
June 24, 2026

Update: FortiBleed exposes Fortinet credentials at global scale


At a glance: As of June 24, 2026, multiple researchers have provided additional analysis showing that FortiBleed operates as a continuous credential harvesting and validation system, not just a one-time exposure event. Compromised systems are used to capture authentication data in real time, which is processed and reused to expand access across internal environments. This approach enables sustained access using valid credentials and increases the impact beyond the originally exposed dataset.

Threat summary

As of June 24, 2026, multiple researchers have provided additional analysis that shows more clearly how the FortiBleed activity operates in practice. Earlier published credential datasets represent only a portion of the activity. FortiBleed is not a static leak but an ongoing collection and validation system that continuously generates new usable credentials across affected environments. 

Based on observed behavior and tooling, FortiBleed is assessed to be associated with a Russian-speaking initial access broker (IAB) that focuses on credential-based access and targets internet-facing remote access and management interfaces using credential reuse and password-based authentication attempts. The group's activity is consistent with large-scale scanning, credential testing, and automated validation workflows used to obtain and maintain access to perimeter systems.

The threat actors are enabling passive packet capture on compromised Fortinet FortiGate firewalls using a Golang-based tool known as FortigateSniffer. This tool activates FortiOS diagnostic packet-capture functions and collects live authentication traffic moving through the device. The captured data includes password hashes, session tokens, and other authentication artifacts from multiple protocols. This marks a shift from relying solely on previously leaked credentials to harvesting real-time authentication material directly from network flows.

Researchers also confirmed that the component referred to as FortiBleed operates as a credential-processing pipeline. Once attackers authenticate to a FortiGate device, they enable packet capture and continuously ingest authentication traffic. The collected material is transferred to attacker-controlled infrastructure, processed offline, cracked when necessary, validated, and reused to access additional systems. This includes directory services, file-sharing environments, and other authentication-dependent systems. The process repeats as long as the firewall remains exposed, allowing attackers to accumulate new accounts even after organizations rotate passwords. This confirms that the campaign functions as an active, persistent collection operation, not a one-time credential-harvesting event.

The new findings also show that the campaign is leveraging built-in FortiOS diagnostic commands, which allows the activity to blend into normal administrative operations and reduces opportunities for detection. The packet-capture capability gives attackers visibility into authentication flows that pass through the firewall, including those unrelated to the Secure Sockets Layer Virtual Private Network (SSL VPN) portal. This includes Kerberos, Lightweight Directory Access Protocol (LDAP), and Server Message Block (SMB) authentication traffic when routed through the device, expanding the scope of compromise beyond VPN credentials.

Targeting patterns show a focus on small and medium-sized businesses with fewer than 200 employees, with notable activity in the United States and India, and a strong emphasis on the information technology services sector.

Analysis

The campaign is enabled by a combination of exposed remote access interfaces, valid credentials, and gaps in authentication controls. Threat actors target internet-facing login services such as remote access portals and administrative interfaces, where credential reuse and password-based authentication enable initial access. In environments where multi-factor authentication (MFA) is not enforced, a valid username and password is sufficient to gain entry.

Once access is established, compromised systems positioned in authentication paths are used to capture credentials from normal login activity. This allows attackers to collect additional authentication data without further intrusion. These credentials are then validated and reused across other systems, expanding access from a single entry point into broader internal environments. This creates a cycle where initial access leads to continuous credential collection, reuse, and expansion across services and environments.

Based on the typical target profile, organizations in the IT services sector, especially managed service providers (MSPs) that manage SMB environments, face the highest risk. These providers often maintain remote access into multiple customer networks, so a single compromised account can provide downstream access into many organizations, making them high-value targets in this campaign.

The most exposed organizations combine internet-accessible authentication services, reusable credentials, limited multi-factor authentication (MFA), and centralized access across systems or customers, where a single compromised account can scale into broad internal access.

Mitigations

For immediate remediation, limit exposure by restricting internet access to remote authentication and administrative interfaces and enforcing controlled access paths. Apply MFA across remote access and privileged accounts to reduce the effectiveness of credential reuse. Rotate administrative and user credentials to invalidate collected data, and monitor authentication logs, remote access activity, and directory service events to identify unauthorized access patterns. Review systems for signs of traffic capture or unauthorized monitoring activity to detect ongoing credential collection and limit further expansion.

Preventing campaigns like FortiBleed requires reducing reliance on passwords, limiting exposure of authentication services, and controlling how credentials are used across environments. Attackers succeed when internet-facing login systems accept reused or weak credentials without additional verification, so strengthening authentication with MFA, including phishing-resistant methods, removes a key access path. Placing remote access and administrative interfaces behind controlled access layers reduces the ability for attackers to discover and target them at scale.

Long-term defense depends on limiting how far a single credential can be used. Separating administrative and user access, enforcing least privilege, and avoiding shared or long-lived credentials reduces the impact of a compromise. Credentials collected in one system lose value when they cannot be reused across others, and segmenting identity access makes it harder for attackers to expand from an initial foothold.

Ongoing monitoring of authentication activity is important. Detecting abnormal login patterns, repeated authentication attempts, or unusual access paths helps identify credential misuse early. Combining this with inspection of systems that handle authentication traffic reduces the risk of those systems being used to capture credentials and supports earlier detection of this type of activity.
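As an added example (not from the original advisory, Fortinet, or any researcher tooling), the following Python script shows one way to act on the two monitoring recommendations above: it scans constructed FortiGate-style key="value" event log lines for invocations of the built-in FortiOS `diagnose sniffer packet` command and rates any capture started from an admin session outside an assumed management subnet as high priority. The log field layout, the sample lines, and the allowlist are assumptions.

```python
import ipaddress
import re

# Constructed FortiGate-style key="value" event lines (field layout assumed, not real captures).
SAMPLE_LOGS = """\
date=2026-06-20 time=09:12:01 type="event" subtype="system" user="admin" srcip="203.0.113.7" msg="diagnose sniffer packet any 'port 88 or port 389 or port 445' 6 0 a"
date=2026-06-20 time=09:12:05 type="event" subtype="system" user="admin" srcip="203.0.113.7" msg="execute log display"
date=2026-06-20 time=09:15:33 type="event" subtype="system" user="netops" srcip="10.0.5.21" msg="diagnose sniffer packet port1 'port 53' 4 10"
date=2026-06-20 time=10:02:44 type="event" subtype="system" user="netops" srcip="10.0.5.21" msg="show system interface"
"""

# Constructed management subnet; a real deployment substitutes its own allowlist.
MGMT_ALLOWLIST = ["10.0.5.0/24"]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The built-in FortiOS packet capture is started from the CLI with this prefix.
_SNIFFER_PREFIX = "diagnose sniffer packet"


def parse_line(line):
    """Turn one key="value" log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _from_allowed_source(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def find_capture_events(logs, allowlist=MGMT_ALLOWLIST):
    """Return every sniffer invocation; 'high' when the admin session did not
    originate from a management network, which matches the pattern described
    above (remote admin login followed by capture of authentication traffic)."""
    hits = []
    for line in logs.splitlines():
        rec = parse_line(line)
        cmd = rec.get("msg", "")
        if not cmd.startswith(_SNIFFER_PREFIX):
            continue
        trusted = _from_allowed_source(rec.get("srcip", "0.0.0.0"), allowlist)
        hits.append({
            "time": f'{rec.get("date")} {rec.get("time")}',
            "user": rec.get("user"),
            "srcip": rec.get("srcip"),
            "command": cmd,
            "severity": "review" if trusted else "high",
        })
    return hits


if __name__ == "__main__":
    for hit in find_capture_events(SAMPLE_LOGS):
        print(f'[{hit["severity"]}] {hit["time"]} {hit["user"]}@{hit["srcip"]}: {hit["command"]}')
```

Even captures from trusted sources are worth reviewing, since a filter on Kerberos, LDAP, or SMB ports (88, 389, 445) rather than on the interface being debugged is a hint that authentication traffic, not a connectivity problem, is the target.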
