A coordinated credential harvesting campaign has compromised 86,644 FortiGate firewalls across 194 countries, demonstrating that the perimeter firewall fleet faces a systematic, credential-based attack model that extends far beyond any single vulnerability disclosure.
On June 18, 2026, CISA issued an alert urging immediate hardening of Fortinet devices following reports of widespread credential exposure across the FortiGate fleet. The campaign, tracked as “FortiBleed” by security researchers, represents one of the largest coordinated attacks against enterprise perimeter infrastructure ever documented.
The scale alone demands attention: 86,644 devices across 194 countries. But the methodology is what security leaders should study. FortiBleed is not a traditional exploit chain. It is a credential logistics operation that combines infostealer logs, historical breach dumps, and automated validation into a systematic harvesting pipeline.
How FortiBleed Operates
The campaign’s attack model follows a multi-stage process that leverages existing credential exposure rather than discovering new vulnerabilities:
Stage 1: Credential aggregation. Attackers compiled credentials from infostealer malware logs and earlier breach dumps, building a database of potentially valid FortiGate administrative credentials. The volume suggests access to commercial infostealer-as-a-service platforms where credential logs are traded at scale.
Stage 2: Automated validation. Compiled credentials were tested against internet-facing FortiGate management interfaces using automated tooling. The testing infrastructure was distributed across multiple hosting providers to avoid rate-limiting and IP-based blocking.
Stage 3: Passive harvesting. Once valid credentials granted access, attackers established persistent monitoring positions that passively harvested VPN traffic traversing compromised devices. This stage, not the initial access, is the campaign's actual intelligence-collection objective.
The CVE-2026-24858 Connection
The campaign connects to CVE-2026-24858, a FortiCloud SSO authentication bypass vulnerability with a CVSS score of 9.8, disclosed in January 2026. This critical flaw allowed unauthorized access to FortiCloud-connected devices without valid credentials. While Fortinet patched the vulnerability, the exposure window created a secondary credential harvesting opportunity: attackers who exploited CVE-2026-24858 before patching could extract stored credentials from compromised devices, feeding those credentials back into the FortiBleed validation pipeline.
A contributing factor identified in the campaign: legacy SHA-256 password hashing on older FortiOS builds. Modern password hashing standards (PBKDF2, bcrypt, Argon2) incorporate a tunable computational cost function, so every guess against a stored hash is deliberately slow and expensive. A single SHA-256 digest has no such work factor and can be computed in microseconds, which lets attackers validate a harvested hash database against candidate passwords offline at very high speed.
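To make the cost-function point concrete, the following is an added illustration, not code from the article or from Fortinet. It stores the same constructed password two ways, as one salted SHA-256 digest and as PBKDF2-HMAC-SHA256 with an iteration count in the range OWASP recommends, then measures how long an offline dictionary check takes against each. The salt, candidate list, and iteration count are all assumed sample values; the example does not model the actual FortiOS hashing scheme.

```python
import hashlib
import time
from typing import Callable, Iterable, Optional, Tuple

# Constructed inputs for the demonstration (not from any real device or dump).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed 16-byte salt
CANDIDATES = ["Password1", "fortinet", "admin123", "Summer2025!", "letmein"]
PBKDF2_ITERATIONS = 600_000  # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


def sha256_store(password: str, salt: bytes = SALT) -> bytes:
    """Legacy-style storage: one SHA-256 over salt||password, no work factor."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_store(password: str, salt: bytes = SALT,
                 iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Modern storage: PBKDF2 stretches the same input through many HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def dictionary_check(stored: bytes, hasher: Callable[[str], bytes],
                     candidates: Iterable[str]) -> Optional[str]:
    """Offline verification loop: the step a cost function is designed to slow down.
    Returns the matching candidate or None."""
    for candidate in candidates:
        if hasher(candidate) == stored:
            return candidate
    return None


def timed_check(hasher: Callable[[str], bytes], target: str,
                candidates=CANDIDATES) -> Tuple[Optional[str], float]:
    """Hash `target`, then time how long the dictionary check takes to recover it."""
    stored = hasher(target)
    start = time.perf_counter()
    found = dictionary_check(stored, hasher, candidates)
    return found, time.perf_counter() - start


def slowdown_factor(target: str = "Summer2025!") -> float:
    """How many times slower the same dictionary check is under PBKDF2 than SHA-256."""
    _, fast = timed_check(sha256_store, target)
    _, slow = timed_check(pbkdf2_store, target)
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    for name, hasher in (("sha256", sha256_store), ("pbkdf2", pbkdf2_store)):
        found, elapsed = timed_check(hasher, "Summer2025!")
        print(f"{name:7s} recovered={found!r} in {elapsed:.4f}s for {len(CANDIDATES)} guesses")
    print(f"pbkdf2 is ~{slowdown_factor():.0f}x slower per guess")
```

The absolute numbers depend on the machine, but the ratio is what matters: with 600,000 iterations each guess costs on the order of a hundred thousand SHA-256 computations, which turns a dump that could be checked in seconds under the legacy scheme into one that takes days or years.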
Why Scale Changes the Threat Category
Individual firewall compromises are routine security events. A coordinated campaign affecting 86,644 devices across 194 countries is a different category of threat. At this scale, the FortiBleed operators have constructed what amounts to a distributed surveillance infrastructure spanning the global enterprise perimeter.
The geographic distribution (194 countries) indicates that this is not a targeted campaign against specific sectors or nations. It is an opportunistic, infrastructure-scale operation. Every organization running internet-facing FortiGate devices with credential reuse exposure is within the target set.
For defenders, the uncomfortable implication is that perimeter security infrastructure itself has become the attack surface. The devices organizations deploy to protect their networks are, at scale, the entry points that adversaries are systematically exploiting.
What This Means for the Security Leader
FortiBleed demonstrates that credential-based attacks against perimeter infrastructure now operate at industrial scale. The attack model is not novel, but its systematic application across nearly 90,000 devices reveals an adversary capability that treats the global firewall fleet as a single, addressable target.
The strategic concern: patching CVE-2026-24858 addresses one entry point but does not address the underlying credential exposure that FortiBleed exploits. Organizations may have patched the SSO bypass while leaving valid administrative credentials in circulation across infostealer marketplaces.
Immediate Defender Actions
- Rotate all FortiGate administrative credentials immediately, regardless of whether your devices show signs of compromise. Assume that credentials have been harvested if your organization has experienced any infostealer infections in the past 24 months.
- Enforce PBKDF2 password hashing. Audit FortiOS builds for legacy SHA-256 hashing and upgrade to configurations that enforce modern key derivation functions.
- Patch CVE-2026-24858 if not already applied. The January 2026 disclosure has a CVSS 9.8 score and a known exploitation path into the FortiBleed pipeline.
- Audit for unauthorized access patterns. Review administrative login logs for authentication from unexpected geographic locations or hosting provider IP ranges.
- Restrict management interface exposure. FortiGate administrative interfaces should not be accessible from the public internet. Implement jump-box or VPN-only access to management planes.
- Monitor for passive VPN traffic interception. If credentials were compromised, attackers may have established monitoring positions. Audit VPN session logs for anomalous concurrent sessions or sessions from infrastructure hosting providers.
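The two audit items above (unexpected administrative logins and anomalous concurrent VPN sessions) can be turned into a small triage script. The following is an added example written for this article, not a Fortinet tool and not code from the alert. It runs over a handful of constructed key=value log lines; the field names (srcip, remip, tunnelid, action) and record layout are assumed for illustration and are not verified against any FortiOS version, so map them to your own export before use. Since geolocation and hosting-provider data are not available offline, "unexpected" is modelled as any source outside an assumed jump-host allowlist.

```python
import ipaddress
import shlex
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed admin-login records in a generic key=value syslog style (illustrative only).
ADMIN_LOG = """\
date=2026-06-17 time=09:02:11 type=event subtype=system action=login status=success user=admin srcip=10.20.0.5
date=2026-06-17 time=23:41:52 type=event subtype=system action=login status=success user=admin srcip=203.0.113.77
date=2026-06-18 time=01:15:03 type=event subtype=system action=login status=failed user=fwadmin srcip=198.51.100.9
date=2026-06-18 time=08:30:00 type=event subtype=system action=login status=success user=fwadmin srcip=10.20.0.7
"""

# Constructed VPN tunnel records: jsmith brings up a second tunnel from a different
# address while the first is still active; alee has a single normal session.
VPN_LOG = """\
date=2026-06-18 time=08:00:00 type=event subtype=vpn action=tunnel-up user=jsmith remip=192.0.2.10 tunnelid=1
date=2026-06-18 time=08:05:00 type=event subtype=vpn action=tunnel-up user=jsmith remip=203.0.113.200 tunnelid=2
date=2026-06-18 time=08:20:00 type=event subtype=vpn action=tunnel-down user=jsmith remip=192.0.2.10 tunnelid=1
date=2026-06-18 time=09:00:00 type=event subtype=vpn action=tunnel-down user=jsmith remip=203.0.113.200 tunnelid=2
date=2026-06-18 time=09:10:00 type=event subtype=vpn action=tunnel-up user=alee remip=192.0.2.55 tunnelid=3
"""

# Assumed allowlist: management logins are expected only from this jump-host subnet.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (quoted values handled by shlex)."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def untrusted_admin_logins(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Successful administrative logins whose source is outside the allowlist.
    Failed attempts are excluded here; they belong in a separate brute-force check."""
    hits = []
    for rec in records:
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue
        src = ipaddress.ip_address(rec["srcip"])
        if not any(src in net for net in TRUSTED_MGMT_NETS):
            hits.append((rec["user"], rec["srcip"], f"{rec['date']} {rec['time']}"))
    return hits


def concurrent_vpn_sessions(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Users who hold two tunnels at the same time from different remote addresses.
    Tracks active tunnels per user in time order; a tunnel-up while another tunnel
    from a different remip is still open raises one alert."""
    active: Dict[str, Dict[str, str]] = defaultdict(dict)  # user -> {tunnelid: remip}
    alerts = []
    for rec in sorted(records, key=lambda r: (r["date"], r["time"])):
        user, tid = rec["user"], rec["tunnelid"]
        if rec["action"] == "tunnel-up":
            other_ips = {ip for t, ip in active[user].items() if t != tid}
            if other_ips and rec["remip"] not in other_ips:
                alerts.append((user, sorted(other_ips | {rec["remip"]})))
            active[user][tid] = rec["remip"]
        elif rec["action"] == "tunnel-down":
            active[user].pop(tid, None)
    return alerts


if __name__ == "__main__":
    for user, ip, when in untrusted_admin_logins(parse_log(ADMIN_LOG)):
        print(f"ADMIN LOGIN OUTSIDE ALLOWLIST: {user} from {ip} at {when}")
    for user, ips in concurrent_vpn_sessions(parse_log(VPN_LOG)):
        print(f"CONCURRENT VPN SESSIONS: {user} from {', '.join(ips)}")
```

In the constructed data the script surfaces the late-night admin login from 203.0.113.77 and jsmith's overlapping tunnels, while the in-allowlist logins and alee's single session stay quiet. Against real exports, feed it the device's own successful-login and tunnel events and replace the allowlist with your actual management sources; the concurrent-session check is also a useful place to correlate against known hosting-provider ranges.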
Source: CISA Alert: Hardening Fortinet Devices After Reports of Credential Exposure (June 18, 2026)