Cybersecurity | June 23, 2026

FortiBleed: 75,000 FortiGate Firewalls Compromised Worldwide — CISA Demands Immediate Action

A large-scale credential-harvesting campaign dubbed FortiBleed has silently compromised tens of thousands of FortiGate firewalls globally. CISA issued an emergency advisory urging all Fortinet customers to rotate credentials immediately.


An estimated 30,000 to 75,000 FortiGate firewalls are actively compromised. The credentials harvested from those devices are not theoretical: they have been cracked, validated against live systems, and are in attackers' hands right now.

The campaign, dubbed FortiBleed, has been active across 194 countries. Researchers estimate roughly 50% of all internet-reachable FortiGate devices are affected — a staggering blast radius for a campaign that doesn’t rely on a flashy zero-day.

How It Works

FortiBleed doesn’t exploit a novel RCE. It exploits neglect.

Attackers systematically extract configuration files from internet-exposed FortiGate firewalls and crack the stored credential hashes offline. The weakness is architectural: FortiGate historically stored passwords as SHA-256 hashes. SHA-256 is a general-purpose hash designed to be fast, not a password-hashing function with a tunable work factor, so an attacker holding the config can test enormous numbers of guesses per second on commodity GPUs and weak or reused passwords fall quickly. Even after Fortinet upgraded password storage to PBKDF2, the legacy credential remains in an "old-password" field until the administrator actually logs in after the upgrade.

If your team patched FortiOS but didn't force every admin to log in again, those SHA-256 hashed credentials still exist in the config. FortiBleed finds them, cracks them offline, and then validates the recovered credentials against live devices with automated scanners running around the clock.
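To make the cost gap concrete, here is an added example (not code from the page, from Fortinet, or from the campaign) that runs the same offline dictionary attack against a password stored as a plain SHA-256 hash and against the same password stored with PBKDF2-HMAC-SHA256. The wordlist and the admin password are constructed for the example, and the iteration count is an assumed illustrative value, since the page does not state the FortiOS parameter.

```python
import hashlib
import os
import time
from typing import Optional

# Constructed sample input for this example: a tiny wordlist standing in for the
# multi-million-entry lists attackers actually run, and one admin password that
# happens to be in it. Nothing here is data from the FortiBleed campaign.
WORDLIST = ["Password1", "fortinet", "Summer2025!", "admin123", "Welcome1", "F0rt1Gate!"]
ADMIN_PASSWORD = "Welcome1"

# Assumed work factor for the PBKDF2 side; the page does not state FortiOS's
# actual iteration count, so this is an illustrative value, not Fortinet's.
PBKDF2_ITERATIONS = 100_000


def legacy_sha256(password: str) -> str:
    """Legacy-style storage: a single fast SHA-256 over the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_sha256(password: str, salt: bytes) -> str:
    """Upgraded storage: PBKDF2-HMAC-SHA256 with a per-credential salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def crack_legacy(target: str, wordlist) -> Optional[str]:
    """Offline dictionary attack against a stolen SHA-256 hash."""
    for guess in wordlist:
        if legacy_sha256(guess) == target:
            return guess
    return None


def crack_pbkdf2(target: str, salt: bytes, wordlist) -> Optional[str]:
    """Same attack against the PBKDF2 form: every guess pays the full iteration cost."""
    for guess in wordlist:
        if pbkdf2_sha256(guess, salt) == target:
            return guess
    return None


def guesses_per_second(fn, guesses: int) -> float:
    """Measure raw guess throughput of a hashing function on this machine."""
    start = time.perf_counter()
    for i in range(guesses):
        fn(WORDLIST[i % len(WORDLIST)])
    elapsed = max(time.perf_counter() - start, 1e-9)
    return guesses / elapsed


def compare_storage_schemes() -> dict:
    """Crack the same password under both schemes and report the per-guess cost gap."""
    salt = os.urandom(16)
    legacy_hash = legacy_sha256(ADMIN_PASSWORD)
    upgraded_hash = pbkdf2_sha256(ADMIN_PASSWORD, salt)

    sha_rate = guesses_per_second(legacy_sha256, 20_000)
    pbkdf2_rate = guesses_per_second(lambda p: pbkdf2_sha256(p, salt), len(WORDLIST))

    return {
        "legacy_recovered": crack_legacy(legacy_hash, WORDLIST),
        "pbkdf2_recovered": crack_pbkdf2(upgraded_hash, salt, WORDLIST),
        # How many times more guesses per second the legacy scheme allows.
        "legacy_speedup": sha_rate / pbkdf2_rate,
    }


if __name__ == "__main__":
    result = compare_storage_schemes()
    print(f"legacy SHA-256 hash recovered: {result['legacy_recovered']}")
    print(f"PBKDF2 hash recovered:         {result['pbkdf2_recovered']}")
    print(f"attacker's per-guess speedup on SHA-256 vs PBKDF2: ~{result['legacy_speedup']:.0f}x")
```

Both attacks recover the password here because the wordlist has six entries; the number to look at is the speedup, which on a single CPU core is typically tens of thousands of times, and on GPU rigs far larger. PBKDF2 does not make a weak password strong, it makes every guess expensive, which is exactly why a residual SHA-256 hash in the config undoes the upgrade.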

A related vulnerability, CVE-2026-25089 (an OS command injection flaw in FortiSandbox), has been flagged in the same threat intelligence bulletin — suggesting the campaign is part of a broader Fortinet-targeting operation.

Who Is Affected

Any organization running an internet-facing FortiGate firewall or SSL VPN gateway is in scope. That includes thousands of enterprises, government agencies, and critical infrastructure operators worldwide.

CISA’s advisory, published June 18, characterizes the situation as an active threat requiring immediate response — not a patch-and-wait situation.

What You Need to Do Right Now

CISA’s recommended actions, in order:

  1. Terminate all active SSL VPN and administrative sessions immediately.
  2. Rotate every administrator and VPN credential on internet-facing systems. Don't just reset passwords: revoke and reissue.
  3. Enforce PBKDF2 hashing by requiring all administrators to log in after the latest FortiOS upgrade. Only a successful login re-hashes the credential with PBKDF2; until then the legacy SHA-256 hash stays in the config.
  4. Remove residual SHA-256 hashes using the login-lockout-upon-weaker-encryption setting.
  5. Restrict management interface access to trusted internal networks only. If your FortiGate admin panel is reachable from the public internet, that exposure is what made the configuration extraction possible in the first place.
  6. Enable MFA on all administrative accounts.
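Steps 5 and 6 can be checked mechanically before anyone touches the device. The following is an added example (not the page's or Fortinet's code) of a small audit script that parses a FortiOS-style configuration export and flags WAN-facing interfaces with management services enabled, admin accounts with no trusted-host restriction, and admin accounts without two-factor authentication. The sample configuration is constructed for the example; it is written to resemble FortiOS syntax, but the option names it relies on (role, allowaccess, trusthost1, two-factor, accprofile) are assumptions to confirm against your own config before relying on the output.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample configuration for this example. It is written to resemble
# FortiOS "config system interface" / "config system admin" syntax, but the
# option names (role, allowaccess, trusthost1, two-factor, accprofile) are
# assumptions for illustration; confirm them against your own device's config.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

# Services that present a management login surface if reachable from the internet.
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}

Settings = Dict[str, List[str]]


def parse_config(text: str) -> Dict[str, Dict[str, Settings]]:
    """Parse config/edit/set/next/end blocks into sections -> objects -> settings."""
    sections: Dict[str, Dict[str, Settings]] = {}
    stack: List[str] = []            # open "config" sections, innermost last
    current: Optional[Settings] = None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # strips the quotes around names
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(" ".join(args))
            sections.setdefault(stack[-1], {})
        elif keyword == "edit" and stack and args:
            current = sections[stack[-1]].setdefault(args[0], {})
        elif keyword == "set" and current is not None and args:
            current[args[0]] = args[1:]
        elif keyword == "next":
            current = None
        elif keyword == "end" and stack:
            stack.pop()
    return sections


def audit(sections: Dict[str, Dict[str, Settings]]) -> List[str]:
    """Flag exposed management, unrestricted admin sources, and missing MFA."""
    findings: List[str] = []
    for name, iface in sections.get("system interface", {}).items():
        if iface.get("role", [""])[0] == "wan":
            exposed = sorted(set(iface.get("allowaccess", [])) & MGMT_SERVICES)
            if exposed:
                findings.append(
                    f"interface {name}: management services {','.join(exposed)} "
                    "enabled on a WAN-role interface"
                )
    for name, admin in sections.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(f"admin {name}: no trusthost restriction, logins accepted from any source")
        # Absent two-factor setting is treated as disabled (assumed default).
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: two-factor authentication disabled")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a config export and return the findings."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a config backup taken from each internet-facing unit; an empty result for the interface checks is the state step 5 asks for, and an empty result for the admin checks covers step 6. It does not inspect password hashes, because the page does not describe the on-disk hash format; step 3 and step 4 still have to be carried out on the device.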

The Broader Pattern

Fortinet devices have been a persistent target in 2026. FortiClient EMS (CVE-2026-35616) was exploited on June 1 for endpoint manager takeover. FortiSandbox (CVE-2026-39813) began seeing active exploitation on June 15. FortiBleed is the third major Fortinet incident this month alone.

The pattern suggests either a coordinated threat actor or an ecosystem of opportunistic attackers who have learned that Fortinet device operators tend to patch slowly and rotate credentials even more slowly.

If you run FortiGate, the question isn’t whether to act — it’s whether you’ve already been hit.
