Daily brief 2026-06-20
FortiBleed reaches 86,644 compromised FortiGate devices; CISA issues emergency hardening guidance
Entities: FortiBleed
Part of run 2026-06-20-4cfd00ef (intel · Anthropic Claude (specific model not determined))
UPDATE — originally covered FortiBleed — 73,932 internet-facing FortiGate devices exposed, Russian-speaking group cracking credentials into Active Directory (2026-06-18)
UPDATE (originally covered 2026-06-18): The FortiBleed SSL VPN credential-harvesting campaign has grown from the 73,932 internet-facing FortiGate devices reported on 2026-06-18 to 86,644 confirmed compromised credentials across 194 countries, and CISA has published an emergency hardening advisory (SecurityWeek, 2026-06-19; CISA, 2026-06-18).
The new detail is methodology and impact: a Russian-speaking actor cracked SSL VPN password hashes with a 45-GPU Hashtopolis cluster, after which the actor pivots into internal Active Directory using harvested service and admin accounts (BleepingComputer, 2026-06-19). CISA's guidance mandates immediate SSL VPN session termination, full credential resets, enforcement of PBKDF2 (replacing the older MD5-crypt admin-hash scheme), and phishing-resistant MFA on all remote access. Defenders should cross-reference SSL VPN session logs against the Shadowserver notification feed and hunt for sequential VPN authentication failures from rotating residential IP ranges followed by a success and immediate internal RDP/SMB/LDAP reconnaissance.
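The hunt described above can be sketched as a correlation over normalized events; this is an added example, not code from CISA or any cited source. The event schema, the thresholds and the sample records are assumptions, and distinct source IPs stand in for "rotating residential ranges" because no IP-reputation enrichment is available here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune to your environment.
FAIL_WINDOW = timedelta(minutes=10)   # look-back for failures before a success
RECON_WINDOW = timedelta(minutes=5)   # how soon counts as "immediate" recon
MIN_FAILS, MIN_SRC_IPS = 3, 2         # failures spread over rotating sources
RECON_PORTS = {3389: "RDP", 445: "SMB", 389: "LDAP", 636: "LDAPS"}

def hunt(events):
    """events: time-sorted dicts (ts, type, user, src_ip or dst_ip/dst_port)."""
    fails = defaultdict(deque)   # user -> recent (ts, src_ip) failures
    suspect = {}                 # user -> finding opened by a suspicious success
    findings = []
    for e in events:
        ts, user = e["ts"], e["user"]
        if e["type"] == "auth_fail":
            fails[user].append((ts, e["src_ip"]))
        elif e["type"] == "auth_ok":
            q = fails[user]
            while q and ts - q[0][0] > FAIL_WINDOW:
                q.popleft()      # drop failures older than the look-back
            ips = {ip for _, ip in q}
            if len(q) >= MIN_FAILS and len(ips) >= MIN_SRC_IPS:
                suspect[user] = {"user": user, "login_ts": ts,
                                 "fail_ips": sorted(ips), "recon": []}
            q.clear()
        elif e["type"] == "conn" and user in suspect:
            f = suspect[user]
            if ts - f["login_ts"] <= RECON_WINDOW and e["dst_port"] in RECON_PORTS:
                if not f["recon"]:
                    findings.append(f)   # report once, on first recon hit
                f["recon"].append((e["dst_ip"], RECON_PORTS[e["dst_port"]]))
    return findings

def ev(t, kind, user, **kw):
    return {"ts": datetime.fromisoformat("2026-06-19T" + t), "type": kind, "user": user, **kw}

SAMPLE = [  # constructed events using documentation IP ranges, not real logs
    ev("02:00:05", "auth_fail", "svc_backup", src_ip="203.0.113.10"),
    ev("02:00:40", "auth_fail", "svc_backup", src_ip="198.51.100.7"),
    ev("02:01:15", "auth_fail", "svc_backup", src_ip="192.0.2.44"),
    ev("02:01:50", "auth_ok", "svc_backup", src_ip="203.0.113.99"),
    ev("02:02:10", "conn", "svc_backup", dst_ip="10.0.0.5", dst_port=389),
    ev("02:02:30", "conn", "svc_backup", dst_ip="10.0.0.20", dst_port=445),
    ev("09:00:00", "auth_fail", "alice", src_ip="192.0.2.200"),
    ev("09:00:20", "auth_ok", "alice", src_ip="192.0.2.200"),
    ev("09:01:00", "conn", "alice", dst_ip="10.0.0.30", dst_port=3389),
]
```

On the constructed sample, `hunt(SAMPLE)` reports only `svc_backup`; the single mistyped password followed by RDP for `alice` stays below the thresholds.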