CISA is urging Fortinet customers with FortiGate appliances to secure their devices against an ongoing campaign dubbed FortiBleed, believed to be the work of Russian-speaking threat actors. As of June 19, 2026, the number of compromised devices stands at 86,644.
According to SOCRadar data, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority (63.3%) of compromised credentials. Organization-specific accounts make up the remaining 36.7%.
SOCRadar said this points to a widespread failure to rename default accounts or rotate factory credentials, giving attackers a highly reliable target list without needing brute force. The fact that org-specific accounts are well-represented means attackers have also compromised accounts created by organizations themselves, possibly sourced from prior breaches where passwords were never changed.
Telecom, government, and education are the top three impacted sectors, with the most exposures in India, the US, Mexico, Colombia, and Thailand.
The threat actors mass-scanned the internet for Fortinet remote login endpoints (administrative interfaces and VPN portals), then used a bespoke tool to spray those endpoints with known username and password combinations, i.e. credential stuffing rather than exhaustive brute force. Once access is obtained, they passively monitor network traffic passing through the compromised device to harvest additional credentials, which are then used to compromise more appliances.
The UK NCSC described FortiBleed as a global campaign targeting internet-facing Fortinet firewalls and VPN gateways using brute-force, dictionary attacks, and credential stuffing. Arctic Wolf noted that Fortinet introduced PBKDF2-based password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1, but existing passwords remain stored as weaker SHA-256 hashes until an administrator logs in after upgrading; upgrading alone does not re-hash stored credentials, so accounts that never log in again keep the old hash.
Fortinet stated the data involved is likely a resharing of data from previous incidents, including CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with brute-forcing of weak credentials. CISA recommends resetting all Fortinet VPN and admin passwords, enabling phishing-resistant MFA, and reviewing logs for suspicious activity.
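The log review CISA recommends can be partly automated. The script below is an added example, not code from CISA, Fortinet, SOCRadar or Arctic Wolf: it parses FortiOS-style key=value event lines and flags the pattern described above, a single source failing logins against several different usernames (spraying), a later successful login from that same source (a credential-stuffing hit), and any successful login to a generic or built-in account name. The sample log lines are constructed for this example, the list of generic account names and the spray threshold are assumptions, and only the field names (type, subtype, action, status, user, srcip, remip) follow the FortiOS key=value layout.

```python
"""Flag credential spraying and generic-account logins in FortiOS-style logs.

Added example for illustration; not vendor or agency code. The log lines,
account list and threshold below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in FortiOS key=value style (not real telemetry).
SAMPLE_LOGS = """\
date=2026-06-18 time=09:00:01 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=203.0.113.10 msg="Administrator admin login failed from https(203.0.113.10) because of invalid password"
date=2026-06-18 time=09:00:02 type="event" subtype="system" level="alert" action="login" status="failed" user="administrator" srcip=203.0.113.10 msg="Administrator administrator login failed from https(203.0.113.10) because of invalid user name"
date=2026-06-18 time=09:00:03 type="event" subtype="system" level="alert" action="login" status="failed" user="fortinet" srcip=203.0.113.10 msg="Administrator fortinet login failed from https(203.0.113.10) because of invalid user name"
date=2026-06-18 time=09:00:04 type="event" subtype="vpn" level="information" action="ssl-login-fail" status="failure" user="guest" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2026-06-18 time=09:00:09 type="event" subtype="system" level="information" action="login" status="success" user="admin" srcip=203.0.113.10 msg="Administrator admin logged in successfully from https(203.0.113.10)"
date=2026-06-18 time=09:05:00 type="event" subtype="system" level="alert" action="login" status="failed" user="jsmith" srcip=198.51.100.7 msg="Administrator jsmith login failed from https(198.51.100.7) because of invalid password"
date=2026-06-18 time=09:05:06 type="event" subtype="system" level="information" action="login" status="success" user="jsmith" srcip=198.51.100.7 msg="Administrator jsmith logged in successfully from https(198.51.100.7)"
date=2026-06-18 time=09:10:00 type="event" subtype="vpn" level="information" action="tunnel-up" user="acme-netops" remip=192.0.2.25 msg="SSL tunnel established"
"""

# Assumed list of generic / built-in names worth flagging on any success.
GENERIC_ACCOUNTS = {"admin", "administrator", "fortinet", "guest", "root", "test", "vpn", "user"}
# Assumed threshold: failures against this many distinct users from one IP = spraying.
SPRAY_DISTINCT_USERS = 3

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS-style log line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def is_failure(ev):
    return ev.get("status") in {"failed", "failure"} or ev.get("action", "").endswith("-fail")


def is_success(ev):
    return ev.get("status") == "success" and ev.get("action") in {"login", "ssl-login"}


def source_ip(ev):
    # Admin logins carry srcip; SSL VPN events carry remip.
    return ev.get("srcip") or ev.get("remip")


def analyze(log_text):
    """Return spray sources, stuffing hits and generic-account logins."""
    failed_users = defaultdict(set)   # ip -> usernames that failed from it
    failure_count = defaultdict(int)  # ip -> number of failed attempts
    successes = []                    # (ip, user) for successful logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ip, user = source_ip(ev), ev.get("user")
        if not ip or not user:
            continue
        if is_failure(ev):
            failed_users[ip].add(user)
            failure_count[ip] += 1
        elif is_success(ev):
            successes.append((ip, user))
    # A source that fails against several distinct names is spraying; one user
    # mistyping their own password (jsmith above) does not cross the threshold.
    spray_sources = sorted(ip for ip, users in failed_users.items()
                           if len(users) >= SPRAY_DISTINCT_USERS)
    # A success from a spraying source is a credential-stuffing hit.
    stuffing_hits = sorted({(ip, u) for ip, u in successes if ip in spray_sources})
    generic_logins = sorted({(ip, u) for ip, u in successes if u.lower() in GENERIC_ACCOUNTS})
    return {
        "spray_sources": spray_sources,
        "stuffing_hits": stuffing_hits,
        "generic_logins": generic_logins,
        "failure_count": dict(failure_count),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run against a real export (for example the event log downloaded from the FortiGate GUI or forwarded to a SIEM), every source in spray_sources should be blocked and every account in stuffing_hits or generic_logins treated as compromised and reset, which is the password-reset step CISA calls for. The deliberately low threshold and the generic-name list are the two knobs to tune for an environment.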
