FortiBleed: How a Massive Credential Harvesting Operation is Targeting Thousands of FortiGate Firewalls
In a concerning development, a Russian-speaking initial access broker (IAB) is behind a large-scale credential-harvesting campaign that has already compromised over 430,000 FortiGate firewalls globally. Dubbed “FortiBleed,” this operation has been active since February 2026, leveraging a combination of tactics to gain unauthorized access to enterprise networks.
The Anatomy of FortiBleed
The FortiBleed campaign primarily involves collecting compromised credential lists, searching for exposed FortiGate services, brute-forcing accessible systems, and deploying custom malware to maintain persistence. The attackers are believed to be driven by financial gain, using the harvested credentials to further infiltrate targeted organizations.
According to the security research, the IAB group behind FortiBleed has demonstrated advanced techniques, including the use of custom tools and scripts to automate the identification and exploitation of vulnerable FortiGate firewalls. These attacks have been observed across a wide range of industries, including finance, healthcare, and critical infrastructure.
The Threat Landscape and Implications
The scale and sophistication of the FortiBleed campaign underscore the growing threat posed by credential-based attacks targeting network infrastructure. In 2026 alone, over 110 million credentials have been compromised through this operation, providing the attackers with a vast pool of potential access points into enterprise environments.
“This is a wake-up call for organizations that rely on FortiGate firewalls,” said Asad Ijaz, a senior cybersecurity analyst at NetworkUstad. “IT teams must prioritize patching, access control, and robust authentication measures to mitigate the risk of such large-scale credential harvesting attacks.”
Recommendations for IT Professionals
To combat the FortiBleed threat, IT professionals should consider the following steps:
- Patch Management: Ensure all FortiGate firewalls are running the latest firmware versions with all critical security updates applied. Regularly monitor vendor advisories for new vulnerabilities.
- Access Controls: Implement strong access controls, such as multi-factor authentication (MFA) and strict password policies, for all FortiGate management interfaces. Limit administrative access to only those who require it.
- Network Segmentation: Leverage micro-segmentation and zero-trust principles to isolate FortiGate firewalls from the rest of the network, reducing the potential impact of a successful compromise.
- Logging and Monitoring: Enable comprehensive logging and monitoring on FortiGate devices to detect suspicious activity, such as brute-force attempts or unauthorized access. Integrate these logs with a security information and event management (SIEM) solution for centralized analysis.
- Incident Response Planning: Develop and regularly test incident response plans to ensure the organization is prepared to swiftly detect, contain, and remediate any FortiBleed-related incidents.
The Bottom Line
The FortiBleed campaign serves as a stark reminder of the ongoing threats facing network infrastructure. IT teams managing FortiGate firewalls must remain vigilant, implement robust security controls, and stay proactive in their defense against such large-scale credential harvesting operations. By taking these measures, organizations can significantly reduce their risk and protect their critical assets from the growing threat landscape.