News Article · Jun 22, 2026 at 10:37 AM
Fortinet Warns FortiBleed Campaign Exploits Weak Passwords, Not New Bugs
Security #Fortinet #FortiBleed #firewall #VPN #credential harvesting #NCSC #CVE-2026-24858 #CVE-2025-59718 #CVE-2025-59719

Fortinet says the FortiBleed credential-harvesting campaign does not exploit new vulnerabilities. The company has identified compromised systems and is notifying customers.

Fortinet has confirmed that a large-scale credential-harvesting campaign targeting its firewalls and VPNs, tracked as FortiBleed, does not exploit any new vulnerabilities. The company said threat actors reused credentials from previous incidents and used brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA).

As part of the campaign, attackers compiled a database of over 86,000 confirmed working credentials for Fortinet devices in 194 countries, according to SecurityWeek. The U.K. National Cyber Security Centre (NCSC) has also released guidance for affected customers.

FortiBleed leverages old flaws and AI automation

Fortinet said the earlier incidents that supplied the reused credentials involved exploitation of three authentication bypass flaws in the FortiCloud SSO login: CVE-2026-24858, patched in January, and CVE-2025-59718 and CVE-2025-59719, addressed in December. The company provided detailed guidance at the time of those advisories and continues to urge customers to confirm that the remediation steps have been completed.

In March, Fortinet warned that threat actors were using AI to automate target identification and password spraying in large-scale attacks against poorly protected edge devices. FortiBleed uses the same techniques, not a new Fortinet vulnerability. The company stated that this activity is not related to any recent incident or advisory.

  • Fortinet has identified the potentially compromised systems and started notifying impacted customers.
  • The company is working with law enforcement to investigate the attacks.
  • Customers with compromised FortiGate instances should terminate admin and VPN sessions, rotate credentials, and implement MFA on all administrator and VPN user accounts.
  • Fortinet recommends upgrading to software releases that support PBKDF2 hashing of administrator credentials.
  • Customers should review firewall and VPN user accounts and configurations for unauthorized changes, check logs for unexpected admin access, and restrict external management to trusted hosts.
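The log-review and trusted-host steps above, as an added example that is not the article's or Fortinet's own code: a small script that flags password spraying and admin logins from outside a management allowlist in FortiGate-style key=value event logs. The sample lines are constructed, the field names only approximate the FortiOS event log format, and the trusted management range is an assumption.

```python
# Added example (not from the article or Fortinet): flag password spraying and
# admin logins from outside a trusted management range in FortiGate-style
# key=value logs. Sample lines are constructed; field names approximate FortiOS.
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect(lines, trusted_mgmt, spray_threshold=3):
    """Return ('spray', src, [users]) when one source fails logins against
    spray_threshold or more distinct accounts, and ('untrusted_admin', src, user)
    for a successful admin login from outside the assumed management allowlist."""
    nets = [ip_network(n) for n in trusted_mgmt]
    failed_users = defaultdict(set)
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        src = ev.get("srcip") or ev.get("remip")  # admin vs. VPN source field
        if not src:
            continue
        if ev.get("status") == "failed" or ev.get("action") == "ssl-login-fail":
            failed_users[src].add(ev.get("user", "?"))
        elif ev.get("subtype") == "system" and ev.get("action") == "login" and ev.get("status") == "success":
            if not any(ip_address(src) in n for n in nets):
                findings.append(("untrusted_admin", src, ev.get("user")))
    for src, users in failed_users.items():
        if len(users) >= spray_threshold:
            findings.append(("spray", src, sorted(users)))
    return findings

# Constructed sample: 198.51.100.7 sprays three VPN accounts, one stray failure
# stays below threshold, admin logins come from a trusted and an untrusted host.
SAMPLE_LOGS = [
    'date=2026-06-20 time=10:37:01 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied"',
    'date=2026-06-20 time=10:37:02 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="bob" reason="sslvpn_login_permission_denied"',
    'date=2026-06-20 time=10:37:03 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="carol" reason="sslvpn_login_permission_denied"',
    'date=2026-06-20 time=10:38:10 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.44 user="alice" reason="sslvpn_login_permission_denied"',
    'date=2026-06-20 time=10:40:00 type="event" subtype="system" action="login" status="success" srcip=192.0.2.10 user="admin" ui="https(192.0.2.10)"',
    'date=2026-06-20 time=10:41:30 type="event" subtype="system" action="login" status="success" srcip=203.0.113.5 user="admin" ui="https(203.0.113.5)"',
]
TRUSTED_MGMT = ["192.0.2.0/24"]  # assumed management allowlist
if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS, TRUSTED_MGMT):
        print(finding)
```

Run against real exports, the same two checks cover the article's advice to look for unexpected admin access and to confirm that management is reachable only from trusted hosts.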

Broader implications for edge device security

The FortiBleed campaign underscores the persistent risk posed by weak credential hygiene and the reuse of passwords from previous breaches. The NCSC's involvement highlights the scale of the threat, which affects devices in nearly every country. Fortinet's response focuses on customer notification and remediation rather than patching new flaws, because the attack vector is old: stolen credentials and brute force.

Going forward, Fortinet customers should prioritize enabling MFA, using strong unique passwords, and applying all available patches for the three SSO bypass vulnerabilities. The company continues to monitor for related activity and will update guidance as the investigation progresses. Organizations that have not yet rotated credentials or reviewed logs should do so immediately.

Fact check

  • FortiBleed campaign compiled a database of over 86,000 confirmed working credentials for Fortinet devices in 194 countries.

  • The campaign does not exploit new vulnerabilities; it reuses credentials from previous incidents involving CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719.

  • Fortinet has identified compromised systems and started notifying impacted customers.

  • The NCSC has released guidance for Fortinet customers impacted by FortiBleed.
