
  • bleepingcomputer.com: 1 (25%)
  • oracle.com: 1 (25%)
  • research.jfrog.com: 1 (25%)

Related entities

Items in briefs about FortiBleed — 73,932 FortiGate device credentials exposed; active Russian-speaking brute-force/AD-lateral campaign (1)

FortiBleed — 73,932 internet-facing FortiGate devices exposed, Russian-speaking group cracking credentials into Active Directory

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

A dataset branded "FortiBleed" surfaced on 2026-06-17 containing 73,932 unique FortiGate management URLs — roughly 75,000 devices across 194 countries and 21,632 domains — paired with valid VPN and administrative credentials (BleepingComputer, 2026-06-17). Fortinet's position is that this is not a new vulnerability: the corpus is a reshare of data from previous incidents combined with large-scale brute-forcing, and the credentials were validated as working. Per BleepingComputer, a Russian-speaking actor is performing systematic credential validation, offline password cracking and onward lateral movement into Active Directory at fully compromised organisations in several countries (BleepingComputer, 2026-06-17); Arctic Wolf is separately tracking the FortiBleed campaign's reach across 194 countries (Arctic Wolf, 2026-06-17). The technique class is valid-account abuse (T1078) following credential access, not exploitation of a fresh CVE.

Why it matters to us: FortiGate is ubiquitous on Swiss and EU public-sector perimeters. Treat any internet-exposed FortiGate's local admin and VPN credentials as potentially in the corpus regardless of patch level — patching does not rotate an already-leaked credential. Force admin and VPN password resets, enforce MFA on all administrative and VPN logins, restrict the management interface off the WAN, and review FortiGate admin-login audit events and downstream domain-controller authentication (Windows EID 4624/4768) for logins from unexpected source addresses.
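As an added illustration of the review step above (example code written for this page, not part of the brief or of any Fortinet or Microsoft tooling): a small Python triage that parses constructed FortiGate-style admin/VPN login lines and Windows 4624/4768 events and flags successful logins whose source address falls outside an assumed allowlist of expected management ranges. The log field names, the allowlist and every sample value are assumptions, not real device output.

```python
import ipaddress
import re
# Hypothetical allowlist of expected admin/VPN source ranges (constructed for this example).
EXPECTED_SOURCES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed FortiGate-style key=value log lines (format approximated, not real device output).
FORTIGATE_LINES = [
    'date=2026-06-18 time=03:12:41 logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"',
    'date=2026-06-18 time=08:02:10 logdesc="Admin login successful" user="admin" srcip=192.0.2.15 action="login" status="success"',
    'date=2026-06-18 time=03:14:02 logdesc="SSL VPN login" user="jdoe" remip=198.51.100.77 action="login" status="success"',
    'date=2026-06-18 time=03:14:30 logdesc="Admin login failed" user="admin" srcip=198.51.100.77 action="login" status="failed"',
]
# Constructed Windows security events, fields named as in EID 4624/4768 (values invented).
WINDOWS_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 3, "IpAddress": "::ffff:198.51.100.77"},
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.20.30.40"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 5, "IpAddress": "-"},  # local logon
]

def parse_kv(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_unexpected(ip_str):
    """True only for a parseable address outside EXPECTED_SOURCES; '-' or junk never fires."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in EXPECTED_SOURCES)

def suspicious_fortigate_logins(lines):
    """(user, srcip) for successful admin/VPN logins from outside EXPECTED_SOURCES."""
    hits = []
    for ev in map(parse_kv, lines):
        src = ev.get("srcip") or ev.get("remip") or ""
        if ev.get("action") == "login" and ev.get("status") == "success" and is_unexpected(src):
            hits.append((ev.get("user"), src))
    return hits

def suspicious_windows_logons(events):
    """(EventID, user, ip) for 4624 logons / 4768 TGT requests from outside EXPECTED_SOURCES."""
    hits = []
    for ev in events:
        src = ev.get("IpAddress", "").removeprefix("::ffff:")  # drop IPv4-mapped prefix
        if ev.get("EventID") in (4624, 4768) and is_unexpected(src):
            hits.append((ev["EventID"], ev.get("TargetUserName"), src))
    return hits
```

Correlating the same external address across both outputs (here 198.51.100.77 hitting the FortiGate admin UI, SSL VPN and then a domain controller) is the pattern the brief describes; failed logins are deliberately excluded so the list stays short enough to act on.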