FortiBleed: When VPN Credentials Become Everyone’s Problem
CISA warned Fortinet customers about FortiBleed, a large-scale campaign targeting internet-facing FortiGate devices. As of 19 June 2026, 86,644 devices were reportedly compromised. Attackers appear to be using leaked, weak and reused credentials, along with automated spraying against Fortinet remote login endpoints. The campaign has affected telecom, government and education sectors, with exposure across many countries. Recommended actions include terminating sessions, resetting VPN and administrator passwords, enabling phishing-resistant MFA, upgrading FortiOS and restricting external management access.
Fortinet customers have been warned about FortiBleed, a large-scale campaign targeting internet-facing FortiGate firewalls and VPN gateways. The reported numbers are not small: more than 86,000 devices were said to be compromised as of 19 June 2026.
This is not simply a case of a single clever exploit. The campaign appears to involve credential stuffing, password spraying and reuse of old or weak credentials. In other words, attackers are doing what attackers do best: trying known passwords at scale and waiting for poor hygiene to do the rest.
SOCRadar reported that generic admin accounts and built-in Fortinet system accounts made up a large portion of compromised credentials. That strongly suggests many organisations are still leaving default-style accounts in place or failing to rotate credentials properly.
The attackers are believed to scan the internet for exposed Fortinet login portals, test curated credential lists, and then use compromised appliances to monitor traffic and gather more credentials. It is cybercrime’s version of a loyalty scheme: compromise one gateway, collect points, compromise more.
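To make the spraying pattern described above concrete from the defender's side, here is an added example (not from CISA, Fortinet or SOCRadar) that flags a source address failing logins against many different usernames in a short window, and notes whether a successful login followed. The log lines are constructed, and the field names (`date`, `time`, `user`, `srcip`, `action`, `status`) and both thresholds are assumptions to map onto your own log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in key=value style; field names are assumptions, not real logs.
SAMPLE = """\
date=2026-06-19 time=10:00:01 user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2026-06-19 time=10:00:03 user="administrator" srcip=203.0.113.7 action="login" status="failed"
date=2026-06-19 time=10:00:05 user="support" srcip=203.0.113.7 action="login" status="failed"
date=2026-06-19 time=10:00:08 user="backup" srcip=203.0.113.7 action="login" status="failed"
date=2026-06-19 time=10:00:30 user="support" srcip=203.0.113.7 action="login" status="success"
date=2026-06-19 time=10:01:00 user="jsmith" srcip=198.51.100.20 action="login" status="failed"
date=2026-06-19 time=10:01:20 user="jsmith" srcip=198.51.100.20 action="login" status="failed"
date=2026-06-19 time=10:01:45 user="jsmith" srcip=198.51.100.20 action="login" status="success"
""".splitlines()

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    # Accept both quoted and bare values: user="admin" and srcip=203.0.113.7
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def detect_spray(lines, window=timedelta(minutes=5), min_users=4):
    """Return {srcip: finding} for sources failing >= min_users distinct users in window."""
    fails, wins = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        ts = datetime.fromisoformat(f'{ev["date"]} {ev["time"]}')
        if ev.get("status") == "failed":
            fails[ev["srcip"]].append((ts, ev.get("user", "")))
        elif ev.get("status") == "success":
            wins[ev["srcip"]].append((ts, ev.get("user", "")))
    findings = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                since = events[start][0]
                hits = sorted({u for t, u in wins[ip] if t >= since})
                findings[ip] = {"users": sorted(users), "success_after": hits}
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
```

A non-empty `success_after` is the case to escalate first, since it means a sprayed account actually logged in. Counting per source address will miss spraying spread across many sources, so a per-username view of failures is a useful companion check.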
CISA and Fortinet recommend urgent defensive action. Terminate active VPN and admin sessions, reset all relevant credentials, enforce strong password policies, enable phishing-resistant MFA, upgrade to supported FortiOS versions and restrict external management access.
Most importantly, do not leave firewall administration open to the internet unless you absolutely need to. And if you do, make sure it is locked down tighter than the biscuit tin in a busy office.