Intelligence brief. Severity: Critical. Status: Campaign active.

FortiBleed: Large-Scale Credential Harvesting Campaign Targeting 430,000+ FortiGate Firewalls Globally

A Russian-speaking initial access broker has been conducting a sustained credential-harvesting campaign against FortiGate firewalls since February 2026, compromising over 430,000 devices globally and harvesting approximately 110 million credentials. This represents a significant threat to enterprise network security infrastructure and likely serves as a precursor to deeper compromise or sale of access.

Sebastion

Affected

Fortinet FortiGate

FortiBleed represents a mature, financially motivated campaign that has achieved unprecedented scale in targeting network edge devices. The campaign's operational tempo since February 2026 indicates sustained access, resource investment, and confidence in operational security. The harvesting of 110 million credentials across 430,000 compromised firewalls suggests either weak credential management practices across target organisations or exploitation of a systemic vulnerability that exposes credentials from FortiGate systems.

The methodological progression described (credential collection, service discovery, brute-force attacks, then bespoke deployment) follows a classic initial access broker workflow. The specificity of targeting FortiGate devices points to one of three causes: a known vulnerability being exploited at scale, weak default configurations in deployed firewalls, or compromise of credential repositories used for FortiGate administration. The bespoke deployment stage is particularly concerning, as it suggests attackers are customising payloads for individual targets rather than deploying generic malware, increasing the probability of successful secondary compromise.

From a defence perspective, organisations should immediately audit FortiGate administrator credentials, enforce multi-factor authentication on all administrative interfaces, and review firewall logs for suspicious authentication attempts or configuration changes. Network teams should prioritise patching any known vulnerabilities in deployed FortiGate versions and implement segmentation to limit the blast radius if firewall compromise occurs. The fact that an IAB has achieved this scale suggests the vulnerability or misconfiguration is not exotic: it likely affects thousands of additional organisations that have not yet detected compromise.
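As an added illustration of the log review recommended above (example code, not part of the original brief or any Fortinet tooling), the following Python script parses FortiGate-style key=value event lines and flags repeated failed administrator logins from a single source as well as administrator-account changes made from outside a trusted management range. The sample log lines, the field names, the addresses 203.0.113.5 and 10.0.0.12, the trusted-network prefix and the failure threshold are all constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample lines; field names follow FortiGate's key=value syslog layout (assumption).
SAMPLE_LOGS = """\
date=2026-03-01 time=02:14:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:14:03 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:14:05 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:14:06 type="event" subtype="system" logdesc="Admin login failed" user="root" ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:14:09 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:14:20 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" action="login" status="success"
date=2026-03-01 time=02:15:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2026-03-01 time=09:00:11 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(10.0.0.12)" action="login" status="success"
date=2026-03-01 time=09:02:45 type="event" subtype="system" logdesc="Object attribute configured" user="netops" ui="https(10.0.0.12)" action="Edit" cfgpath="firewall.address" cfgobj="srv_web01" msg="Edit firewall.address srv_web01"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(ui):
    """Extract the client address from a ui field such as https(203.0.113.5)."""
    m = re.search(r'\(([^)]+)\)', ui or "")
    return m.group(1) if m else "unknown"


def find_suspicious(log_text, fail_threshold=4, trusted_prefixes=("10.",)):
    """Return alerts for (a) sources with >= fail_threshold failed admin logins and
    (b) changes under cfgpath system.admin made from outside the trusted management
    prefixes. Prefix matching is deliberately crude; a real deployment would use
    the ipaddress module against the actual management subnets."""
    fails = Counter()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        ip = source_ip(ev.get("ui"))
        if ev.get("action") == "login" and ev.get("status") == "failed":
            fails[ip] += 1
        if ev.get("cfgpath") == "system.admin" and not ip.startswith(trusted_prefixes):
            alerts.append(("admin_account_change_from_untrusted", ip, ev.get("user"), ev.get("cfgobj")))
    for ip, n in fails.items():
        if n >= fail_threshold:
            alerts.append(("admin_bruteforce", ip, n))
    return alerts
```

Running `find_suspicious(SAMPLE_LOGS)` on the constructed input reports the five failed logins from 203.0.113.5 followed by a new administrator object created from that same untrusted address, the pattern the brief describes as brute force followed by persistence.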

The broader implication is a shift in attacker tactics from endpoint-centric campaigns towards network perimeter infrastructure. FortiGate devices are attractive targets because they provide immediate access to internal network traffic, credential interception opportunities, and persistence mechanisms. A compromised firewall is vastly more valuable than a compromised workstation, justifying the investment in large-scale scanning and exploitation. This campaign will likely inspire similar efforts targeting other firewall and network access products.

Organisations should treat this as a potential supply chain or mass-exploitation event and conduct threat hunting for indicators of compromise. The sale of 110 million credentials and access to 430,000 firewalls would represent substantial financial value; assume that some of this access has already been sold to other threat actors or monetised through extortion attempts against affected organisations.