Advisory on Credential Compromise of FortiGate Devices ("FortiBleed")
22 June 2026
A threat actor has leaked credentials of over 70,000 FortiGate devices worldwide, making them vulnerable to network intrusions. Check access control configurations of FortiGate devices immediately.
Background
Fortinet firewalls and VPN gateways were targeted in a credential-harvesting campaign referred to as "FortiBleed." A database of credentials was leaked by a threat actor following brute-force, dictionary and credential stuffing attempts against internet-facing FortiGate and VPN portals.
Credential stuffing is a method where attackers use passwords stolen from one service to try to access accounts on other services, taking advantage of any reuse of username and password combinations.
Impact
Threat actors may gain unauthorised administrative or VPN access to affected FortiGate appliances, which could subsequently be used for lateral movement into the internal network, unauthorised configuration changes, or further compromise of connected systems such as Active Directory (AD) or LDAP infrastructure.
What You Can Do
Check whether your organisation may have been affected. Use one of the following tools to determine if your organisation is present in the compromised dataset:
Terminate sessions and reset credentials. Terminate all active administrative and VPN sessions. Reset all Fortinet VPN and administrative passwords, particularly on internet-facing systems, and enforce strong password policies.
Implement MFA. Enable multi-factor authentication (MFA) on all administrator and VPN user accounts.
Enable PBKDF2. Upgrade to the latest versions of FortiOS 7.4, 7.6, or 8.0, which support PBKDF2 hashing of administrator credentials. Remove legacy password hashing settings using the set login-lockout-upon-weaker-encryption command. (See: Fortinet Technical Tip: Enforcing PBKDF2 as Hash Function for Administrator Accounts in FortiOS v7.2.11 and later: https://community.fortinet.com/fortigate-3/technical-tip-enforcing-pbkdf2-as-hash-function-for-administrator-accounts-in-fortios-v7-2-11-and-later-220652)
Validate configuration. Review firewall, VPN user, and other configuration settings for unauthorised changes. Where possible, compare current configuration against a known-good baseline. Pay particular attention to unrecognised accounts (e.g., names such as forticloud, fortiuser, fortinet-support, fortinet-tech-support).
Review logs. Check logs for unexpected administrator access from unknown IP addresses, and review domain controller logs for signs of lateral movement, unusual access, suspicious accounts, or unauthorised configuration changes.
Reduce attack surface and lock down management access. Restrict external management access via trusted hosts, apply a local-in policy, or disable internet-facing administrative access entirely where feasible.
Consider a factory reset of the device. Changing credentials alone may not be sufficient if threat actors have obtained persistence on the device (See: Technical Tip: How to reset to Factory Default configuration: https://community.fortinet.com/fortigate-3/technical-tip-how-to-reset-to-factory-default-configuration-using-external-button-100037). Ensure you have obtained logs, configs and other artefacts from the device which may be useful for investigations, as these will be destroyed during the factory reset process.
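The configuration and log review steps above can be scripted. The following is an added example (not Fortinet's code or part of this advisory) that reads the "config system admin" block of a FortiOS configuration backup and flags administrator accounts not on an approved list, then scans key=value event-log lines for successful administrator logins by unknown users or from outside approved management networks. The sample config, log lines, field names (user, srcip, action, status), approved admin list and trusted network are constructed assumptions; replace them with your own.

```python
import re
import ipaddress
# Constructed sample: a "config system admin" block as found in a FortiOS config backup.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud"
        set accprofile "super_admin"
    next
end
"""
# Constructed sample event-log lines in FortiGate key=value style (field names assumed).
SAMPLE_LOGS = [
    'date=2026-06-22 time=08:02:11 logdesc="Admin login successful" user="admin" srcip=10.0.0.15 action="login" status="success"',
    'date=2026-06-22 time=08:40:53 logdesc="Admin login successful" user="forticloud" srcip=198.51.100.23 action="login" status="success"',
    'date=2026-06-22 time=09:01:02 logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"',
]
KNOWN_ADMINS = {"admin"}                               # placeholder: your authorised administrator list
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # placeholder: approved management source networks
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value pairs, values optionally double-quoted

def parse_kv(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def unrecognised_admins(config_text, known):
    """Return admin names defined under 'config system admin' that are not in the known set."""
    admins, in_block = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("edit "):
            admins.append(line.split(" ", 1)[1].strip('"'))
    return [a for a in admins if a not in known]

def suspicious_logins(lines, known, trusted_nets):
    """Flag successful logins by unknown admin users or from outside the trusted networks."""
    hits = []
    for f in map(parse_kv, lines):
        if f.get("action") != "login" or f.get("status") != "success" or "srcip" not in f:
            continue
        src = ipaddress.ip_address(f["srcip"])
        if f.get("user") not in known or not any(src in n for n in trusted_nets):
            hits.append((f.get("user"), f["srcip"]))
    return hits
```

Run it against a configuration backup and exported event logs rather than the samples; any account or login it reports should be treated as a lead for the validation and log-review steps above, not as proof of compromise on its own.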
Conclusion
Organisations operating FortiGate devices, particularly those with internet-facing administrative or VPN access, are encouraged to implement the mitigation measures above as a matter of priority, and to remain vigilant for indicators of unauthorised access.