FortiBleed Campaign Compromises 86,644 FortiGate Devices, CISA Issues Emergency Warning
CISA warns of FortiBleed, a campaign compromising 86,644 FortiGate devices via credential stuffing. Separately, a Klue breach cascades into Salesforce data theft, and a Texas vendor exposes 3 million records.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on June 19, 2026, urged Fortinet customers to secure internet-accessible FortiGate appliances against a sweeping campaign dubbed FortiBleed, attributed to Russian-speaking threat actors. The attack has compromised 86,644 devices across 194 countries as of that date, according to data from SOCRadar.
Generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together account for the majority of compromised credentials, SOCRadar reported. Organization-specific accounts make up the remaining 36.7%, indicating the attackers harvested credentials from prior breaches where passwords were never changed.
Attack method and affected sectors
The threat actors mass-scanned the internet for Fortinet remote login endpoints, then used a bespoke tool to spray identified endpoints with known login and password combinations. Once inside, they passively monitored network traffic to collect additional credentials, building a verified database of working logins. The top three impacted sectors are telecom, government, and education, with the most exposures in India, the U.S., Mexico, Colombia, and Thailand.
- Fortinet introduced PBKDF2-based password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1, but existing administrator passwords remain stored as SHA-256 hashes until the admin logs in post-upgrade.
- The U.K. National Cyber Security Centre described FortiBleed as a global campaign using brute-force, dictionary attack, and credential stuffing methods.
- CISA recommends terminating all active SSL VPN sessions, resetting all Fortinet VPN and administrative passwords, and enabling phishing-resistant MFA.
- The campaign was first discovered by security researcher Volodymyr "Bob" Diachenko, who found a server containing the database of working credentials.
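The first bullet above means an upgraded appliance can still hold legacy hashes for admins who have not logged in since the upgrade. The following is an added example, not Fortinet or CISA code, that audits a configuration backup for such accounts. It assumes the stored hash carries a three-character scheme prefix after `ENC` (`SH2` for SHA-256, `PB2` for PBKDF2); the function names and sample config are constructed for illustration.

```python
import re

# Assumption: 3-character scheme prefixes that follow "ENC" in a config backup.
# Confirm them against a backup from your own FortiOS build before relying on this.
SCHEMES = {"SH2": "SHA-256 (legacy)", "PB2": "PBKDF2"}

# Constructed sample backup; names and hash strings are placeholders, not real data.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2constructedPlaceholderAAAA
    next
    edit "netops"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC PB2constructedPlaceholderBBBB
    next
    edit "backup"
        set accprofile "prof_admin"
    next
end
"""

def audit_admin_hashes(config_text):
    """Map each 'config system admin' entry to the hashing scheme of its password."""
    results, depth, in_admin, name = {}, 0, False, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_admin = line == "config system admin"
        elif line == "end":
            depth -= 1
        elif in_admin and depth == 1:  # skip nested blocks such as dashboards
            entry = re.fullmatch(r'edit "?([^"]+)"?', line)
            if entry:
                name = entry.group(1)
                results[name] = "no password line"
            elif line == "next":
                name = None
            elif name and line.startswith("set password ENC "):
                results[name] = SCHEMES.get(line.split()[3][:3], "unknown")
    return results

def unmigrated_admins(config_text):
    """Admins not yet on PBKDF2: reset these or force a post-upgrade login."""
    return sorted(n for n, s in audit_admin_hashes(config_text).items() if s != "PBKDF2")
```

Accounts reported as anything other than PBKDF2 are the ones to prioritize when applying the password resets CISA recommends.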
Broader breach landscape
In a separate incident, cybersecurity vendor Huntress disclosed on June 18 that a breach originating at Klue, a market intelligence platform, cascaded into theft of customer data across several connected platforms, including Salesforce. Huntress described it as a "security domino effect" that began with one compromised integration credential. The attack timeline shows the attackers leveraged the initial access to move laterally into Salesforce environments, stealing customer data.
Meanwhile, Texas officials reported that a vendor breach exposed the personal data of approximately 3 million hunting and fishing license holders. The incident, disclosed on June 19, underscores the growing risk of third-party vendor vulnerabilities in government systems. The Texas Parks and Wildlife Department is investigating the breach, which affected residents who purchased licenses through the state's online portal.
Fortinet stated that the data involved in FortiBleed is likely a resharing of data from previous incidents and not related to any current advisory. However, CISA's emergency warning and the scale of compromised devices highlight persistent weaknesses in credential management across enterprise perimeter security appliances.
Fact check
- 86,644 FortiGate devices were compromised as of June 19, 2026. (verified)
- Generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) make up the majority of compromised credentials. (reported)
- Huntress disclosed a breach originating from Klue that led to Salesforce data theft. (reported)
- A Texas vendor breach exposed data of approximately 3 million hunting and fishing license holders. (reported)
Source reporting (4)
- The Hacker News · CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
- Help Net Security · Klue breach lead to Salesforce data theft, Huntress affected
- The Record by Recorded Future · Police raid malware network tied to Russia's Evil Corp hacker group
- The Register · Everything's bigger and better in Texas – even data breaches