What happened
A Russian-speaking initial access broker is assessed to be behind FortiBleed, a large-scale credential-harvesting operation targeting FortiGate firewalls worldwide.
The campaign has been active since February 2026 and targeted more than 430,000 FortiGate firewalls globally. The operation involved collecting credential lists, identifying exposed services, brute-forcing accessible systems, and deploying custom sniffers on compromised firewalls.
The central tool in the campaign is a Go-based utility called FortigateSniffer. It abuses FortiOS's built-in diagnostic packet sniffer (the diagnose sniffer packet CLI command) to passively capture authentication traffic traversing compromised appliances, so no separate capture driver has to be installed on the device. The tool can monitor traffic across 24 protocols, parse the authentication exchanges it sees, and extract credentials from them.
Once deployed, the sniffers capture both cleartext credentials and credential hashes from traffic passing through the compromised device. The attackers then crack the hashes, validate the results, and reuse the working credentials against Active Directory domains and other exposed services.
The campaign appears to focus heavily on small and medium-sized businesses with fewer than 200 employees. The IT services sector was a key target, likely because compromising service providers can create downstream access paths into customer environments.
FortiBleed also appears to be part of a broader multi-vendor initial access operation. The attackers did not only target Fortinet devices. They also targeted Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and Microsoft SQL Server systems through automated brute-forcing.
Researchers at SOCRadar estimated that the attackers launched at least 659 credential-harvesting pipelines on May 31 and June 15, 2026. Those pipelines identified more than 110 million credentials, including RADIUS credentials, NTLM hashes, Kerberos hashes, and MySQL authentication tokens.
The operation followed a five-stage process: identifying internet-facing FortiGate devices, compromising them through credential stuffing and dictionary attacks, deploying FortigateSniffer over SSH to the compromised appliance, cracking the captured hashes, and using the resulting credentials for lateral movement, Active Directory enumeration, data exfiltration, and persistent access.
Who is affected
Organizations using FortiGate firewalls are directly affected, especially those with internet-facing appliances, exposed administrative panels, SSL-VPN portals, weak or reused credentials, and insufficient monitoring of firewall-level activity.
Small and medium-sized businesses appear to be a major target group. IT services providers are especially relevant because one compromised provider can create access opportunities into multiple customer environments.
Organizations using other internet-facing systems may also be affected because the campaign was part of a broader operation targeting Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and Microsoft SQL Server systems.
The exposed credentials could affect downstream systems beyond the firewall itself, including Active Directory domains, exposed services, network shares, and services protected by reused credentials.
Why CISOs should care
FortiBleed shows how perimeter devices can become credential-harvesting platforms. Once attackers compromise a firewall, they can use its built-in diagnostic capabilities to capture authentication traffic moving through the device instead of relying only on stolen password lists. Because the firewall sits in the path between remote users, VPN clients, and internal servers, any authentication exchange that is not encrypted end to end at the application layer is readable at that point.
For CISOs, the biggest concern is credential reuse and downstream access. The attackers captured and cracked credentials, then reused them against Active Directory and other exposed services. That means a firewall compromise can become an enterprise-wide identity compromise.
The targeting of IT services providers also matters. If attackers prioritize service providers, the impact can extend beyond one company’s network into customer environments. This makes vendor security, managed service provider access, and shared administrative credentials critical exposure points.
The operation also reinforces the risk of treating firewall compromise as a single-device incident. If sniffers captured credentials, security teams need to assume that accounts, hashes, session cookies, and downstream systems may also be compromised.
3 practical actions
- Rotate FortiGate, VPN, and downstream credentials after suspected exposure: FortiBleed captured cleartext and hashed credentials from traffic passing through compromised devices. CISOs should rotate firewall administrator passwords, VPN credentials, Active Directory accounts, service accounts, and any credentials reused across exposed services. Rotation only helps once the attacker has been evicted from the appliance (an affected firewall should be rebuilt from known-good firmware and configuration); new credentials passing through a device that is still sniffing are captured just like the old ones.
- Harden internet-facing firewall and VPN access: The campaign relied on exposed FortiGate systems, credential stuffing, dictionary attacks, and SSH access. Security teams should restrict management interfaces to trusted source addresses, remove administrative access (HTTPS and SSH) from WAN-facing interfaces, disable remote access that is not needed, enforce multifactor authentication for administrators and VPN users, and monitor failed login patterns across firewall and VPN services.
- Hunt for packet sniffing, credential reuse, and lateral movement: The attackers deployed sniffers, cracked hashes, reused credentials, and performed Active Directory enumeration. Organizations should review firewall activity, SSH access, diagnostic command usage, authentication logs, unusual domain logins, network share access, and signs of persistent authenticated access. Firewall logs should be forwarded to an off-box collector, since an attacker with administrator access to the appliance can also clear its local logs.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

