FortiBleed Unlocked: 86,644 FortiGate Firewalls Are Bleeding Credentials – Here’s How to Stop the Bleed Before Ransomware Strikes + Video


Introduction:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert following the discovery of FortiBleed, a large-scale credential theft campaign that has compromised over 86,644 internet-facing Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries. This is not a traditional vulnerability requiring a single patch—it is an industrialized access-broker operation where Russian-speaking threat actors have harvested, verified, and productized administrative credentials for roughly half of all internet-facing Fortinet devices globally. Organizations must act immediately to terminate sessions, reset credentials, enable phishing-resistant MFA, and lock down management interfaces before ransomware operators purchase this access and execute network-wide compromises.

Learning Objectives:

  • Understand the technical mechanics behind the FortiBleed credential harvesting campaign and why patching alone is insufficient
  • Execute immediate incident response actions including session termination, password rotation, and log review across FortiGate appliances
  • Implement long-term hardening measures including PBKDF2 hash migration, trusted host restrictions, and local-in policies to prevent future credential exposure

You Should Know:

  1. The FortiBleed Attack Chain – Why 86,644 Firewalls Were Compromised Despite Being “Patched”

FortiBleed is not a single exploit but a systematic, multi-stage operation that weaponized a convergence of legacy hashing, unpatched vulnerabilities, and credential reuse. The attack began with mass scanning of 59.3 million hosts to fingerprint approximately 437,000 FortiGate devices. Threat actors then deployed a custom tool with 25,000 simultaneous threads to spray credential combinations against identified remote login endpoints.

The technical epicenter of FortiBleed lies in FortiOS’s legacy SHA-256 password hashing scheme. While Fortinet introduced PBKDF2-based password hashing in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, the re-hashing is not retroactive—it only activates when an administrator logs in post-upgrade. Organizations that patched without forcing re-authentication left legacy SHA-256 hashes in configuration files, susceptible to offline brute-force attacks using modern GPU clusters.
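The lazy re-hashing described above is the crux of the problem, so here is an added illustration (not Fortinet code, not from the page) that models it with a toy in-memory admin store: legacy entries hold a single fast SHA-256 round, the "upgraded" verifier still accepts them, and only a successful post-upgrade login rewrites the entry to PBKDF2. The `SHA256`/`PB2` prefixes follow the page's naming; the salt and iteration count are illustrative assumptions, and the real FortiOS storage encoding is not reproduced.

```python
"""Lazy hash migration: an upgrade alone leaves legacy hashes in place.

Added example, not Fortinet code. Prefixes 'SHA256' and 'PB2' follow the
page; iteration count and storage format are assumptions for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative cost, not Fortinet's value


def legacy_hash(password: str, salt: bytes) -> str:
    # One fast SHA-256 round: cheap to brute-force offline on GPU hardware.
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"SHA256${salt.hex()}${digest}"


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    # Deliberately slow key derivation; each guess costs the attacker all iterations.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"PB2${iterations}${salt.hex()}${digest}"


def verify(stored: str, password: str) -> bool:
    """Accept both formats, so accounts keep working across the upgrade."""
    scheme, *parts = stored.split("$")
    if scheme == "SHA256":
        salt, digest = parts
        candidate = legacy_hash(password, bytes.fromhex(salt)).split("$")[2]
        return hmac.compare_digest(candidate, digest)
    if scheme == "PB2":
        iterations, salt, digest = parts
        candidate = pbkdf2_hash(password, bytes.fromhex(salt), int(iterations)).split("$")[3]
        return hmac.compare_digest(candidate, digest)
    raise ValueError(f"unknown hash scheme {scheme!r}")


class AdminStore:
    """Toy admin store; upgrade() changes the algorithm for new hashes only."""

    def __init__(self) -> None:
        self.entries: dict[str, str] = {}
        self.upgraded = False

    def add_legacy(self, name: str, password: str) -> None:
        self.entries[name] = legacy_hash(password, os.urandom(8))

    def upgrade(self) -> None:
        # Nothing is re-hashed here: the firmware has no plaintext to re-derive from.
        self.upgraded = True

    def login(self, name: str, password: str) -> bool:
        stored = self.entries.get(name)
        if stored is None or not verify(stored, password):
            return False
        if self.upgraded and stored.startswith("SHA256"):
            # Lazy migration: only a successful post-upgrade login rewrites the hash.
            self.entries[name] = pbkdf2_hash(password, os.urandom(16))
        return True

    def pending_migration(self) -> list[str]:
        """Accounts whose stored hash is still the legacy fast hash."""
        return sorted(n for n, h in self.entries.items() if h.startswith("SHA256"))


def demo() -> tuple[list[str], list[str]]:
    store = AdminStore()
    store.add_legacy("admin", "Winter2024!")        # constructed sample accounts
    store.add_legacy("backup-admin", "Backup#1")
    store.upgrade()
    before = store.pending_migration()               # both still legacy
    store.login("admin", "Winter2024!")              # only this account migrates
    after = store.pending_migration()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("legacy hashes right after upgrade:", before)
    print("legacy hashes after 'admin' logged in:", after)
```

The `pending_migration()` check is the audit an operator wants after patching: any account still listed has not authenticated since the upgrade and its hash is exactly what a leaked configuration backup would expose.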

The threat actors intercepted SSL VPN authentication hashes and cracked them using a 45-GPU cluster managed through Hashtopolis, recovering plaintext credentials. Once access was obtained, they passively monitored network traffic using the `diagnose sniffer` command via SSH, turning compromised firewalls into corporate listening posts. The attackers then exfiltrated configuration files containing internal network maps and legacy password hashes, enabling lateral movement into internal Active Directory environments.

According to SOCRadar’s analysis, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials, with organization-specific accounts accounting for 36.7%. This points to a widespread failure to rename default accounts or rotate factory credentials, giving attackers a highly reliable target list before any brute force was even needed. The campaign has impacted telecom, government, and education sectors most heavily, with the highest number of exposures located in India, the U.S., Mexico, Colombia, and Thailand.

  2. Immediate Response – Terminate Sessions and Kill Active Tunnels

The first and most critical step is terminating all active SSL VPN and administrative sessions to immediately cut off attacker persistence. Attackers who have already gained access may maintain active tunnels for lateral movement and data exfiltration.

Step-by-Step Guide:

FortiGate CLI – View Active SSL VPN Users:

get vpn ssl monitor

This command displays all active SSL VPN sessions, including usernames, source IPs, and tunnel indices.

FortiGate CLI – Terminate a Specific SSL VPN Tunnel:

execute vpn sslvpn del-tunnel <index>

Replace `<index>` with the tunnel index number from the monitor output.

FortiGate CLI – Terminate All SSL VPN Sessions (Disable SSL VPN):

config vpn ssl settings
set status disable
end

This disables SSL VPN capability entirely, terminating all active connections. For VDOM environments:

config vdom
edit <vdom_name>
config vpn ssl settings
set status disable
end
end

FortiGate CLI – Kill All Administrative Sessions:

execute session kill all

This terminates all administrative GUI and CLI sessions across the device.

Windows Event Log Review – Detect Lateral Movement:

Review Domain Controller security logs for suspicious authentication patterns:

# Logon success (4624), failure (4625) and special-privilege logon (4672) in the last 30 days
Get-WinEvent -LogName Security | Where-Object { $_.Id -in 4624,4625,4672 } |
Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-30) } |
Format-Table TimeCreated, Id, Message -AutoSize

Focus on logon type 3 (network) and 10 (remote interactive) from unexpected source IPs.

  3. Reset All Credentials and Enforce Strong Password Policies

CISA mandates resetting all Fortinet VPN and administrative passwords, especially on internet-facing systems. Organizations must assume that all current credentials are compromised and rotate them immediately.

Step-by-Step Guide:

FortiGate CLI – Reset Administrator Password:

config system admin
edit <admin_name>
set password <new_strong_password>
next
end

FortiGate CLI – Enforce Password Policy:

config system password-policy
set status enable
set min-length 12
set require-uppercase enable
set require-lowercase enable
set require-numeric enable
set require-special enable
set change-week 4
set expire-day 90
end

This enforces a minimum 12-character password with complexity requirements and 90-day expiration.

FortiGate CLI – Force All Administrators to Change Password on Next Login:

config system admin
edit <admin_name>
set force-password-change enable
next
end

Linux/Unix – Check for Compromised Credentials in Breach Databases:
Query the Have I Been Pwned Pwned Passwords range API to check whether a password appears in known breaches. The API uses k-anonymity: only the first five hex characters of the password's SHA-1 hash are sent, and the matching suffixes are compared locally:

curl -X GET "https://api.pwnedpasswords.com/range/{first5hash}" -H "hibp-api-key: YOUR_KEY"

Windows – Force Domain Password Reset for All Users:

# Flag every domain user to change their password at next logon
$users = Get-ADUser -Filter * -Properties PasswordLastSet
foreach ($user in $users) {
Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
}

  4. Enable Phishing-Resistant MFA on All Administrative and Remote Access Accounts

CISA explicitly requires phishing-resistant multifactor authentication on all remote access and administrative accounts. SMS-based or push-notification MFA is insufficient against sophisticated credential harvesting campaigns.

Step-by-Step Guide:

FortiGate CLI – Enforce MFA for Administrative Access:

config system admin
edit <admin_name>
set mfa-required enable
set mfa-type {fortitoken | fortitoken-cloud | email}
next
end

FortiGate CLI – Enforce MFA for SSL VPN Users:

config vpn ssl settings
set mfa-server {fortitoken | ldap | radius}
set mfa-required enable
end

FortiGate CLI – Configure FortiToken Cloud MFA:

config system fortitoken-cloud
set status enable
set sync-interval 60
end

FortiGate CLI – Require Two-Factor Authentication for All Remote Access Policies:

config firewall policy
edit <policy_id>
set two-factor enable
set two-factor-notification {email | sms}
next
end

Organizations should prioritize FIDO2/WebAuthn security keys or certificate-based authentication over OTP-based solutions where possible.

  5. Lock Down Management Interfaces and Reduce Attack Surface

CISA emphasizes that firewall administration must be inaccessible from the public internet. Restrict Fortinet management interfaces to trusted internal networks and remove unauthorized accounts.

Step-by-Step Guide:

FortiGate CLI – Restrict Administrator Login to Trusted Hosts:

config system admin
edit <admin_name>
set trusted-hosts <trusted_IP/mask>
next
end

Example: `set trusted-hosts 192.168.1.0/24 10.0.0.0/8`.

FortiGate CLI – Configure Local-In Policies for Granular Management Access Control:

config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "trusted_management_subnet"
set dstaddr "fortigate_wan_ip"
set action accept
set service "HTTPS" "SSH" "SNMP"
set schedule "always"
next
edit 2
set intf "wan1"
set srcaddr "all"
set dstaddr "fortigate_wan_ip"
set action deny
set service "HTTPS" "SSH" "SNMP" "HTTP"
set schedule "always"
next
end

Local-in policies are processed before trusted host configurations, providing defense-in-depth.

FortiGate CLI – Disable Unused Administrative Services:

config system interface
edit "wan1"
set allowaccess ping
next
end

Remove `https`, `ssh`, `snmp`, and `http` from the allowaccess list if not strictly required.

FortiGate CLI – Remove or Disable Unauthorized Administrator Accounts:

config system admin
delete <unused_admin_name>
end

Or disable:

config system admin
edit <admin_name>
set status disable
next
end

FortiGate CLI – Disable FortiCloud SSO if Not Required (Mitigates CVE-2026-24858):

config system global
set forticloud-sso disable
end

CVE-2026-24858 is an authentication bypass vulnerability allowing attackers with a FortiCloud account to log into devices registered to other accounts when SSO is enabled. If FortiCloud SSO is not business-critical, disable it immediately.

  6. Migrate to PBKDF2 Password Hashing and Verify Hash Storage

FortiBleed succeeded largely because legacy SHA-256 hashes remained in configuration files. Organizations must ensure all administrator passwords are stored using PBKDF2, not SHA-256.

Step-by-Step Guide:

FortiGate CLI – Verify Current Password Hash Algorithm:

diagnose system admin list

Look for hash prefix: `PB2` indicates PBKDF2; `SHA256` indicates legacy hashing.

FortiGate CLI – Force PBKDF2 Re-Hashing for All Administrators:
The only way to convert legacy SHA-256 hashes to PBKDF2 is to have each administrator log in post-upgrade. Force this by:

config system admin
edit <admin_name>
set password <new_strong_password>
next
end

This resets the password and stores it using PBKDF2 on FortiOS 7.2.11+, 7.4.8+, or 7.6.1+.

FortiGate CLI – Enable PBKDF2 for New Administrator Accounts (FortiOS 7.2.11+):

config system admin
set hash-algorithm pbkdf2
end

Refer to Fortinet’s Technical Tip: Enforcing PBKDF2 as hash function for administrator accounts.

Verify All Administrators Have Logged In Post-Upgrade:

diagnose system admin list

Cross-reference with audit logs to confirm each administrator has authenticated since the upgrade.

Linux – Check for Exposed Configuration Files in Backups:

grep -r "encrypted_password" /path/to/backups/
grep -r "SHA256" /path/to/fortigate/configs/
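
The grep above only tells you that a hash is present. The following added script (written for this article, not a Fortinet or CISA tool) parses a FortiGate configuration backup in its `config` / `edit` / `set` / `next` / `end` syntax and reports the three weaknesses covered in the management-interface and PBKDF2 sections above: admin accounts still carrying a legacy hash prefix, admin accounts with no trusted-host restriction (or one that allows any source), and `wan*` interfaces exposing management protocols in `allowaccess`. Assumptions: the hash prefixes follow the page (`SHA256` legacy, `PB2` PBKDF2), with `SH2` also treated as legacy because it appears in FortiOS backups (verify against your own export); trusted hosts are read from the backup key `trusthostN` and from the page's `trusted-hosts` spelling; interface names starting with `wan` are assumed to face the internet. The sample configuration embedded in the script is constructed.

```python
"""Audit a FortiGate configuration backup for FortiBleed-relevant weaknesses.

Added example, not Fortinet/CISA tooling. See assumptions in the lead-in;
SAMPLE_CONFIG is constructed and the ENC tokens are placeholders.
"""
import re
import shlex

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.0.0.0
        set password ENC PB2placeholder
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set password ENC SHA256placeholder
    next
    edit "vendor"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC SH2placeholder
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping https ssh fgfm
    next
end
"""

LEGACY_PREFIXES = ("SHA256", "SH2")          # assumption: see lead-in
PBKDF2_PREFIX = "PB2"                        # prefix named on the page
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}
TRUSTED_HOST_KEY = re.compile(r"trusthost\d+|trusted-hosts")


def parse_config(text: str) -> dict:
    """Return {section: {entry: {key: [values]}}} for top-level config blocks.

    Nested 'config' blocks inside an entry are skipped: the audit only needs
    the top-level attributes of each admin and interface.
    """
    tree: dict = {}
    section = entry = None
    skip_depth = 0
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if skip_depth:                       # inside a nested block we ignore
            skip_depth += verb == "config"
            skip_depth -= verb == "end"
            continue
        if verb == "config" and entry is not None:
            skip_depth = 1
        elif verb == "config":
            section = " ".join(args)
            tree.setdefault(section, {})
        elif verb == "edit":
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif verb == "set" and entry is not None:
            tree[section][entry][args[0]] = args[1:]
        elif verb == "next":
            entry = None
        elif verb == "end":
            section = entry = None
    return tree


def audit(text: str) -> list[str]:
    tree = parse_config(text)
    findings: list[str] = []
    for name, attrs in tree.get("system admin", {}).items():
        pw = attrs.get("password", [])
        token = pw[1] if len(pw) > 1 and pw[0] == "ENC" else ""
        if token.startswith(LEGACY_PREFIXES):
            findings.append(f"admin {name}: legacy password hash, needs post-upgrade reset")
        elif not token.startswith(PBKDF2_PREFIX):
            findings.append(f"admin {name}: unrecognised hash format, verify manually")
        hosts = [v for k, v in attrs.items() if TRUSTED_HOST_KEY.fullmatch(k)]
        if not hosts:
            findings.append(f"admin {name}: no trusted hosts configured")
        elif any(h[:2] == ["0.0.0.0", "0.0.0.0"] for h in hosts):
            findings.append(f"admin {name}: trusted host allows any source")
    for name, attrs in tree.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(attrs.get("allowaccess", []))
        if name.lower().startswith("wan") and exposed:   # assumption: wan* is internet-facing
            findings.append(f"interface {name}: management services {sorted(exposed)} on WAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against every backup you hold, not just the running configuration: the page's point is that old backups preserve the legacy hashes even after the device itself has been migrated.
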

  7. Review Logs and Hunt for Indicators of Compromise

CISA instructs organizations to review firewall, VPN, authentication, and domain controller logs for lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes.

Step-by-Step Guide:

FortiGate CLI – Enable Comprehensive Event Logging:

config log eventfilter
set event enable
set admin enable
set vpn enable
set user enable
set router enable
next
end

This enables logging of user authentication, VPN, and administrative events.

FortiGate CLI – Display Filtered Log Entries:

execute log filter category 1
execute log display

Category 1 filters for authentication events. Category 4 filters for VPN events.

FortiGate CLI – Search Logs for Specific IP Address or User:

execute log filter destination-ip <suspicious_IP>
execute log display

FortiGate CLI – Export Logs for Offline Analysis:

execute log export

This exports logs to a syslog server or FortiAnalyzer.

Windows – Detect Unusual Administrative Logons (Event ID 4672):

# 4672: Properties[1] is SubjectUserName (the account granted special privileges)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} |
Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-30) } |
Select-Object TimeCreated, @{N='Account';E={$_.Properties[1].Value}} |
Group-Object Account | Sort-Object Count -Descending

Windows – Detect Unusual VPN Authentication Attempts:

# 4625: Properties[5] is TargetUserName, [11] is LogonProcessName, [19] is IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) } |
Where-Object { $_.Properties[11].Value -like "*VPN*" } |
Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='SourceIP';E={$_.Properties[19].Value}}

Linux Syslog – Check for Unusual SSH Access:

grep "Accepted password" /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c | sort -nr

This identifies the most frequent successful SSH logins.

FortiGate CLI – Check for Unauthorized Configuration Changes:

execute log filter category 3
execute log display

Category 3 logs configuration changes.
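The CLI filters above work one category at a time on the box itself. For offline review of exported logs, here is an added example (not from the page, not a Fortinet tool) that parses FortiGate's `key=value` event-log format and applies three of the hunts this section describes: repeated SSL VPN login failures from one source (credential spraying), successful administrative logins from outside trusted networks, and configuration changes. The log lines embedded below are constructed and modelled on FortiGate's format; field names such as `action`, `remip`, `srcip`, `ui`, `cfgpath`, `cfgobj` and `cfgattr` are assumptions to be checked against your own export, and the trusted networks are placeholders.

```python
"""Hunt through exported FortiGate event logs for FortiBleed-style activity.

Added example. Log lines are constructed; field names and trusted networks
are assumptions, see the lead-in.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: four failed SSL VPN logins from one IP, then a successful
# admin login from that same IP, a normal internal login, and a config change.
SAMPLE_LOGS = [
    'date=2026-03-02 time=02:14:07 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="admin" remip=198.51.100.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:14:09 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="administrator" remip=198.51.100.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:14:11 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="fortinet" remip=198.51.100.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:14:13 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="guest" remip=198.51.100.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:15:41 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" action="login" status="success" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 method="https"',
    'date=2026-03-02 time=09:02:10 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" action="login" status="success" user="netops" ui="ssh(10.0.0.5)" srcip=10.0.0.5 method="ssh"',
    'date=2026-03-02 time=02:16:03 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" action="Add" user="admin" ui="https(198.51.100.7)" cfgpath="system.admin" cfgobj="svc-backup" cfgattr="accprofile[super_admin]"',
]

# Placeholder trusted management networks; replace with your own.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict[str, str]:
    """Split a FortiGate log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def hunt(lines: list[str], spray_threshold: int = 3) -> list[str]:
    events = [parse(line) for line in lines]
    findings: list[str] = []

    # 1. Credential spraying: many SSL VPN failures from the same remote IP.
    failures = Counter(e["remip"] for e in events
                       if e.get("action") == "ssl-login-fail" and "remip" in e)
    for ip, count in failures.most_common():
        if count >= spray_threshold:
            findings.append(f"possible credential spray: {count} SSL VPN login failures from {ip}")

    for e in events:
        # 2. Administrative login from a source outside the trusted networks.
        if e.get("action") == "login" and e.get("status") == "success":
            src = e.get("srcip", "")
            if not is_trusted(src):
                findings.append(f"admin login by {e.get('user')} from untrusted {src} via {e.get('ui')}")
        # 3. Any configuration change, with what was touched.
        if e.get("subtype") == "system" and "cfgpath" in e:
            detail = " ".join(x for x in (e["cfgpath"], e.get("cfgobj", ""), e.get("cfgattr", "")) if x)
            findings.append(f"config change by {e.get('user')}: {detail}")
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

The three findings this produces on the sample (spray, untrusted admin login, new super_admin account) are the sequence the article describes: credentials sprayed, access confirmed, persistence added. Correlating the same source IP across all three is what turns noisy failure logs into an incident.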

What Undercode Say:

  • Key Takeaway 1: FortiBleed is not a vulnerability you can patch away—it is the result of years of accumulated failures including exposed management interfaces, legacy SHA-256 hashing, and poor credential hygiene. Organizations that assume patching alone is sufficient remain vulnerable.

  • Key Takeaway 2: The credential database is now a productized asset sold on eCrime marketplaces with metadata including industry, revenue, and employee count. This means multiple ransomware operators—including Qilin, Play, Krybit, and Gunra—may already have purchased access to affected networks. The threat does not end with the initial harvesting group.

Analysis:

The FortiBleed campaign represents a paradigm shift in how perimeter defenses are compromised. Rather than exploiting a single zero-day, attackers systematically dismantled network perimeters through a convergence of architectural oversights—legacy hashing that should have been migrated years ago, default credentials that were never rotated, and management interfaces that remained exposed to the public internet. The 1.16 billion credential attempts against 320,777 targets demonstrate an industrialized, automated operation at a scale previously unseen in firewall-targeting campaigns.

Organizations must recognize that perimeter devices are no longer just network appliances—they are high-value targets containing the keys to internal Active Directory environments. The offline cracking methodology means many organizations have no logs of the initial credential theft, making detection exceptionally difficult. The only reliable defense is to assume compromise, rotate all credentials, enforce MFA, and remove management interfaces from public exposure entirely.

The inclusion of a Turkish NATO defense contractor among confirmed victims, with classified documents allegedly stolen, raises the likelihood of state-sponsored espionage objectives alongside opportunistic access. This campaign demonstrates that credential harvesting has evolved from opportunistic crime to a professionalized access-broker industry that threatens national security interests.

Prediction:

-1: Organizations that delay response face imminent ransomware deployment—attackers are actively selling access, and ransomware operators have already updated their tooling to exploit this exact combination of perimeter credential theft and endpoint privilege escalation.

-1: The number of compromised devices (86,644) will continue to rise as researchers discover additional exposed credentials and victims come forward with evidence of intrusion.

-1: Regulatory fines and class-action lawsuits are inevitable for organizations that fail to implement basic security controls like MFA and trusted host restrictions, given CISA’s explicit guidance and the foreseeable nature of this attack vector.

-1: Legacy SHA-256 password hashing remains a systemic vulnerability across the industry—expect similar campaigns targeting other firewall vendors that have not migrated to modern, slow hashing algorithms.

+1: This incident will accelerate the adoption of phishing-resistant MFA and zero-trust architectures across government and enterprise sectors, finally moving beyond checkbox compliance to genuine security hardening.

-1: Smaller organizations without dedicated security teams are disproportionately at risk—they lack the resources to identify exposure, rotate credentials, and implement the hardening measures required to survive this campaign.


IT/Security Reporter URL:

Reported By: Mohit Hackernews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
