Threat Bulletin

FortiBleed: Working Credentials Exposed For ~75,000 Fortinet Firewalls — Rotate Now

ALERT ESSENTIALS

Researchers have disclosed FortiBleed, a validated trove of working credentials covering 80,000+ internet-facing Fortinet FortiGate and SSL-VPN devices. This is not a vulnerability: there is no CVE and no patch. The credentials are real, still working, and independently verified; they were assembled from infostealer logs, prior leaks, and cracked SSL-VPN hashes. If you run an internet-facing FortiGate or SSL-VPN, assume you are in scope and rotate every administrative and VPN credential now. Password strength does not help here: long, complex passwords appear in plaintext because they come from infostealer logs, not from cracking.

THREAT DESCRIPTION

On June 17, 2026, researcher Volodymyr “Bob” Diachenko discovered an exposed attacker server. Hudson Rock analyzed the data and named the campaign, and Kevin Beaumont independently confirmed that the sampled logins are live. The operation ran roughly 1.16 billion login attempts against 320,000+ FortiGate devices, plus a parallel 2.1 billion brute-force attempts against 163,000+ Microsoft SQL servers, recycling each recovered password to reach more devices. SOCRadar verified 30,791 working logins. A critical nuance explains why even recently patched devices appear: Fortinet moved to PBKDF2 password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1, but devices upgraded from older builds retain the weaker, crackable SHA-256 hashes until each administrator logs in once after the upgrade.

Fortinet states the data is a reshare of prior incidents and brute-forcing, with no new advisory, and SOCRadar found no exploited Fortinet flaw. Beaumont notes the affected IP addresses are largely new compared with the January 2025 Belsen leak, and the data includes config-only fields, pointing to recent configuration-level exfiltration via an unconfirmed path. Treat current exposure, not firmware version, as the measure of risk.

AFFECTED SCOPE

  • Internet-facing FortiGate firewalls and SSL-VPN gateways.
  • 80,000+ device URLs and 22,000+ domains in the dataset; ~75,000 exposed, 30,791 confirmed working.
  • Highest risk: internet-exposed management interfaces, local admin accounts, no MFA, reused credentials, FortiOS upgraded from pre-PBKDF2 builds, and end-of-support FortiOS (6.4 and earlier) that cannot rehash.

HEALTHCARE IMPACT

A FortiGate sits at the network edge, so administrative access gives an attacker trusted-insider control over firewall policy and routing into clinical networks, and hospitals are explicitly named as prized targets. If a compromised device fronts systems where electronic protected health information is reachable, the HIPAA breach-determination clock starts, and a confirmed breach can trigger the HHS OCR 60-day notification window plus applicable state attorney-general timelines. Legacy and biomedical devices behind the firewall often cannot be isolated quickly without affecting patient care, so containment must be sequenced rather than rushed.


RECOMMENDED ACTIONS

Immediate

  • Check exposure with the Hudson Rock (infostealers.com) and SOCRadar lookup tools.
  • Rotate all administrative, VPN, service, and break-glass credentials. Do not reuse old passwords, regardless of complexity.
  • After upgrading FortiOS, have every administrator log in once (or reset via a super_admin account) to force the stronger PBKDF2 rehash.
  • Enforce MFA on all SSL-VPN and administrative access. This is the single control that breaks credential replay.
  • Remove management interfaces from the public internet; restrict admin access to trusted internal networks.

Detection and hunt

  • Review 90 days of FortiGate admin and SSL-VPN logs for impossible travel, unfamiliar geographies, off-hours admin logins, and configuration-export events.
  • Audit for backdoor admin accounts, altered trusted-host entries, and unexpected configuration changes.
  • Rotate and monitor downstream identity (Microsoft 365, SSO, RDP, Active Directory) — harvested usernames feed credential stuffing.
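As an added example (not from the bulletin, Fortinet, or any vendor tool), the three hunt criteria above expressed as a small Python check over constructed FortiGate-style key=value event lines: the field layout, the IP-to-region lookup table, the business-hours range and the two-hour travel window are all assumptions to be replaced with your own.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate-style key=value event lines; illustrative only, not logs from the bulletin.
# Field names follow the usual FortiOS syslog layout (date, time, type, subtype, user, srcip/remip, action).
SAMPLE_LOGS = """\
date=2026-06-18 time=09:14:02 type="event" subtype="system" user="admin" srcip="10.20.5.7" action="login" status="success"
date=2026-06-18 time=03:12:44 type="event" subtype="system" user="admin" srcip="198.51.100.23" action="login" status="success"
date=2026-06-18 time=03:20:10 type="event" subtype="system" user="admin" srcip="198.51.100.23" action="backup" msg="Configuration backed up"
date=2026-06-18 time=03:45:31 type="event" subtype="vpn" user="jsmith" remip="203.0.113.9" action="ssl-login-success"
date=2026-06-18 time=04:05:12 type="event" subtype="vpn" user="jsmith" remip="192.0.2.77" action="ssl-login-success"
"""

# Constructed IP-to-region lookup standing in for a real GeoIP database (assumption).
GEO = {"10.20.5.7": "internal", "198.51.100.23": "region-A",
       "203.0.113.9": "region-B", "192.0.2.77": "region-C"}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local; anything else counts as off-hours (assumption)
TRAVEL_WINDOW = timedelta(hours=2)     # two regions inside this window is "impossible travel" (assumption)

def parse_line(line):
    """Turn one key=value line into a dict, adding a datetime under 'ts' and the client IP under 'ip'."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    fields["ip"] = fields.get("srcip") or fields.get("remip", "")
    return fields

def hunt(log_text):
    """Return (finding, user, timestamp) tuples for config exports, off-hours admin logins and impossible travel."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    findings, last_seen = [], {}       # last_seen: user -> (ts, region) of that user's previous login
    for e in events:
        stamp = e["ts"].strftime("%Y-%m-%d %H:%M:%S")
        is_login = e["action"] in ("login", "ssl-login-success") and e.get("status", "success") == "success"
        if e["action"] == "backup":    # any configuration backup/export is worth a look in this campaign
            findings.append(("config-export", e["user"], stamp))
        if e["subtype"] == "system" and is_login and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-admin-login", e["user"], stamp))
        if is_login:
            region = GEO.get(e["ip"], "unknown")
            prev = last_seen.get(e["user"])
            if prev and prev[1] != region and "internal" not in (prev[1], region) \
                    and e["ts"] - prev[0] <= TRAVEL_WINDOW:
                findings.append(("impossible-travel", e["user"], stamp))
            last_seen[e["user"]] = (e["ts"], region)
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(*finding)
```

On the constructed sample this flags the 03:12 admin login, the 03:20 configuration backup from the same source, and the two jsmith SSL-VPN logins from different regions twenty minutes apart.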

Admin / Executive

  • Treat this as a P1 credential-exposure event. Rotation alone does not evict an attacker already inside. Be sure to pair it with log review and hunting.
  • Retire end-of-support FortiOS (6.4 and earlier) that cannot rehash. Migrate or replace, do not just rotate.
  • If compromise is confirmed where ePHI is reachable, initiate a HIPAA breach risk analysis and engage counsel before external communication.

Sources



From Fortified Health Security

Fortified Health Security is committed to maturing your healthcare organization’s cybersecurity posture. We will monitor and update this bulletin as the situation progresses.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

Should you have any questions about this threat or any other issue you are facing, please reach out to us. We’re here to help you on your cybersecurity journey.

Email: connect@fortifiedhealthsecurity.com    Phone: 615-600-4002
