FortiBleed is the most dangerous kind of breach because there is nothing to patch. A Russian-speaking threat group harvested configuration files from internet-facing Fortinet FortiGate firewalls, cracked the stored password hashes, and assembled a database of verified working administrator credentials for roughly 86,000 devices across 194 countries, about half of all Fortinet firewalls exposed to the internet. CISA issued an emergency alert on June 18, 2026. The critical detail, and the one that makes this worse than a typical zero-day, is that FortiBleed exploits no software vulnerability. There is no fix to install. Every affected organization has to assume its credentials are already in enemy hands.

  • Researchers found verified working admin credentials for roughly 86,644 FortiGate devices across 194 countries, nearly half of all internet-facing Fortinet firewalls.
  • FortiBleed exploits no CVE: attackers cracked weakly hashed credentials from exposed config files, so there is no patch that closes it.
  • The campaign ran an estimated 1.16 billion credential attempts against more than 320,000 FortiGate targets, cracked on a 45-GPU cluster.
  • CISA's June 18 alert urges resetting all VPN and admin passwords, enabling phishing-resistant MFA, and removing management interfaces from the public internet.

What actually happened

The incident surfaced on June 13, 2026, when researcher Volodymyr "Bob" Diachenko discovered an exposed attacker server hosting a growing database of validated FortiGate credentials alongside automated attack tooling. What he found revealed a methodical, large-scale operation: roughly 1.16 billion credential attempts against 320,777 FortiGate targets, plus 2.1 billion attempts against more than 163,000 Microsoft SQL Server systems, with intercepted SSL VPN authentication hashes cracked on a 45-GPU cluster managed through Hashtopolis. By June 19 the confirmed count had reached about 86,644 unique devices. Independent researchers, including Kevin Beaumont, verified that credentials in the dataset were genuine and that most affected devices remained online. CISA issued an emergency advisory on June 18, the UK's NCSC published a global warning, and Fortinet's own incident response team posted guidance, all within a six-day window.


Why is a breach with no patch so much worse?

Most critical security incidents follow a familiar script: a vulnerability is disclosed, a patch ships, and defenders race to apply it before attackers exploit it. FortiBleed breaks that script entirely. The attackers did not exploit a coding flaw; they took configuration files exposed by weak operational hygiene, extracted the credential hashes inside, and cracked them offline. There is no software defect to fix, which means the usual defensive reflex, patch and move on, does nothing. The only remedy is the painful, manual work of treating every credential as burned: rotating all VPN and administrative passwords, forcing every admin to re-authenticate, and removing management interfaces from the public internet. A patch you can push in an afternoon. A full credential rotation across thousands of edge devices, verified one by one, is the kind of project that takes weeks and that overstretched security teams routinely defer, which is exactly why so many devices remain exposed.

The mechanism most coverage skips

The firewall compromise is only the entry point. Once attackers had administrative access to a FortiGate device, they used packet sniffing to intercept network traffic flowing through it, harvesting NTLM and Kerberos authentication hashes for users across the entire environment. That turns a single edge-device compromise into a foothold for taking over an organization's internal identity system, because any Active Directory account whose hash crossed that firewall could potentially be cracked and reused. This is the part that should keep defenders up at night: rotating the firewall credentials closes the front door, but if attackers already sat on the device sniffing traffic, they may hold the keys to half the internal network. The consequences have already been severe, with organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey described as fully compromised, including a Turkish NATO defense contractor from which classified documents were allegedly stolen.

Who this affects

Any organization running an internet-facing Fortinet firewall or VPN gateway is in scope, and that population is enormous, spanning government agencies, defense contractors, and private companies across 194 countries. Fortinet's position is that the activity stems from credential reuse and brute force against devices with weak password hygiene and no multifactor authentication, and that it is "not related to any recent incident or advisory." That framing is technically defensible and beside the point: whether or not it is Fortinet's fault, tens of thousands of real organizations have working credentials in an attacker's database right now. The deeper pattern is the relentless targeting of network edge devices, the firewalls and VPNs that sit at the perimeter, because compromising one of them yields a vantage point over everything behind it.


What is next

CISA's mitigations are unambiguous: terminate all SSL VPN and administrative sessions, reset every VPN and admin password, enable phishing-resistant MFA, restrict management interfaces from the public internet, and audit logs for unauthorized access and lateral movement. For the underlying hash weakness, CISA advises upgrading to FortiOS 7.2.11, 7.4.8, or 7.6.1 or later to enable PBKDF2 hashing, but with a catch: the upgrade alone does not replace existing hashes, so each administrator must log in again to swap their legacy hash for a stronger one. Watch how many devices actually get remediated, because the grim lesson of past edge-device campaigns is that a large fraction never do. The credentials do not expire on their own.
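As an added example (not from the article, CISA or Fortinet), a small tracker that applies the checklist above, including the caveat that an upgraded device keeps its legacy hashes until each admin resets a password or logs in again, to a constructed fleet inventory. The inventory format, field names and the use of the June 18 alert as the rotation cutoff are assumptions.

```python
"""FortiBleed remediation tracker for a FortiGate fleet (hypothetical helper, not
Fortinet tooling). Assumes the constructed inventory format below and treats any
password rotated before CISA's June 18 alert as still burned."""
from datetime import datetime

ALERT = datetime(2026, 6, 18)
# First FortiOS build per branch with PBKDF2 hashing, per the CISA guidance.
PBKDF2_MIN = {(7, 2): (7, 2, 11), (7, 4): (7, 4, 8), (7, 6): (7, 6, 1)}

def has_pbkdf2(version):
    v = tuple(int(p) for p in version.split("."))
    floor = PBKDF2_MIN.get(v[:2])
    if floor is None:  # unlisted branch: assume only newer ones carry the change
        return v[:2] > (7, 6)
    return v >= floor

def _ts(text):
    return datetime.fromisoformat(text) if text else None

def audit_device(dev):
    """Return open findings for one device; an empty list means fully remediated."""
    findings = []
    if dev["mgmt_public"]:
        findings.append("management interface reachable from the internet")
    if not dev["mfa"]:
        findings.append("no phishing-resistant MFA on admin/VPN logins")
    pbkdf2 = has_pbkdf2(dev["fortios"])
    if not pbkdf2:
        findings.append(f"FortiOS {dev['fortios']} still stores legacy hashes")
    upgraded = _ts(dev.get("upgraded_at"))
    for adm in dev["admins"]:
        reset, login = _ts(adm.get("password_reset_at")), _ts(adm.get("last_login"))
        if reset is None or reset < ALERT:
            findings.append(f"{adm['name']}: password not rotated since the alert")
        # Upgrading alone keeps the old hash; only a reset or login after it rewrites it.
        rehashed = upgraded and any(t and t >= upgraded for t in (reset, login))
        if pbkdf2 and not rehashed:
            findings.append(f"{adm['name']}: legacy hash not rewritten since the upgrade")
    return findings

SAMPLE_FLEET = [  # constructed inventory, not real devices
    {"host": "fgt-hq", "fortios": "7.4.8", "upgraded_at": "2026-06-19T09:00",
     "mgmt_public": False, "mfa": True, "admins": [
         {"name": "admin", "password_reset_at": "2026-06-19T10:00", "last_login": "2026-06-20T08:00"}]},
    {"host": "fgt-branch", "fortios": "7.4.8", "upgraded_at": "2026-06-19T09:00",
     "mgmt_public": True, "mfa": False, "admins": [
         {"name": "admin", "password_reset_at": "2026-06-01T10:00", "last_login": "2026-06-10T08:00"},
         {"name": "netops", "password_reset_at": "2026-06-19T11:00", "last_login": "2026-06-19T11:00"}]},
]
```

Calling `audit_device` on each `SAMPLE_FLEET` entry returns an empty list for `fgt-hq` and four open findings for `fgt-branch`, two of them against the `admin` account whose password predates the alert and whose hash was never rewritten after the upgrade.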

Our take

FortiBleed is a reminder that the hardest security problems are operational, not technical. There was no clever exploit here, no novel vulnerability, just weak hashing, exposed management interfaces, and missing MFA at scale, harvested by a patient adversary with a GPU cluster. The absence of a patch is precisely what makes it so dangerous, because it cannot be solved by the one reflex most organizations have practiced. The fix is unglamorous and slow: rotate everything, assume the worst about lateral movement, and get the management plane off the public internet for good. Tens of thousands of organizations now have to do that work under the assumption that the attackers have already been inside. The ones that treat this as a patch-it-later advisory are the ones who will read about themselves next.

Reporting via BleepingComputer, analysis by GenZTech.