Published: 2026-06-25
Categories: Network Security, Threat Intelligence, Credential Security
FortiBleed: Anatomy of a 110-Million-Credential Harvesting Campaign
Key Takeaways
- Between February and June 2026, a financially motivated, Russian-speaking initial access broker (IAB) known as “SantaAd” targeted more than 430,000 internet-facing FortiGate devices and successfully harvested credentials from between 73,932 and 86,644 verified compromised systems (the two figures come from different research teams), capturing in excess of 110 million credentials across 194 countries [1][10].
- The attacker weaponized a legitimate FortiOS diagnostic command, diagnose sniffer packet, by deploying a custom Golang tool called FortigateSniffer on compromised devices, effectively turning each firewall into a passive credential-collection node on its own network [2][3].
- Three Fortinet authentication bypass vulnerabilities provided the initial footholds: CVE-2025-59718 and CVE-2025-59719 (both patched January 26, 2026) and CVE-2026-24858, a critical authentication bypass disclosed January 27, 2026 and patched in FortiOS 7.4.11. All three were exploited against devices left unpatched more than 30 days after patch availability [4][5].
- FortiBleed is not a standalone Fortinet incident. The same campaign infrastructure simultaneously targeted 336,583 Synology NAS devices, 247,584 Sophos firewall portals, and over 163,650 MSSQL servers using automated brute-force pipelines [6].
- CISA issued a formal advisory on June 18, 2026, urging immediate session termination, full credential rotation, mandatory phishing-resistant MFA, and removal of management interfaces from internet exposure [7].
- Verified credentials belonging to Samsung, Siemens, Foxconn, Oracle, government agencies, and at least one NATO-aligned defense contractor appeared in the exposed dataset, with at least one Turkish defense contractor confirmed to have had 105 GB of sensitive data exfiltrated [8][9].
Background
On June 15, 2026, researcher Volodymyr “Bob” Diachenko flagged an exposed directory on what appeared to be an attacker-controlled server [10]. What initially resembled a routine credential dump quickly revealed itself as the operational infrastructure for a months-long, highly automated credential harvesting campaign targeting some of the world’s most widely deployed enterprise security appliances. The SOCRadar Threat Research Unit (STRU), alerted by Diachenko’s discovery, subsequently mapped more than 260 operation servers and reconstructed the campaign’s full anatomy [10].
The operation, now publicly designated FortiBleed, had been active since at least February 28, 2026. FortiGate firewalls—deployed by hundreds of thousands of enterprises, government bodies, and critical infrastructure operators as primary perimeter security controls [1]—were the campaign’s central target. Three Fortinet authentication bypass vulnerabilities, all disclosed or actively exploited in January 2026, gave attackers the administrative footholds needed to pivot from external exploitation to persistent internal collection.
Fortinet’s Product Security Incident Response Team (PSIRT) was explicit in its public response: FortiBleed does not represent a new FortiOS vulnerability [11]. Rather, the campaign exploited previously known weaknesses and, in many cases, weak or reused administrative credentials. Once inside, attackers did not deploy destructive malware or behave conspicuously [3][11]. Instead, they turned the firewalls’ own built-in diagnostic capabilities against the organizations that owned them—a technique that security researchers characterize as living off the land, in which an attacker’s primary tools are the legitimate utilities already present in the target environment.
Security Analysis
Campaign Timeline and Attribution
The FortiBleed campaign unfolded across three identifiable phases. The first phase, spanning late February through April 2026, involved large-scale automated reconnaissance and initial compromise. Attackers used tools including Masscan and Shodan to identify internet-exposed FortiGate devices [2], then systematically tested those devices against curated lists of known default and previously leaked passwords. Devices vulnerable to CVE-2025-59718, CVE-2025-59719, or CVE-2026-24858—all involving abuse of Fortinet’s FortiCloud SSO mechanism—were accessible even without a prior password. CVE-2025-59718 and CVE-2025-59719 allowed unauthenticated remote attackers to bypass authentication via crafted SAML responses against FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager; both were patched January 26, 2026 [5]. CVE-2026-24858, disclosed January 27, 2026, introduced a further critical bypass allowing any attacker with a FortiCloud account to authenticate to devices registered to other accounts, affecting FortiAnalyzer, FortiManager, FortiOS, FortiProxy, and FortiWeb [4].
The second phase, running from roughly April through May 2026, involved deploying FortigateSniffer on compromised devices and allowing it to accumulate credentials passively over time. The third phase involved aggregating and monetizing the harvest: credentials from approximately 73,932 to 86,644 verified FortiGate systems were collected across 21,632 domains before the dataset was exposed [10][12].
Attribution points consistently to a financially motivated, Russian-speaking IAB. Cyrillic-alphabet comments appear within the FortigateSniffer tooling [3], and the sniffer was configured to operate exclusively between 07:00 and 18:00 Moscow Time—an operational security choice that analysts interpret as designed to blend credential-collection activity with legitimate business-hours network traffic, and consistent with an operator maintaining a conventional work cadence rather than running continuous automated processes [2][3]. The IAB, operating as “SantaAd,” subsequently auctioned access to approximately 7,000 Fortinet devices starting at $25,000, with prices climbing to $60,000 following public reporting about the campaign [9]. Recorded Future’s Insikt Group confirmed that at least two distinct threat actors attempted to sell data from the FortiBleed infrastructure, indicating the dataset was itself a tradable commodity [12].
FortigateSniffer: Technical Methodology
The technical centerpiece of the FortiBleed campaign is FortigateSniffer, a Golang-based tool that exploits a fundamental property of FortiOS: the diagnose sniffer packet command, a built-in network diagnostic utility used by network engineers for traffic troubleshooting, is accessible to any authenticated administrator and generates no anomalous alerts in default FortiOS configurations [2]. By invoking this legitimate command programmatically, the attacker’s tool captures raw authentication traffic without introducing foreign kernel modules or unusual processes that endpoint detection tools might flag.
FortigateSniffer simultaneously captures traffic across 24 protocols [3], including NTLM, Kerberos, and RADIUS. The tool routes the raw SSH terminal output through a component called the SNIFTRAN engine, which converts the stream into standard .pcapng packet capture format. The resulting files are then analyzed by a module described in recovered tooling as the PCAP Deep Analysis Toolkit version 5.0, which automatically extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS and AS-REP tickets, and session cookies [3].
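What the SNIFTRAN step has to do is not exotic: FortiOS prints sniffer output as one header line per packet followed by hex-dump rows, and any tool that reassembles those rows has a standard capture file. The following Python script is an added example written for this note, not code from the article or from FortigateSniffer. It assumes the verbosity-6 layout (relative timestamp, interface, in/out, summary, then 0xNNNN rows of 16 bytes), writes a minimal pcapng (Section Header, one Ethernet interface, one Enhanced Packet Block per frame), and shows why the firewall's vantage point matters by pulling an HTTP Basic credential out of a frame. The sample frames are constructed inline (checksums zeroed) and the CLI text is rendered from them to mimic the layout; absolute-timestamp output is not handled.

```python
"""Convert `diagnose sniffer packet ... 6` output to pcapng and inspect the frames.
Added example for this note; not code from the article or from FortigateSniffer.
Assumes the verbosity-6 layout with relative timestamps; absolute timestamps unhandled."""
import base64
import re
import struct

# "2.508765 port2 in 10.20.0.15.51512 -> 10.20.0.8.80: psh 1 ack 1"
HEADER_RE = re.compile(r"^(\d+\.\d+) (\S+) (in|out) (.*)$")
# "0x0010\t 0054 0000 4000 4006 ...\t.T..@.@." -> capture only the hex groups
HEXROW_RE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})", re.I)


def parse_sniffer_output(text):
    """Return [(timestamp_s, interface, direction, summary, frame_bytes), ...]."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = [float(m.group(1)), m.group(2), m.group(3), m.group(4), bytearray()]
            packets.append(cur)
        elif cur is not None and (m := HEXROW_RE.match(line)):
            cur[4] += bytes.fromhex(m.group(1).replace(" ", ""))
    return [(t, i, d, s, bytes(b)) for t, i, d, s, b in packets]


def _block(block_type, body):
    """pcapng block: type, total length, 32-bit-aligned body, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def to_pcapng(packets, snaplen=65535):
    """Section Header Block, one Ethernet IDB, then an Enhanced Packet Block per frame.
    With no if_tsresol option the EPB timestamp unit defaults to microseconds."""
    out = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += _block(0x00000001, struct.pack("<HHI", 1, 0, snaplen))  # linktype 1 = Ethernet
    for ts, _iface, _direction, _summary, frame in packets:
        usec = round(ts * 1_000_000)
        epb = struct.pack("<IIIII", 0, usec >> 32, usec & 0xFFFFFFFF, len(frame), len(frame))
        out += _block(0x00000006, epb + frame)
    return out


def http_basic_credentials(frame):
    """Return 'user:password' when an IPv4/TCP frame carries an HTTP Basic header."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # skip Ethernet + IPv4 header (IHL)
    data = tcp + (frame[tcp + 12] >> 4) * 4    # skip TCP header (data offset)
    m = re.search(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", frame[data:])
    return base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else None


# ---- constructed sample input (not a real capture) -------------------------
def build_http_frame(payload, src="10.20.0.15", dst="10.20.0.8"):
    """Ethernet/IPv4/TCP frame with zeroed checksums, used only as sample data."""
    eth = bytes.fromhex("000000000001000c29049ab20800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 51512, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def render_sniffer_output(entries):
    """Emulate the verbosity-6 CLI layout for the constructed frames."""
    lines = ["interfaces=[any]", "filters=[port 80]"]
    for ts, iface, direction, summary, frame in entries:
        lines.append(f"{ts:.6f} {iface} {direction} {summary}")
        for off in range(0, len(frame), 16):
            chunk = frame[off:off + 16]
            groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
            lines.append(f"0x{off:04x}\t {groups:<39}\t{text}")
    return "\n".join(lines)


SAMPLE_PAYLOAD = (b"GET / HTTP/1.1\r\nHost: intranet\r\n"
                  b"Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQh\r\n\r\n")  # admin:SuperSecret!
SAMPLE_TEXT = render_sniffer_output([
    (2.508765, "port2", "in", "10.20.0.15.51512 -> 10.20.0.8.80: psh 1 ack 1",
     build_http_frame(SAMPLE_PAYLOAD)),
    (2.508902, "port2", "out", "10.20.0.8.80 -> 10.20.0.15.51512: ack 82",
     build_http_frame(b"HTTP/1.1 200 OK\r\n\r\n", src="10.20.0.8", dst="10.20.0.15")),
])

if __name__ == "__main__":
    frames = parse_sniffer_output(SAMPLE_TEXT)
    with open("fgt-sniffer.pcapng", "wb") as fh:
        fh.write(to_pcapng(frames))
    for ts, iface, direction, summary, frame in frames:
        cred = http_basic_credentials(frame)
        print(f"{ts:.6f} {iface} {direction} {summary}", f"-> Basic auth {cred}" if cred else "")
```

The resulting file opens in Wireshark, which is the defensive use of the same conversion: a responder who finds sniffer output in an administrator's shell history or session logs can reconstruct exactly what the device was positioned to see. Anything that crosses the firewall unencrypted, or with an authentication scheme that can be replayed or cracked offline, is the exposure.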
The harvested credentials do not simply accumulate as static data. They are fed directly back into the campaign’s scanning and brute-force infrastructure, enabling a self-reinforcing loop in which each newly compromised device contributes credentials that may unlock adjacent systems on entirely different networks, and those systems yield credentials that extend reach further still. The scale this model achieved is visible in the campaign’s final phase metrics: between May 31 and June 15, 2026 alone, attackers launched 659 distinct credential-harvesting pipelines, aggregating the 110-million-credential total [1][10]. The time-window restriction—active only during Moscow business hours—was likely intended to reduce the risk that anomalous off-hours traffic patterns would trigger detection, and implies a deliberate operational discipline across the 260-server infrastructure.
The Multi-Vendor Dimension
Although FortiGate devices were the primary target, STRU’s analysis of exposed attacker servers confirmed that FortiBleed is a component of a wider multi-vendor access campaign that has been running continuously since February 28, 2026. The same infrastructure was brute-forcing 336,583 Synology NAS devices, 247,584 Sophos firewall portals, 163,650 MSSQL servers, Citrix SSL-VPN gateways, and Remote Desktop Web portals [6]. Sophos confirmed the credential brute-force activity against its platforms in a separate security advisory [13].
This breadth carries significant implications for organizational risk assessment. An enterprise that has remediated its FortiGate exposure may remain vulnerable if the same credentials were reused across co-located Sophos devices, cloud storage gateways, or database endpoints that were also targeted in the campaign. The multi-vendor scope underscores that FortiBleed is not a Fortinet-specific problem but a symptom of the systemic risks posed by large-scale automated credential attacks against the full breadth of internet-facing enterprise infrastructure. Milivoj Rajić, head of threat intelligence at DynaRisk, characterized FortiBleed as “the tip of the iceberg” of a broader, systemic edge-device targeting problem in which any internet-accessible administrative interface with credential-based authentication represents a harvesting opportunity, as reported in Bank Info Security [14].
Dark Web Monetization and Impact
The FortiBleed dataset was packaged as an IAB commercial offering, with each verified set of credentials representing a confirmed path into a specific organization’s internal environment. SantaAd’s auction behavior—initiating at $25,000 and raising to $60,000 following public reporting—indicates that public disclosure did not eliminate the market for this access; if anything, it may have accelerated buyer urgency among threat actors seeking to act before organizations rotated their credentials [9].
SpyCloud’s analysis of the exposed attacker infrastructure confirmed that a Turkish defense contractor suffered the exfiltration of over 12,000 files totaling 105 GB, including military maintenance manuals, radio crypto-information, firmware dumps, and field photographs of weapons systems serviced in Ukraine through mid-2026 [8]. A separate NATO-aligned defense contractor was confirmed compromised, with sensitive data exfiltrated following credential reuse [3]. The scope of named organizations present in the FortiBleed dataset—Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, and Infosys, among others—reflects the campaign’s broad opportunistic scanning, with monetization focused on enterprises whose credentials commanded the highest prices [9][10].
The combination of organizational breadth, the IAB’s willingness to sell access to multiple downstream buyers, and the lag time between compromise and detection means that some proportion of the credential sets taken from the verified devices have likely already been leveraged for follow-on intrusions not yet publicly attributed to the FortiBleed campaign.
OT/ICS and Critical Infrastructure Implications
FortiGate firewalls occupy a distinctive position in many operational technology and industrial control system environments. Fortinet markets the FortiGate line as a converged IT/OT security appliance, with product documentation and deployment profiles covering manufacturing, energy, and defense sectors [16]. Compromise of a FortiGate firewall protecting an OT network does not merely expose enterprise credentials; it may provide an attacker with network-layer visibility into industrial control protocols, SCADA traffic, and engineering workstation communications that flow across the segments the firewall bridges.
The confirmed Turkish defense contractor intrusion illustrates how FortiBleed-derived access can translate directly into operational and national security consequences: exfiltrated documentation included sensitive military technical data, not merely enterprise credentials. Global cybersecurity agencies have issued specific warnings about credential exposure in environments where Fortinet devices serve as the boundary between IT and operational technology networks, reflecting concern about the asymmetric downstream risk that OT-adjacent compromise can create [16]. Organizations operating Fortinet products in OT-adjacent roles should treat FortiBleed as a high-priority incident even in the absence of confirmed compromise, because the campaign’s automation means that absence from a published list of affected devices cannot be treated as evidence that a device was not targeted.
Recommendations
Immediate Actions
All active SSL VPN and administrative sessions on Fortinet devices should be terminated immediately. Every administrative and VPN credential set in use during the February–June 2026 window should be treated as potentially compromised and rotated, prioritizing accounts with internet-facing access. Phishing-resistant multifactor authentication should be enforced across all administrative access paths; CISA specifically recommends hardware-backed mechanisms such as FIDO2 passkeys rather than SMS-based or TOTP approaches, which are vulnerable to real-time adversary-in-the-middle phishing and should be treated as interim controls rather than permanent solutions [7].
Fortinet management interfaces should be removed from internet exposure without delay. CISA’s advisory is explicit: FortiGate management and SSL-VPN endpoints should be accessible only from trusted internal networks or dedicated jump hosts with strict access controls. Any device that cannot immediately be taken off public internet access should be placed behind a restricting network control until remediation is feasible. Organizations should also audit FortiOS credential storage and ensure that administrative passwords are stored using the PBKDF2 hashing algorithm per CISA guidance, rather than the weaker legacy hash formats supported by older FortiOS releases [7].
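As a concrete check on the exposure items above (management services reachable on WAN-facing interfaces, administrators with no trusted-host restriction), the following Python script is an added example for this note, not Fortinet or CISA code. It parses the `config / edit / set / next / end` syntax of a FortiOS `show` export and flags the weak settings, with a constructed weak configuration beside a corrected one. Assumptions: the interface `role` and `allowaccess` settings, admin `trusthostN` and `two-factor`, SSL VPN `source-address`, and the `cli-audit-log` global are used as they appear in FortiOS CLI syntax; the address object `vpn-allowed-sources` in the hardened fragment is a placeholder you would define yourself; FortiToken two-factor is a TOTP mechanism and counts only as the interim control the advisory describes; the PBKDF2 password-storage item is not checked here.

```python
"""Audit a FortiOS configuration export for the exposure items in the advisory.
Added example for this note, not Fortinet or CISA code. Parses the `config /
edit / set / next / end` syntax of a `show` export. Settings checked (assumed
CLI names): interface allowaccess/role, admin trusthostN/two-factor,
SSL VPN source-address, and the cli-audit-log global."""
import shlex

MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}


def parse_fortios_config(text):
    """Return {section: {object_name: {setting: [values]}}}; tableless sections use ''."""
    tree, stack = {}, []                 # stack entries: [section_path, current_object]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        op, _, rest = line.partition(" ")
        if op == "config":
            path = rest if not stack else f"{stack[-1][0]}.{stack[-1][1]}.{rest}"
            tree.setdefault(path, {}).setdefault("", {})
            stack.append([path, ""])
        elif op == "edit":
            stack[-1][1] = rest.strip('"')
            tree[stack[-1][0]].setdefault(stack[-1][1], {})
        elif op == "set":
            key, _, values = rest.partition(" ")
            tree[stack[-1][0]][stack[-1][1]][key] = shlex.split(values)
        elif op == "next":
            stack[-1][1] = ""
        elif op == "end":
            stack.pop()
    return tree


def audit(cfg):
    """Return [(finding, detail), ...] for settings the advisory asks to remove."""
    findings = []
    for name, s in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(s.get("allowaccess", []))
        if name and exposed and s.get("role", ["undefined"])[0] == "wan":
            findings.append(("wan-management-exposed", f"{name}: {' '.join(sorted(exposed))}"))
    for name, s in cfg.get("system admin", {}).items():
        if not name:
            continue
        if not any(k.startswith("trusthost") for k in s):   # no trusthost = any source
            findings.append(("admin-no-trusthost", name))
        if s.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("admin-no-mfa", name))
    ssl = cfg.get("vpn ssl settings", {}).get("", {})
    if ssl and ssl.get("source-address", ["all"]) == ["all"]:
        findings.append(("sslvpn-any-source", ssl.get("source-interface", ["?"])[0]))
    glob = cfg.get("system global", {}).get("", {})
    if glob.get("cli-audit-log", ["disable"])[0] != "enable":
        findings.append(("cli-audit-log-disabled", "CLI command audit logging is off"))
    return findings


# Constructed configurations: the exposed baseline and the corrected version.
WEAK_CONFIG = """\
config system global
    set admin-sport 443
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set port 443
end
"""

HARDENED_CONFIG = WEAK_CONFIG.replace(
    "    set admin-sport 443\n", "    set admin-sport 443\n    set cli-audit-log enable\n"
).replace(
    '        set allowaccess ping https ssh\n        set role wan', '        set allowaccess ping\n        set role wan'
).replace(
    '        set vdom "root"\n', '        set vdom "root"\n        set trusthost1 10.10.0.0 255.255.255.0\n'
    '        set two-factor fortitoken\n'   # TOTP: interim control only per the advisory
).replace('set source-address "all"', 'set source-address "vpn-allowed-sources"')

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios_config(cfg)) or "no findings")
```

Run it against a real `show full-configuration` export rather than the constructed strings; the parser tolerates nested `config` tables inside an `edit`, and the findings list is the work queue for the session termination and credential rotation steps above.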
Short-Term Mitigations
Firmware and software on all affected Fortinet products should be upgraded to the latest available versions. Remediated builds for CVE-2026-24858 include FortiAnalyzer 7.4.10, FortiManager 7.4.10, and FortiOS 7.4.11; organizations running FortiOS versions prior to 7.4.11 with FortiCloud SSO enabled remain at elevated risk [4]. Log review should focus on the following indicators within the June 1–June 21, 2026 window at minimum: configuration file export events destined for external IP addresses, administrator authentication from geographically anomalous locations, new administrator accounts created outside documented change-control workflows, modifications to logging configuration, and outbound connections to unrecognized external IP addresses [7].
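To make that log-review list operational, here is an added Python triage example (not from the article or CISA) over FortiOS event and traffic logs in their key=value syslog layout. The sample lines are constructed: the field names (`type`, `subtype`, `user`, `ui`, `srcip`, `action`, `cfgpath`, `cfgobj`, `cfgattr`, `msg`) follow the FortiOS layout, but the `logid` and `logdesc` values are illustrative and the rules do not key on them. The trusted administrative network, the firewall's own address and the allowlisted outbound destinations are assumptions to replace with your own; the sniffer rule assumes CLI audit logging records the executed command text in `msg`.

```python
"""Triage FortiOS event/traffic logs against the FortiBleed review indicators.
Added example for this note, not code from the article or CISA. The sample
records are constructed in the FortiOS key=value syslog layout; logid/logdesc
values are illustrative and the rules below do not depend on them."""
import ipaddress
import re

# Assumptions to replace with your own environment's values.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # where admins should come from
FIREWALL_IP = ipaddress.ip_address("192.0.2.1")               # the FortiGate's own address
KNOWN_DESTS = [ipaddress.ip_network("198.51.100.0/24")]       # update/log servers you expect

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")              # ui="https(203.0.113.45)"


def parse_fortios_log(line):
    """Split one key=value record; quoted values may contain spaces."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec


def source_ip(rec):
    """Admin source: explicit srcip, else the address embedded in the ui field."""
    if rec.get("srcip"):
        return rec["srcip"]
    m = UI_RE.search(rec.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in TRUSTED_ADMIN_NETS)


def review(log_text):
    """Return [(timestamp, indicator, detail), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        r = parse_fortios_log(line)
        if not r:
            continue
        ts, who, src = f"{r.get('date')} {r.get('time')}", r.get("user", "?"), source_ip(r)
        desc = f"{r.get('logdesc', '')} {r.get('msg', '')}"
        # 1. successful administrator login from outside the trusted networks
        if r.get("action") == "login" and r.get("status") == "success" and not is_trusted(src):
            findings.append((ts, "admin-login-untrusted-source", f"{who} from {src}"))
        # 2. administrator account created (compare against change-control records)
        if r.get("cfgpath") == "system.admin" and r.get("action") == "Add":
            findings.append((ts, "admin-account-created", f"{r.get('cfgobj')} by {who}"))
        # 3. any change under the logging configuration tree
        if r.get("cfgpath", "").startswith("log.") and r.get("action") in ("Add", "Edit", "Delete"):
            findings.append((ts, "logging-config-modified", f"{r['cfgpath']} {r.get('cfgattr', '')}"))
        # 4. configuration backup/export, worse when pulled from an untrusted source
        if r.get("type") == "event" and re.search(r"\b(backup|export)\b", desc, re.I):
            tag = "" if is_trusted(src) else " (untrusted source)"
            findings.append((ts, "config-export", f"{who} via {src}{tag}"))
        # 5. packet sniffer started on the device (needs CLI audit logging; assumption)
        if "diagnose sniffer packet" in r.get("msg", ""):
            findings.append((ts, "sniffer-started", f"{who}: {r['msg']}"))
        # 6. device-originated session to a destination not on the allowlist
        if r.get("type") == "traffic" and r.get("srcip") == str(FIREWALL_IP):
            dst = ipaddress.ip_address(r["dstip"])
            if not any(dst in n for n in KNOWN_DESTS):
                findings.append((ts, "outbound-unknown-dest",
                                 f"{dst}:{r.get('dstport')} sent {r.get('sentbyte')}B"))
    return findings


# Constructed sample records (not real device output).
SAMPLE_LOGS = """\
date=2026-06-10 time=09:14:22 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 dstip=192.0.2.1 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.45)"
date=2026-06-10 time=09:15:03 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" action="Add" cfgtid=12345 cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"
date=2026-06-10 time=09:16:40 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="svc_backup" ui="ssh(203.0.113.45)" action="Edit" cfgtid=12346 cfgpath="log.syslogd.setting" cfgobj="" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2026-06-10 time=09:17:12 devname="FGT-EDGE" logid="0100032999" type="event" subtype="system" level="notice" vd="root" logdesc="Configuration backup" user="svc_backup" ui="https(203.0.113.45)" msg="Configuration backup via https(203.0.113.45)"
date=2026-06-10 time=09:18:00 devname="FGT-EDGE" logid="0100032998" type="event" subtype="system" level="notice" vd="root" logdesc="CLI command" user="svc_backup" ui="ssh(203.0.113.45)" msg="diagnose sniffer packet any 'port 389 or port 88 or port 1812' 6 0 a"
date=2026-06-10 time=09:20:31 devname="FGT-EDGE" logid="0000000013" type="traffic" subtype="local" level="notice" vd="root" srcip=192.0.2.1 srcport=51512 srcintf="root" dstip=203.0.113.45 dstport=443 dstintf="wan1" proto=6 action="accept" service="HTTPS" sentbyte=3145728 rcvdbyte=1200
date=2026-06-10 time=11:02:09 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(10.10.0.25)" method="https" srcip=10.10.0.25 dstip=192.0.2.1 action="login" status="success" msg="Administrator netops logged in successfully from https(10.10.0.25)"
"""

if __name__ == "__main__":
    for ts, kind, detail in review(SAMPLE_LOGS):
        print(f"{ts}  {kind:<28} {detail}")
```

The six indicators line up with the advisory's list; note that the sequence in the sample (untrusted login, new account, logging disabled, export, sniffer, large outbound transfer to the same external address) is the shape of the campaign described above, and the same external address recurring across event and traffic logs is what ties the records together.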
Because FortigateSniffer’s design feeds harvested credentials back into the campaign’s scanning infrastructure, organizations should also audit systems adjacent to or reachable from their FortiGate environments—Active Directory, RADIUS servers, and all VPN-reachable endpoints—because credentials captured from passing VPN traffic may unlock those systems independently of whether the FortiGate itself remains compromised.
Strategic Considerations
FortiBleed reflects a broader adversarial pattern in which edge security appliances—the devices organizations deploy specifically to enforce perimeter controls—are being recruited as credential collection infrastructure. When a firewall becomes a surveillance node for its own network, the assumption that perimeter controls alone are sufficient to prevent credential exposure is fundamentally undermined. The multi-vendor targeting visible in this campaign reinforces that this pattern is not specific to Fortinet: any internet-accessible administrative interface that can be reached with a password is a potential harvesting endpoint.
Organizations should evaluate whether their network segmentation and east-west access controls would prevent an attacker holding valid VPN credentials from reaching sensitive internal systems. A credential-based initial access that yields unrestricted lateral movement suggests the trust boundary is the VPN authentication handshake itself, which is precisely the trust assumption Zero Trust architecture is designed to eliminate. A single credential inventory and rotation exercise should span all co-located internet-facing devices—Sophos firewalls, Citrix gateway appliances, Synology NAS, and RDWeb portals were all targeted in this campaign—rather than being limited to the primary vendor named in a given incident.
CSA Resource Alignment
FortiBleed’s core failure mode maps directly to several CSA frameworks. The foundational issue—credential-based implicit trust following perimeter authentication—is the architectural problem that CSA’s Zero Trust guidance addresses. CSA’s published guidance on Zero Trust covers how to eliminate the assumption of trust from VPN-authenticated users and replace it with continuous, context-aware verification that does not rely on the perimeter control remaining intact. The CSA CISO Perspectives series on Zero Trust deployment provides a practitioner-oriented roadmap for organizations at various stages of eliminating credential-based implicit trust.
The CSA AI Controls Matrix (AICM) is directly applicable for organizations that have deployed AI-assisted security operations. FortigateSniffer’s behavior—executing exclusively during business hours, leveraging a legitimate built-in diagnostic command, and producing no novel processes or network signatures in default FortiOS configurations—represents precisely the kind of low-anomaly, living-off-the-land activity that AI-powered behavioral analytics must be tuned to detect. The AICM’s guidance on logging completeness and behavioral baseline establishment directly supports the log-review recommendations in this note.
The CSA Cloud Controls Matrix (CCM) offers specific control domains directly applicable to the FortiBleed remediation priorities outlined above. The CCM’s Identity and Access Management domain addresses credential rotation, MFA enforcement, and privileged account governance. The Infrastructure and Virtualization Security domain covers the management interface exposure practices that CISA’s advisory targets. Organizations using the CSA STAR program for security posture assessment should verify that FortiBleed-related risks are surfaced in their STAR self-assessment or attestation scope, particularly for controls governing privileged access management and network boundary defense.
CSA’s work on identity and access gaps in autonomous AI environments points to an emerging secondary risk worth tracking. As enterprises expand AI agent deployments, future campaigns of this type may increasingly capture service account and non-human identity tokens alongside human user credentials—machine identities that agents use for tool access and system integration. This risk, while not yet confirmed as a material component of the FortiBleed dataset specifically, represents a logical extension of the campaign model as enterprise authentication surfaces grow to include non-human identities at scale.
References
[1] The Hacker News. “FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation.” The Hacker News, June 2026.
[2] BleepingComputer. “FortiBleed campaign used custom FortiGate sniffer to steal credentials.” BleepingComputer, June 2026.
[3] GBHackers. “FortiBleed Campaign Uses FortigateSniffer to Harvest 110 Million Credentials From Fortinet Firewalls.” GBHackers, June 2026.
[4] CISA. “Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858.” CISA, January 28, 2026.
[5] Rapid7. “Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wild.” Rapid7, December 2025 (updated January 27, 2026).
[6] SecurityWeek. “Russian Initial Access Broker Behind FortiBleed Campaign.” SecurityWeek, June 2026.
[7] CISA. “CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure.” CISA, June 18, 2026.
[8] SpyCloud. “More Than a Leak: What SpyCloud Found Inside the FortiBleed Threat Actor Infrastructure.” SpyCloud, June 2026.
[9] Security Affairs. “FortiBleed: The Broker Who Turned 73,000 Firewalls Into a Product Catalog.” Security Affairs, June 2026.
[10] SOCRadar. “FortiBleed: 86,644 Fortinet Firewalls Compromised — SOCRadar Research.” SOCRadar, June 2026.
[11] SecurityWeek. “Fortinet Responds to FortiBleed Campaign.” SecurityWeek, June 2026.
[12] Recorded Future. “FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems.” Recorded Future, June 2026.
[13] Sophos. “FortiBleed Credential Exposure and VPN Bruteforce Campaign.” Sophos Security Advisory, June 2026.
[14] Bank Info Security. “FortiBleed Is ‘Tip of the Iceberg’ of Edge Device Targeting.” Bank Info Security, June 2026.
[15] Arctic Wolf. “Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries.” Arctic Wolf, June 2026.
[16] Industrial Cyber. “Global cybersecurity agencies warn of credential exposure in FortiBleed campaign targeting Fortinet firewalls, VPN gateways.” Industrial Cyber, June 2026.