FortiBleed: 73,932 Fortinet Firewalls Leaked — Inside the Breach Shaking the Internet

Category
Cybersecurity
Explore more in this category
A Russian-speaking crew dumped working credentials for nearly half of the internet-facing FortiGate fleet across 194 countries. Here is what FortiBleed actually is, who is exposed, and what to do in the next 24 hours.
On June 17, 2026, a dataset began circulating on Russian-speaking criminal forums that security researchers are calling the largest single perimeter-device exposure ever publicly verified. Dubbed FortiBleed, it contains usernames, passwords, and management URLs for 73,932 unique Fortinet FortiGate firewalls and VPN concentrators across 194 countries — roughly half of every FortiGate device currently reachable from the public internet. By June 19, CISA had issued an emergency advisory urging every Fortinet customer to assume compromise until proven otherwise.
What FortiBleed actually is
FortiBleed is not a new CVE. It is the consolidated harvest of years of FortiOS vulnerabilities — most notably the SSL-VPN path-traversal and authentication-bypass flaws tracked as CVE-2022-40684, CVE-2023-27997 and CVE-2024-21762 — stitched together with credentials pulled from infostealer logs sold on Genesis-style markets. Researchers at watchTowr and the Shadowserver Foundation independently confirmed that a meaningful share of the leaked credentials still authenticate successfully, meaning attackers can log in today, not "potentially" tomorrow.
The dump is structured: each record contains the device's HTTPS management URL, a verified local or LDAP-bound username, the plaintext password, and in many cases the device's serial number and firmware version. That last detail is what makes this so dangerous — defenders cannot simply assume old patches saved them. The data tells the attacker exactly which exploit chain still works on each box.
Who is exposed
The 74,000 affected organizations span every sector and continent. Reporting from SOFX, TechTimes and Cyber Security News has already named Oracle, Samsung, Lenovo and at least one NATO logistics contractor among the verified victims, alongside thousands of municipal governments, hospitals, manufacturers and managed service providers. The geographic spread roughly mirrors Fortinet's global market share: heavy clusters in the United States, Germany, Japan, India, Brazil and across the European Union.
The uncomfortable truth is that FortiGate devices sit at the network edge. A working credential on the firewall is not "a foothold" — it is full visibility into VPN traffic, the ability to pivot to internal networks, mint new admin accounts, push malicious SSL-VPN portals to employees, and disable logging on the way in.
Why this one is different
We have seen big credential dumps before. FortiBleed is worse for three reasons.
First, the credentials are live. Most password dumps are months or years stale by the time they leak. Independent honeypot operators report successful logins against tagged decoy devices within hours of the dump appearing.
Second, the targets are perimeter devices, not user accounts. A reused Netflix password is annoying. A working admin password on the box that terminates your corporate VPN is a worst-case scenario.
Third, the attacker already knows the firmware. Defenders cannot hide behind "we patched eventually." If your device was vulnerable at any point in the last three years and the credential was captured then, it is in this dump now.
What to do in the next 24 hours
If you operate any Fortinet device with a public-facing management interface or SSL-VPN portal, treat the next day as an incident response window, not a maintenance window.
1. Take management interfaces off the public internet. There is no business case for exposing FortiGate admin to the world. Restrict to a jump host or out-of-band network immediately. 2. Rotate every credential on the device — local admin accounts, API tokens, LDAP/RADIUS bind accounts, IPsec pre-shared keys, and SSL-VPN user passwords. Assume all of them are in the dump. 3. Force MFA on SSL-VPN if you have not already. FortiToken, TOTP, or an external IdP — anything is better than password-only. 4. Hunt for persistence. Check for unexpected admin accounts, modified SSL-VPN portal HTML, new automation stitches, disabled logging, and unfamiliar source IPs in the last 90 days of authentication logs. Pay particular attention to logins immediately followed by configuration changes. 5. Upgrade to the latest FortiOS branch for your model, even if you believe you are current. Several of the exploited CVEs were re-patched in 2025 after incomplete fixes. 6. Notify your cyber insurer and, where required, your regulator. In the EU, NIS2 reporting clocks may already be ticking. In the US, SEC Item 1.05 disclosure obligations apply to public companies once materiality is determined.
The bigger lesson
FortiBleed is the predictable end state of a decade of decisions: edge devices treated as appliances rather than servers, management planes left on the public internet because "the vendor said it was fine," and password-only VPN access tolerated long after the rest of the industry moved on. The vulnerabilities that fed this dump were patched. The exposures that made the patches irrelevant — internet-exposed admin, no MFA, no credential rotation, no egress monitoring on the firewall itself — were not.
The firewalls in this dump did not fail because Fortinet shipped bad code. They failed because we kept asking a single box at the edge of the network to be both the guard and the gate, and we never assumed it would lose.
Assume your perimeter is hostile. Architect like the firewall is already owned. That is the only posture FortiBleed leaves room for.
References and further reading
- CISA Emergency Advisory: FortiBleed — Fortinet FortiGate Credential Leak (June 19, 2026)
- watchTowr Labs: FortiBleed Technical Analysis — How 74,000 FortiGate Devices Were Harvested
- Shadowserver Foundation: FortiBleed Exposure Dashboard and Verified Victim Data
- Fortinet PSIRT Advisory: SSL-VPN Path Traversal and Authentication Bypass (CVE-2022-40684)
- Fortinet PSIRT Advisory: Heap-based Buffer Overflow in SSL-VPN (CVE-2023-27997)
- Fortinet PSIRT Advisory: Out-of-Bounds Write in SSL-VPN (CVE-2024-21762)
- Cyber Security News: FortiBleed — 73,932 Firewalls Leaked, Major Corporations Affected
- TechTimes: FortiBleed Breach Exposes Samsung, Oracle, Lenovo and NATO Contractor Data
- SOFX Cyber Intelligence: FortiBleed — The Largest Perimeter-Device Exposure on Record




