FortiBleed: 86,000 Fortinet Firewalls Compromised — Is Your VPN in the Dataset?
On June 17, 2026, security researcher Volodymyr "Bob" Diachenko and threat-intelligence firm Hudson Rock disclosed what they named FortiBleed: a dataset of working login credentials tied to 73,932 Fortinet FortiGate firewall and SSL VPN URLs spanning 194 countries. By June 19, CISA had issued an advisory urging immediate action. As of this writing, the verified compromised-device count has climbed past 86,000 and is still growing.
This isn't a single zero-day. It's the compounded interest on years of deferred patching, crackable legacy password storage, and credential reuse — and Fortinet firewalls are the perimeter device of choice for an enormous chunk of small and mid-size businesses worldwide.
How FortiBleed Actually Worked
The operation was multi-stage. Researchers attribute it to a Russian-speaking threat group that ran approximately 1.16 billion credential-stuffing attempts against more than 320,000 internet-facing FortiGate targets. That scale alone isn't unusual — the combination of factors that made it this effective is.
Old CVEs, never patched. Fortinet has been dealing with high-severity authentication bypass and remote code execution flaws for years. Three in particular — CVE-2022-40684, CVE-2023-27997, and CVE-2024-55591 — gave attackers the ability to extract configuration files and reach management interfaces without valid credentials. The patches existed. Widespread patching didn't happen.
Weak password hashing, with a nasty upgrade trap. FortiOS versions prior to 7.2.11, 7.4.8, and 7.6.1 stored administrator credentials as SHA-256 hashes — fast to compute and parallelizable on modern GPUs. Fortinet switched to PBKDF2-based storage (deliberately slow and computationally expensive) in those newer releases. But there is a critical catch: upgrading FortiOS does not automatically rehash existing passwords. An administrator has to log in interactively after the upgrade for the conversion to take effect. On thousands of devices, that step never happened.
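To make the upgrade trap concrete, here is an added illustration (not FortiOS code, and not Fortinet's hash format) of why a firmware upgrade alone cannot rehash anything: the plaintext password is only available during an interactive login, so that is the only moment a legacy record can be converted. The record layout, the unsalted single SHA-256 for the legacy format and the PBKDF2 work factor are assumptions chosen to show the mechanism; the `legacy_accounts()` helper is the kind of check an audit should run after upgrading.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed illustration of the rehash-on-login behaviour described above.
# This is NOT FortiOS code: the record layout, the unsalted legacy hash and the
# PBKDF2 work factor below are assumptions chosen to show the mechanism.

PBKDF2_ITERATIONS = 200_000   # assumed work factor; the point is that it is deliberately slow
SALT_BYTES = 16


def legacy_sha256_record(password: str) -> dict:
    """Legacy-style record: one fast, unsalted SHA-256 of the password (assumed format)."""
    return {"algo": "sha256", "hash": hashlib.sha256(password.encode()).hexdigest()}


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Modern record: salted PBKDF2-HMAC-SHA256, expensive to brute-force."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2-sha256", "salt": salt.hex(), "iters": PBKDF2_ITERATIONS, "hash": dk.hex()}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison against whichever format the record is stored in."""
    if record["algo"] == "sha256":
        candidate = hashlib.sha256(password.encode()).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iters"]
        ).hex()
    return hmac.compare_digest(record["hash"], candidate)


class AdminStore:
    """Minimal admin credential store that upgrades legacy hashes only on a successful login."""

    def __init__(self, records: dict):
        self.records = dict(records)

    def login(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None or not verify(rec, password):
            return False
        # The upgrade trap: the plaintext is only in hand here, during an
        # interactive login, so a firmware upgrade by itself can never do this step.
        if rec["algo"] == "sha256":
            self.records[user] = pbkdf2_record(password)
        return True

    def legacy_accounts(self) -> list:
        """Accounts still protected only by the fast legacy hash (what a post-upgrade audit should report)."""
        return sorted(u for u, r in self.records.items() if r["algo"] == "sha256")


def guesses_per_second(record: dict, seconds: float = 0.5) -> float:
    """Rough single-core verification rate; shows why the legacy format is crackable offline."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        verify(record, "not-the-password")
        n += 1
    return n / seconds


if __name__ == "__main__":
    store = AdminStore({"admin": legacy_sha256_record("CorrectHorse"),
                        "ops": pbkdf2_record("BatteryStaple")})
    print("legacy accounts after upgrade, before any login:", store.legacy_accounts())
    store.login("admin", "CorrectHorse")
    print("legacy accounts after admin logs in:", store.legacy_accounts())
    print("sha256 verifications/s:", round(guesses_per_second(legacy_sha256_record("x"))))
    print("pbkdf2 verifications/s:", round(guesses_per_second(store.records["ops"]), 1))
```

Running it shows the legacy account disappearing from `legacy_accounts()` only after a successful login, and the verification-rate gap between the two formats on a single CPU core; on GPUs the gap for the unsalted fast hash is far larger, which is the whole reason the slow format exists.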
Credential reuse. A substantial portion of the compromised credentials were recycled from earlier breaches and infostealer campaigns. Even organizations that had never been directly breached appeared in the dataset because staff were reusing passwords from other compromised services.
The result: plaintext usernames and passwords for firewall admin accounts, SSL VPN endpoints, and full device configuration exports — along with business-intelligence data (company size, revenue, industry) — for tens of thousands of organizations across government, telecom, healthcare, finance, education, and manufacturing.
Who Is in the Dataset
Hudson Rock's analysis found entries tied to Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and numerous government agencies. The heaviest geographic concentrations are India, the United States, Mexico, Colombia, and Thailand. Telecom is the hardest-hit sector with more than 5,600 entries; government follows with 591 entries spanning 111 domains. Security researchers Kevin Beaumont and others have verified the data's authenticity independently.
The enterprise names make the headlines, but small businesses are likely the majority of the affected count. Fortinet's FortiGate line is pervasive at the SMB level precisely because it delivers capable perimeter security at a manageable price point. If your organization runs a dedicated firewall appliance, there is a reasonable chance it is FortiGate. You can check whether your device appears in the FortiBleed dataset using Hudson Rock's free lookup tool (search "Hudson Rock FortiBleed lookup").
What to Do Right Now
CISA's June 19 advisory is explicit about priority order. Work through this list today, not this week.
- Terminate all active sessions. Kill every SSL VPN and management session immediately. This doesn't fix the underlying issue, but it evicts any attacker currently using a stolen credential.
- Rotate every credential. Change all FortiGate administrator passwords, all SSL VPN account passwords, and any shared credentials that touch these devices. If your device ran a pre-patch FortiOS version at any point, treat every existing password as compromised.
- Upgrade and force PBKDF2 rehashing. Update to FortiOS 7.2.11, 7.4.8, or 7.6.1 (or later) — then have each administrator log in interactively after the upgrade. Upgrading without the subsequent login leaves the legacy SHA-256 hashes in place and your credentials still crackable.
- Enable phishing-resistant MFA. CISA singles this out above everything else. A leaked password is inert if the attacker cannot complete the second factor. Hardware tokens or FIDO2 keys are preferred over SMS codes.
- Remove management access from the public internet. The management interface of your firewall should never be reachable from arbitrary IP addresses. Restrict it to a management VLAN or a specific trusted IP range.
- Audit for unauthorized accounts and lateral movement. If your device appeared in the dataset — or you cannot confirm it didn't — review authentication logs, look for new admin accounts or policy changes, and check whether any internal systems were reached from the firewall's management plane.
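The audit step above is the one most people skip because it means reading logs. As an added example (not Fortinet's tooling, and not part of the original post), the script below runs four detection rules over a handful of constructed event-log lines: a successful admin login from outside the management network, a burst of failed logins from one source, creation of a new admin account, and a firewall policy change. It assumes FortiGate's key=value event-log style with fields such as `action`, `status`, `user`, `srcip` and `cfgpath`; the sample lines, the trusted management range (`10.10.0.0/24`) and the failure threshold are all constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed management VLAN: successful admin logins from anywhere else are suspicious.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]
FAIL_THRESHOLD = 3   # assumed: this many failed logins from one source is a burst

# Constructed sample lines in FortiGate-style key=value form (not real device output).
SAMPLE_LOGS = [
    'date=2026-06-18 time=08:01:12 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.10.0.5 ui="https(10.10.0.5)" msg="Administrator admin logged in successfully"',
    'date=2026-06-18 time=02:14:07 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.45 ui="https(203.0.113.45)" msg="Administrator admin logged in successfully"',
    'date=2026-06-18 time=02:10:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator admin login failed"',
    'date=2026-06-18 time=02:10:03 type="event" subtype="system" action="login" status="failed" user="root" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator root login failed"',
    'date=2026-06-18 time=02:10:05 type="event" subtype="system" action="login" status="failed" user="fortinet" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator fortinet login failed"',
    'date=2026-06-18 time=02:16:40 type="event" subtype="system" action="Add" user="admin" srcip=203.0.113.45 cfgpath="system.admin" cfgobj="svc-backup" msg="Add system.admin svc-backup"',
    'date=2026-06-18 time=02:18:02 type="event" subtype="system" action="Edit" user="admin" srcip=203.0.113.45 cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]

# key=value where value is either "quoted (may contain spaces)" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def audit(lines) -> list:
    """Return a list of findings; each is a dict with at least a 'rule' key."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        action = ev.get("action", "").lower()
        status = ev.get("status", "").lower()
        src = ev.get("srcip", "")
        when = f'{ev.get("date", "?")} {ev.get("time", "?")}'
        if action == "login" and status == "success" and not is_trusted(src):
            findings.append({"rule": "admin_login_untrusted_source", "user": ev.get("user"),
                             "srcip": src, "when": when})
        if action == "login" and status == "failed":
            failures[src] += 1
        if ev.get("cfgpath") == "system.admin" and action == "add":
            findings.append({"rule": "new_admin_account", "account": ev.get("cfgobj"),
                             "by": ev.get("user"), "srcip": src, "when": when})
        if ev.get("cfgpath", "").startswith("firewall.policy") and action in ("add", "edit", "delete"):
            findings.append({"rule": "policy_change", "policy": ev.get("cfgobj"),
                             "by": ev.get("user"), "srcip": src, "when": when})
    for src, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append({"rule": "login_failure_burst", "srcip": src, "count": n})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f)
```

Feed it a real export of the device's event log in place of `SAMPLE_LOGS` (one line per event) and adjust `TRUSTED_MGMT` to your own management range. Any `new_admin_account` or `policy_change` finding that nobody on the team can account for, especially one originating from an untrusted source, is the signal that the device was used as a foothold rather than merely logged into.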
The Harder Lesson
What makes FortiBleed genuinely uncomfortable is how avoidable it was. CVE-2022-40684 was disclosed and patched in October 2022. CVE-2023-27997 in June 2023. CVE-2024-55591 in January 2025. The SHA-256-to-PBKDF2 upgrade requirement is documented in Fortinet's own release notes. None of this was obscure. The campaign succeeded because fixes that existed on paper didn't happen in practice, at scale, across the affected install base.
The FortiBleed dataset is public and growing. Threat actors who weren't part of the original campaign are now working through it opportunistically. The window for getting ahead of this is narrow and closing.
At Falcon Internet, devices in scope for our managed clients are being cross-checked against the FortiBleed dataset this week under our 24x7x365 NOC monitoring. If you manage your own Fortinet hardware, run through the CISA checklist above before you do anything else today.