FortiBleed: What’s Happening With Victim Organisations

FortiBleed campaign: mass FortiGate config dumps and cracked VPN creds for sale

Understanding the FortiBleed Cyber Threat

The FortiBleed cyber threat is impacting organisations around the world. In the past few weeks, attackers have targeted FortiGate firewalls, exporting device configurations and cracking credential hashes at scale. This update explores what happened, why FortiBleed matters, and what organisations should do to mitigate the risks associated with this ongoing attack.

How FortiBleed Attacks Unfolded

FortiBleed is a widespread cyber incident involving FortiGate firewalls, popular network security devices used by many organisations. Attackers scanned the internet to discover exposed FortiGate devices. Once identified, they logged in—often by exploiting unpatched vulnerabilities or using dormant admin accounts left from prior breaches. The attackers then exported the full configuration of the device. These config files contain hashed credentials for all users, including admin accounts.

Credential Hash Cracking at Scale

After exporting configurations, attackers used powerful rented GPU clusters to crack the password hashes offline. Renting GPU power from cloud providers is now trivial, making large-scale password cracking feasible for threat actors. In this case, the attackers reportedly rented 36 enterprise-grade GPUs, allowing them to turn hashed credentials into plain-text passwords rapidly. These credentials are now being sold online, most notably as FortiVPN credentials, which can enable further follow-on intrusions.

Evidence of Compromise Across Thousands of Devices

Open directories uncovered in the attacker’s infrastructure revealed logs of successful logins and full configuration dumps from thousands of FortiGate firewalls. While only about 1,000 organisations were confirmed to be internally compromised, evidence shows the attackers logged into and exported configurations from tens of thousands of devices. This means many organisations may still face risks from dormant backdoors or resold credentials.

  • Attackers scanned for FortiGate devices online
  • Logged in using vulnerabilities or backdoor admin accounts
  • Exported full device configurations containing credential hashes
  • Cracked hashes with rented GPU clusters
  • Resold credentials for VPN access and further attacks

Why FortiBleed Matters to Organisations

The FortiBleed campaign highlights several critical cybersecurity issues for organisations. Firstly, it demonstrates how attackers use automation and cloud resources to compromise devices at scale. With the ability to rent enterprise-level GPU clusters by the hour, attackers can crack vast numbers of passwords quickly, making password hashes a weak defence if device configurations are stolen.

Risks of Dormant Admin Accounts and Backdoors

One significant finding from FortiBleed is the widespread presence of dormant admin accounts on compromised devices. In many cases, these backdoor accounts were created during previous breaches, often by ransomware groups, and left active for future access. Attackers can use these accounts to regain access even after an initial compromise is remediated. This increases the risk of persistent threats inside organisational networks.

Potential for Widespread Follow-On Attacks

With thousands of FortiGate credentials now in the hands of cybercriminals, there is a high risk of follow-on intrusions. These credentials are actively being resold on cybercrime forums, enabling other threat actors to access victim networks. Organisations that rely on FortiGate firewalls for remote access, such as VPNs, are particularly exposed if compromised credentials are not changed quickly.

  • Loss of control over network perimeter
  • Exposure of sensitive data
  • Risk of ransomware or further breaches
  • Increased challenge to detect dormant attackers

What Organisations Using FortiGate Should Do Now

Given the scale and sophistication of FortiBleed, immediate action is required for any organisation using FortiGate devices. Proactivity and vigilance are essential to contain potential threats and prevent further compromise.

Steps for Detection and Remediation

  • Review FortiGate Logs: Check system event logs for configuration export messages. Filter for ‘config’ related events to see if your device’s config was exported.
  • Reset All Credentials: Change all passwords for users and administrators. Do not rely on existing credentials, as they may have been cracked and leaked.
  • Audit for Dormant or Unauthorised Accounts: Review all admin accounts on your FortiGate device. Remove any unrecognised or unused accounts, especially those not created by your own IT team.
  • Patch and Update: Apply the latest FortiOS security patches. Ensure all known vulnerabilities are addressed to prevent further exploitation.
  • Monitor for Unusual Access: Watch for suspicious logins, especially from unexpected IP addresses or at unusual times. Look for any use of exported credentials.
  • Rotate VPN Credentials: If your organisation uses FortiGate for VPN access, rotate all VPN user credentials and consider implementing multi-factor authentication (MFA) if not already in place.
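As an added illustration of the log-review, account-audit and access-monitoring steps above (example code written for this bulletin, not a Fortinet tool), the following Python script parses FortiGate-style key=value system event logs and flags configuration exports, successful administrator logins from outside an assumed trusted management range, and newly created administrator accounts. The log lines, users and addresses are constructed for the example, and the exact action and message strings vary by FortiOS version, so adjust the keywords to what your own device emits.

```python
import ipaddress
import re

# Constructed sample records in FortiGate's key=value syslog layout. The users,
# addresses and message strings are made up for this example, not real device output.
SAMPLE_LOGS = """\
date=2026-06-01 time=09:12:44 type="event" subtype="system" user="admin" srcip=203.0.113.50 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.50)"
date=2026-06-01 time=09:13:02 type="event" subtype="system" user="admin" srcip=203.0.113.50 action="download" msg="User admin downloaded config from https(203.0.113.50)"
date=2026-06-01 time=09:13:40 type="event" subtype="system" user="admin" srcip=203.0.113.50 action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"
date=2026-06-01 time=10:05:11 type="event" subtype="system" user="netops" srcip=192.0.2.10 action="login" status="success" msg="Administrator netops logged in successfully from ssh(192.0.2.10)"
"""

# Assumed management network; replace with your own trusted admin source ranges.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EXPORT_WORDS = ("download", "backup", "export")

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def findings_for(rec: dict) -> list:
    """Apply the bulletin's three checks to a single parsed system event."""
    found = []
    msg, action = rec.get("msg", "").lower(), rec.get("action", "").lower()
    # 1. Configuration exported or downloaded: the first step of the campaign.
    if "config" in msg and (action in _EXPORT_WORDS or any(w in msg for w in _EXPORT_WORDS)):
        found.append("config export")
    # 2. Successful admin login from outside the trusted management networks.
    if action == "login" and rec.get("status") == "success" and "srcip" in rec:
        src = ipaddress.ip_address(rec["srcip"])
        if not any(src in net for net in TRUSTED_ADMIN_NETS):
            found.append("admin login from untrusted address")
    # 3. New administrator object created: a candidate dormant backdoor account.
    if action == "add" and rec.get("cfgpath") == "system.admin":
        found.append(f"new admin account {rec.get('cfgobj', '?')}")
    return found

def triage(lines: list) -> list:
    """Return (timestamp, user, finding) tuples for every suspicious record."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue  # only system event logs are relevant to these checks
        for finding in findings_for(rec):
            out.append((f"{rec.get('date')} {rec.get('time')}", rec.get("user", "?"), finding))
    return out
```

Against an exported log file, call `triage(open(path).readlines())` and review every returned finding against your change records.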

Long-Term Defensive Measures

  • Implement Strong Authentication: Enforce strong password policies and use multi-factor authentication for all remote access.
  • Restrict Admin Access: Limit admin access to trusted IP addresses and monitor for new admin account creation.
  • Regularly Audit Configurations: Schedule periodic audits of all device configurations and admin accounts to spot anomalies early.
  • Educate IT Teams: Ensure IT staff are aware of current threats and trained on best practice for device hardening and incident response.

Conclusion: FortiBleed Underscores the Need for Proactive Security

The FortiBleed incident is a stark reminder that attackers are leveraging automation and cloud resources to breach organisations at scale. The exposure of thousands of FortiGate configurations and the cracking of credentials show that even robust security technology can be undermined if not maintained and monitored vigilantly.

Organisations must act swiftly to review their FortiGate exposure, reset credentials, and audit for unauthorised access. By combining immediate remediation with long-term improvements in device management and authentication, it is possible to reduce the risk of future breaches.

Originally reported by doublepulsar.com.


About the Author


Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc


Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK and has featured on national media such as BBC News, iPlayer, the Telegraph and Times Radio for his professional commentary.

Published: Jun 19 - 2026