
A newly uncovered cybercrime operation dubbed FortiBleed has exposed administrative credentials for approximately 75,000 Fortinet FortiGate firewalls, potentially giving attackers direct access to corporate networks around the world.
The data appears to be recent, affecting organizations across 194 countries, and includes working credentials for thousands of major enterprises, government agencies, and critical infrastructure operators.
The discovery was first disclosed by security researcher Volodymyr “Bob” Diachenko, who revealed on LinkedIn that threat actors had compiled massive lists of FortiGate systems along with what appeared to be valid credentials recovered from compromised devices. According to Diachenko, one dataset alone contained more than 21,600 domains, including organizations ranging from Chevron to Fortinet itself.
Further analysis conducted by Kevin Beaumont with assistance from researchers at Hudson Rock confirmed that the leaked data is authentic and significantly larger than previously known Fortinet credential exposures. Beaumont reported that the dataset contains information from roughly 75,000 Fortinet devices, many of which remain accessible online and appear to have been compromised recently.
Fortinet is a major cybersecurity vendor whose FortiGate appliances are widely deployed as firewalls, VPN gateways, and network security platforms by enterprises, government agencies, educational institutions, and service providers. Because these devices often sit at the edge of corporate networks, administrative access to a FortiGate firewall can provide attackers with extensive control over internal systems and security infrastructure.
According to Hudson Rock's report, the dataset contains records associated with 73,932 unique firewall URLs and 21,632 affected domains spanning nearly every industry sector. High-profile organizations reportedly appearing in the data include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, and Oracle, alongside numerous government entities and critical infrastructure providers.

Billion-scale brute-force operation
Diachenko's investigation suggests the operation was conducted by a sophisticated Russian-speaking cybercriminal group that relied on large-scale automation and password-cracking infrastructure.
Researchers estimate the attackers performed approximately 1.16 billion login attempts against more than 320,000 FortiGate targets, while simultaneously conducting an additional 2.1 billion brute-force attempts against over 160,000 Microsoft SQL Server instances.
The attackers reportedly used a dedicated 45-GPU password-cracking cluster managed through Hashtopolis to recover credentials from captured authentication material and exported configuration files. Once access was obtained, the group allegedly moved laterally into victims' internal environments, targeting Active Directory infrastructure and establishing persistent access.
Hudson Rock says Diachenko documented successful compromises affecting organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey. One case reportedly involved a Turkish defense contractor where sensitive documents were allegedly exfiltrated.
How the passwords were recovered
The exact source of the leaked configuration files remains unclear.
Beaumont noted that the data appears to originate from FortiGate configuration exports, containing information normally visible only from within the device itself. Unlike the “Belsen Group” leak disclosed earlier, which involved approximately 15,000 devices compromised through a 2022 FortiGate zero-day vulnerability, the newly discovered dataset largely consists of different systems and appears to reflect ongoing or recent compromises.
Researchers suspect attackers may have obtained configuration backups through one of the many Fortinet vulnerabilities disclosed over recent years, though no specific exploit has been confirmed.
A key factor may be the way FortiGate devices historically stored administrator credentials. Beaumont noted that Fortinet introduced stronger password protection in early 2025 by moving to PBKDF2-based hashing, but the protection only took effect after administrators logged in following the firmware upgrade.
As a result, many systems reportedly continued storing passwords using older salted SHA-256 hashes, which can be susceptible to offline brute-force attacks when configuration files are stolen. Once attackers obtained the configuration files, they could recover plaintext credentials and use them to log directly into exposed management interfaces.
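The upgrade-on-login behaviour described above, as an added illustration that is not Fortinet's code: a stored record hashed with single-round salted SHA-256 is verified, and only a successful login rewrites it as PBKDF2. The iteration count, salt size and record layout are assumptions for the example; the cost function shows why the legacy scheme is cheap to guess offline.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters: Fortinet's real salt length and iteration count are not on the page.
PBKDF2_ITERATIONS = 600_000  # assumption, in line with current PBKDF2-HMAC-SHA256 guidance
SALT_LEN = 16


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Single-round salted SHA-256: one hash per guess, so offline cracking is cheap."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Iterated KDF: each guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_legacy_record(password: str) -> dict:
    """Constructed record in the pre-upgrade scheme (hypothetical layout)."""
    salt = os.urandom(SALT_LEN)
    return {"scheme": "sha256", "salt": salt, "hash": legacy_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Verify against the stored scheme; on success, migrate a legacy record to PBKDF2 in place."""
    if record["scheme"] == "pbkdf2":
        return hmac.compare_digest(
            pbkdf2_hash(password, record["salt"], record["iterations"]), record["hash"])
    ok = hmac.compare_digest(legacy_hash(password, record["salt"]), record["hash"])
    if ok:  # the rehash happens only here, which is why a never-used login stays legacy
        salt = os.urandom(SALT_LEN)
        record.update(scheme="pbkdf2", salt=salt, iterations=PBKDF2_ITERATIONS,
                      hash=pbkdf2_hash(password, salt))
    return ok


def legacy_accounts(records: dict) -> list:
    """Audit helper: account names still stored under the old scheme."""
    return sorted(name for name, rec in records.items() if rec["scheme"] != "pbkdf2")


def guess_cost_ratio(samples: int = 200) -> float:
    """Order-of-magnitude: how many legacy guesses fit in the time of one PBKDF2 guess."""
    salt = b"\x00" * SALT_LEN
    t0 = time.perf_counter()
    for i in range(samples):
        legacy_hash(f"guess{i}", salt)
    per_legacy = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    pbkdf2_hash("guess", salt)
    return (time.perf_counter() - t0) / per_legacy
```

Accounts listed by `legacy_accounts` after a firmware upgrade are the ones whose password a stolen configuration file would still expose to cheap offline guessing.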
Nearly half of internet-facing Fortinet devices affected
One of the most alarming findings is the scale of the exposure. Beaumont estimates the dataset represents roughly 50% of all Fortinet firewall devices currently exposed to the internet, with many affected systems having their management interfaces directly accessible online.
The leaked records reportedly include additional metadata such as company names, industry classifications, revenue information, and geographic locations—formatting that Beaumont says resembles data packages commonly traded in cybercrime markets for the sale of initial network access.
Recommended actions
Organizations using FortiGate appliances should immediately:
- Rotate all administrator passwords.
- Upgrade to the latest FortiOS release.
- Ensure administrators log in after upgrades so credentials are rehashed using PBKDF2.
- Enable multi-factor authentication for all administrative accounts.
- Remove internet exposure of FortiOS management interfaces whenever possible.
- Review logs for unauthorized administrative access.
- Audit devices for unauthorized accounts, configuration changes, and persistence mechanisms.
- Consider device replacement if evidence of compromise is discovered.
Because the origin of the stolen configuration data remains unknown, affected organizations should assume compromise until proven otherwise and conduct thorough investigations of exposed systems and connected networks.