Cyber Insights: FortiBleed Credential Harvesting Campaign Targets Fortinet FortiGate Firewalls



Security researchers have identified a large-scale credential harvesting campaign, dubbed FortiBleed, that is actively targeting internet-facing Fortinet FortiGate firewalls. Rather than exploiting a newly disclosed software vulnerability, the campaign focuses on stealing credentials and abusing exposed management services to gain persistent access to enterprise networks.
According to public reporting, the operation has targeted more than 430,000 FortiGate devices across 194 countries and is believed to have harvested in excess of 110 million credentials through a combination of brute-force attacks, credential validation, passive credential collection, and offline password cracking.
Researchers assess the activity to be the work of a financially motivated Initial Access Broker (IAB), whose primary objective is to obtain valuable enterprise credentials before selling or using that access in follow-on attacks such as ransomware, data theft, or espionage.
Because FortiGate appliances often sit at the edge of corporate networks, organisations should treat this campaign as a significant credential compromise threat rather than simply another firewall advisory.
Unlike many recent threat bulletins, FortiBleed is not centred around a single critical vulnerability (CVE). Instead, it is a coordinated campaign designed to compromise Fortinet appliances by targeting exposed management interfaces and weak authentication controls.
The attackers reportedly begin by identifying internet-facing FortiGate devices before attempting credential stuffing, SSH brute-force attacks, and password validation against administrative services. Once valid credentials are obtained, compromised firewalls can be abused to collect additional authentication material passing through the appliance.
Researchers describe the use of a Golang-based tool known as FortigateSniffer, which reportedly leverages legitimate FortiOS packet capture functionality to collect credentials traversing the firewall. Those credentials are then processed using offline password-cracking infrastructure before being used or sold to other threat actors.
Firewalls are among the most trusted and privileged devices within any network. They sit at the perimeter, control access into critical systems, and often handle VPN authentication for remote users.
A successful compromise therefore extends well beyond the firewall itself.
Attackers may gain access to:
From there, they can establish persistence, move laterally through the environment, stage ransomware attacks, or sell access to other criminal groups.
This is one of the reasons Initial Access Brokers continue to focus on network security appliances. Valid enterprise access commands a high value within the cybercriminal ecosystem and can significantly reduce the effort required for subsequent attacks.
FortiBleed follows a structured attack chain designed to maximise the number of credentials harvested while remaining operationally efficient.
The campaign begins with large-scale internet reconnaissance to identify exposed FortiGate appliances. Attackers then attempt to authenticate using brute-force techniques, credential stuffing, and previously compromised passwords.
Where access is obtained, the firewall itself becomes a credential collection point. Legitimate diagnostic functionality is reportedly abused to capture authentication material passing through the appliance, including VPN and enterprise authentication traffic.
Finally, harvested credentials are processed using offline cracking infrastructure before being reused, sold, or leveraged in follow-on intrusions.
Unlike traditional attacks that focus on exploiting a software flaw, FortiBleed relies on weak credentials, exposed services, and poor administrative security practices.
Public reporting suggests the campaign has targeted organisations across multiple sectors, although small and medium-sized businesses appear to be particularly affected.
Industries highlighted include:
The campaign has also reportedly targeted other internet-facing technologies beyond FortiGate appliances, including Sophos firewalls, Citrix VPN gateways, Synology NAS devices, RDWeb portals, and Microsoft SQL servers.
This broader targeting reinforces that attackers are actively searching for externally accessible infrastructure capable of providing privileged access into enterprise environments.
While credential rotation is an immediate priority, organisations should also review historical activity for signs of compromise.
Security teams should investigate unusual administrator logins, particularly those originating from unfamiliar locations or new source IP addresses. High volumes of failed VPN or SSH authentication attempts followed by a successful login may also indicate credential validation activity.
Additional behaviours worth reviewing include:
Because the campaign focuses on credential harvesting rather than malware deployment, authentication telemetry and firewall audit logs become some of the most valuable sources of evidence.
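As an added illustration (not code from the original article or from NormCyber's detection content), the Python below runs the review points described above over constructed log lines written in a FortiOS-like key=value syslog shape: repeated failed logins followed by a success, administrator logins from outside expected source ranges, and invocation of the packet-capture diagnostic. The field names (action, status, user, srcip, cmd), thresholds and trusted ranges are assumptions and must be mapped onto the real schema your appliances forward to the SIEM.

```python
"""Triage helper for the FortiBleed-style behaviours discussed above.
Log lines are CONSTRUCTED in a FortiOS-like key=value shape; field names,
thresholds and trusted ranges are assumptions, not Fortinet's schema."""
import re
from collections import defaultdict
from datetime import datetime

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_THRESHOLD = 3            # failures before a subsequent success is suspicious
WINDOW_SECONDS = 600          # failures must fall within this long before the success
TRUSTED_ADMIN_NETS = ("10.0.",)   # constructed: source prefixes admins normally use

def parse(line):
    """Turn one key=value line into a dict; quotes stripped, timestamp parsed."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.fromisoformat(f'{rec["date"]}T{rec["time"]}')
    return rec

def detect(lines):
    """Return (rule, user, srcip) findings in log order."""
    findings, failures = [], defaultdict(list)   # failures keyed by (user, srcip)
    for rec in map(parse, lines):
        key = (rec.get("user", "?"), rec.get("srcip", "?"))
        if rec.get("action") == "login":
            if rec.get("status") == "failed":
                failures[key].append(rec["ts"])
            elif rec.get("status") == "success":
                recent = [t for t in failures[key]
                          if (rec["ts"] - t).total_seconds() <= WINDOW_SECONDS]
                if len(recent) >= FAIL_THRESHOLD:      # credential validation pattern
                    findings.append(("brute_force_then_success",) + key)
                if not key[1].startswith(TRUSTED_ADMIN_NETS):
                    findings.append(("admin_login_untrusted_source",) + key)
                failures[key].clear()
        elif "diagnose sniffer" in rec.get("cmd", ""):   # packet-capture diagnostic
            findings.append(("packet_capture_invoked",) + key)
    return findings

# Constructed sample: three SSH failures, a success from an unfamiliar IP, a sniffer run,
# then a routine admin login from the trusted range that should produce no finding.
SAMPLE_LOGS = [
    'date=2026-03-01 time=02:14:01 action=login status=failed user="admin" srcip=203.0.113.10 ui="ssh(203.0.113.10)"',
    'date=2026-03-01 time=02:14:07 action=login status=failed user="admin" srcip=203.0.113.10 ui="ssh(203.0.113.10)"',
    'date=2026-03-01 time=02:14:12 action=login status=failed user="admin" srcip=203.0.113.10 ui="ssh(203.0.113.10)"',
    'date=2026-03-01 time=02:14:20 action=login status=success user="admin" srcip=203.0.113.10 ui="ssh(203.0.113.10)"',
    'date=2026-03-01 time=02:16:45 user="admin" srcip=203.0.113.10 cmd="diagnose sniffer packet any"',
    'date=2026-03-01 time=09:00:00 action=login status=success user="admin" srcip=10.0.5.20 ui="https(10.0.5.20)"',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

Each finding is a lead to investigate, not proof of compromise; tune the threshold and window to your own baseline of admin activity.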
Organisations operating Fortinet infrastructure should begin by identifying every internet-facing FortiGate appliance within their environment and reviewing whether management interfaces or SSL-VPN services remain publicly accessible.
As a priority, administrator passwords and VPN credentials should be rotated, even where there is no evidence of compromise. Multi-factor authentication should be enforced for both administrative and remote access accounts, while unused local administrator accounts should be removed wherever possible.
Access to management interfaces should be restricted to trusted IP ranges, and FortiOS should be updated to the latest supported release.
Beyond immediate remediation, organisations should review password reuse across administrative accounts, monitor authentication activity for anomalous behaviour, and ensure firewall logs are forwarded into a SIEM or central monitoring platform for ongoing analysis.
FortiBleed should be viewed as a high-impact credential compromise campaign rather than a traditional vulnerability advisory.
The reported scale of targeting, combined with the privileged position FortiGate appliances occupy within enterprise networks, makes this activity particularly significant. Once a firewall or VPN credential has been compromised, attackers may be able to pivot into Active Directory, cloud services, and other critical business systems without exploiting additional vulnerabilities.
Although the campaign has focused heavily on Fortinet infrastructure, the underlying techniques—credential harvesting, password reuse, exposed management services, and inadequate MFA—are common across many enterprise environments.
For defenders, this serves as another reminder that protecting identities is becoming just as important as protecting endpoints.
FortiBleed demonstrates why continuous monitoring of authentication activity and perimeter infrastructure is essential. Following publication of the threat intelligence, NormCyber’s Security Operations Centre reviewed the reported attack techniques and mapped them against our existing detection capabilities. As a result, we have implemented new FortiGate detections covering several key stages of the FortiBleed attack chain, including administrator authentication, account enumeration, account manipulation, repeated failed login attempts followed by successful access, and the use of FortiGate’s diagnostic packet capture functionality.
Combined with our existing monitoring of Windows authentication events, identity activity, and firewall telemetry, these detections enable our analysts to identify potential credential harvesting activity at an earlier stage and investigate suspicious behaviour before it develops into a wider compromise. Alongside our Managed Detection and Response (MDR) service, this provides customers with continuous monitoring of perimeter infrastructure, expert-led threat hunting, and rapid incident response to help reduce the risk of credential theft, ransomware staging, and unauthorised access.
Primary source: Fortinet PSIRT – Analysis of Reported Credential Compromise of FortiGate Devices