Your firewall is supposed to keep attackers out. Yet a sweeping new campaign turns that assumption on its head. The FortiBleed campaign has handed criminals working logins for tens of thousands of Fortinet devices. According to threat intelligence firm SOCRadar, the haul covers 30,791 firewalls and VPN gateways across 194 countries. Worse still, the operation is active right now.
Inside the FortiBleed Campaign
SOCRadar uncovered the operation after spotting an exposed attacker server. That server held far more than stolen passwords. It contained the tools, the automation, and a verified victim database. In the firm’s words, “These are not random guesses.” Instead, they are “verified, working usernames and passwords,” tested around the clock.
The scale is staggering. SOCRadar counted 21,108 unique IP addresses and 8,316 unique domains. Banks, hospitals, telecoms, universities, and government agencies all appear in the list. Telecom alone accounts for 5,616 entries. Governments add 591 entries across 111 domains. Moreover, enterprises above $1 billion in revenue make up over 20% of all records.
A Machine That Feeds Itself
What makes this Fortinet credential leak so dangerous is its automation. The attackers scan the internet for Fortinet devices. Then they test a curated password list against each one. Every successful login gets recorded. Next, the compromised device becomes a silent listening post.
From there, it harvests fresh credentials from passing traffic. Those new passwords flow back into the scanner. Consequently, each breach fuels the next one. “The system feeds itself,” SOCRadar warns.
Old Passwords, New Victims
Crucially, the password list is not random. It draws on credentials leaked in earlier Fortinet incidents. Therefore, organizations that never rotated old passwords remain easy prey. Generic admin and built-in system accounts dominate the dataset. That pattern reveals a widespread failure to rename factory credentials. As a result, attackers often skipped brute force entirely.
A Truly Global Footprint
The FortiBleed campaign respects no borders. India and the United States together account for nearly a third of all entries. The attack also reached Asia, Latin America, Europe, the Middle East, and Africa. Port 443 saw the most hits, since it serves Fortinet SSL VPN by default. Yet the scanner also swept non-standard ports like 4443, 8443, and 10443.
Not a Vulnerability, But Still Critical
Despite the dramatic name, FortiBleed is not a software flaw. SOCRadar found no evidence of an exploited Fortinet vulnerability. Fortinet agrees, describing the data as a reshare of past incidents plus credential brute-forcing. In short, this is a credential reuse problem rather than a zero-day.
Still, the danger is real. Initial access brokers may now resell these logins to ransomware crews. SOCRadar rates the campaign Critical and urges immediate action. The firm even tells affected users to “treat your network perimeter as already compromised.”
Who Is Behind It?
Attribution remains ongoing. However, the tooling and victim selection point to Russian-speaking threat actors. Targeting also leans heavily toward NATO member states. Recovered files even included credentials for a likely defense-industry VPN endpoint. So a geopolitical motive may sit alongside plain financial gain. Independent researchers have separately confirmed the leaked data is genuine.
What You Should Do Now
The advice is simple but urgent. First, change every password on every Fortinet device today. Next, enable two-factor authentication on all admin and VPN accounts. Then review login history for unfamiliar access. Above all, keep management interfaces off the public internet.
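The "review login history" step above can be partly automated. The following is an added example, not SOCRadar's or Fortinet's code: it triages admin-login event lines in FortiGate's key=value log style and flags two things the article calls out, logins to generic built-in accounts and logins from outside the networks where administration is expected. The sample log lines, the trusted-network ranges and the account list are constructed assumptions; adjust them to your estate.

```python
import ipaddress
import re

# Generic and built-in account names the article says dominate the dataset,
# plus a few common defaults (assumption: extend for your own environment).
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "fortinet", "guest"}

# Assumption: networks from which administrative logins are legitimately expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.1.0/24")]

# key=value tokens; quoted values may contain spaces and parentheses.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage_login(line):
    """Return the reasons a successful login line deserves review ([] if none)."""
    f = parse_kv(line)
    if f.get("action") != "login" or f.get("status") != "success":
        return []  # failed attempts are noise here; only successes matter
    reasons = []
    user = f.get("user", "").lower()
    if user in GENERIC_ACCOUNTS:
        reasons.append(f"generic account '{user}' still in use")
    try:
        ip = ipaddress.ip_address(f.get("srcip"))
        if not any(ip in net for net in TRUSTED_ADMIN_NETS):
            reasons.append(f"login from untrusted source {ip}")
    except ValueError:
        reasons.append("missing or unparsable srcip")
    return reasons


def triage_log(lines):
    """Run triage over many lines; returns (user, reason) pairs for review."""
    return [(parse_kv(l).get("user"), r) for l in lines for r in triage_login(l)]


# Constructed sample lines in FortiGate's key=value style (not real telemetry).
SAMPLE_LOG = [
    'date=2024-01-10 time=08:01:12 type="event" subtype="system" logdesc="Admin login successful" user="jsmith" ui="https(10.0.5.7)" srcip=10.0.5.7 action="login" status="success"',
    'date=2024-01-10 time=08:03:40 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="success"',
    'date=2024-01-10 time=08:04:02 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed"',
]

if __name__ == "__main__":
    for user, reason in triage_log(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Feed it the device's exported event log instead of SAMPLE_LOG; any hit on a generic account is also a reminder that the password rotation above has not yet reached that account.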
SOCRadar has also published a free exposure checker, so defenders can quickly see whether their IPs or domains appear in the dataset. Even organizations not yet listed should rotate credentials and assume scanning continues.