Listen to this Post
Introduction
In mid-June 2026, the cybersecurity world was rocked by the disclosure of “FortiBleed”—a massive credential-harvesting campaign that exposed administrator and SSL VPN credentials for approximately 86,644 unique Fortinet devices across 194 countries, representing roughly half of all internet-facing Fortinet firewalls globally. Unlike traditional vulnerability-driven attacks, this campaign does not exploit a software flaw—there is no patch that closes this exposure. Instead, attackers systematically brute-forced SSH access using weak credentials, then deployed a passive sniffer tool that turned compromised firewalls into credential-harvesting engines, capturing RADIUS, NTLM, Kerberos, and other authentication materials traversing victim networks.
Learning Objectives
- Understand the complete five-stage attack chain of the FortiBleed campaign, from reconnaissance to credential exfiltration
- Learn how to identify Indicators of Compromise (IoCs), including the suspicious `adminim : ITAdmin@888` credential pair
- Master practical remediation steps—including credential rotation, MFA enforcement, and management interface hardening—to secure Fortinet devices
You Should Know
- The Five-Stage Attack Chain: From Shodan to Exfiltration
SOCRadar’s Threat Research Unit (STRU) fully reconstructed the FortiBleed operation, revealing a sophisticated five-stage attack chain:
Stage 1 — Reconnaissance: Attackers used Masscan and Shodan to scan the internet for FortiGate remote-login endpoints, identifying over 430,000 targets.
Stage 2 — SSH Brute-Force: With a curated list of known username-password combinations, attackers systematically tested SSH access. One of the most common credentials observed was adminim : ITAdmin@888—a credential that SOCRadar explicitly flags as a potential Indicator of Compromise.
Stage 3 — Sniffer Deployment: Upon gaining valid SSH credentials, attackers deployed FortigateSniffer—a Golang-based tool that abuses FortiOS’s own built-in diagnostic command `diagnose sniffer packet` across 24 authentication protocols, turning the device into a passive credential collector.
Stage 4 — Offline Cracking: Harvested password hashes were cracked using distributed GPU clusters running Hashtopolis and Hashcat, rented via vast.ai infrastructure.
Stage 5 — Persistent Access & Exfiltration: Attackers maintained access through session-cookie replay and exfiltrated credentials to a growing database. The operation has been active since at least February 2026, completing over 659 harvest cycles that exposed more than 110 million credentials, including RADIUS, NTLM, and Kerberos authentication material.
Critical Takeaway: The campaign operator is assessed to be an Initial Access Broker (IAB) motivated by financial gain, with tooling comments in the Cyrillic alphabet pointing to a likely Russian origin.
2. Indicators of Compromise: What to Look For
If you find any of the following on your Fortinet device, treat it as a potential indicator of compromise and investigate immediately:
Suspicious Accounts to Audit:
– `adminim` with password `ITAdmin@888` — the most commonly observed credential
– `forticloud-sync` and `forticloud-tech` — built-in system accounts that may be abused
Behavioral IoCs:
- Administrator account creation from an unusual source IP address not previously associated with the device
- Configuration file downloads by unauthorized accounts
- Administrator logins from multiple geographic locations in a short time window
- Anomalous authentication events and configuration export activities
Technical IoCs (from SOCRadar’s full report):
- FortigateSniffer binary deployment (Golang-based tool abusing
diagnose sniffer packet) - Unusual SSH sessions originating from IP ranges associated with Russian and Ukrainian networks
- Session-cookie replay patterns indicating persistent access
3. Emergency Response: Step-by-Step Remediation Guide
The Canadian Centre for Cyber Security and CISA have issued urgent hardening alerts. Follow these steps immediately:
Step 1: Inventory All Accounts
On FortiGate CLI - List all administrator accounts config system admin show full-configuration
Audit every account. Identify unauthorized or suspicious accounts (e.g., adminim, forticloud-sync, forticloud-tech) and disable or remove them.
Step 2: Rotate All Administrative Credentials
- Change passwords for all FortiGate admin accounts—including the default `admin` account and any custom accounts
- Change passwords for all SSL VPN user accounts
- Do not reuse any previously used passwords
Step 3: Terminate All Active Sessions
On FortiGate CLI - Terminate all active administrative sessions execute admin session kill all Terminate all SSL VPN sessions execute vpn sslvpn kill all-sessions
Terminate all active SSL VPN and administrative sessions immediately.
Step 4: Enforce Multi-Factor Authentication (MFA)
Enable MFA across all external gateways and admin interfaces. Fortinet supports:
– FortiToken (hardware or software)
– Third-party TOTP solutions (Google Authenticator, Microsoft Authenticator)
– RADIUS/LDAP with MFA integration
Step 5: Restrict Management Interface Access
On FortiGate CLI - Restrict admin access to trusted hosts config system admin edit <admin_name> set trusthost1 <trusted_IP/mask> set trusthost2 <trusted_IP/mask> end
Restrict access to management interfaces to trusted networks and hosts only. Do not expose the management interface (HTTPS/SSH) to the public internet.
Step 6: Check for Patches
While FortiBleed itself is not patchable, ensure your devices are running the latest firmware and specifically check for patches related to:
– CVE-2024-55591 (privilege escalation)
– CVE-2025-59718 and CVE-2025-59719 (authentication bypass)
– CVE-2026-24858 (9.8 CVSS – full administrative access)
Step 7: Scan for FortigateSniffer Activity
On FortiGate CLI - Check for unusual diagnostic sniffer processes diagnose sys process list | grep sniffer Check for unauthorized configuration exports get system config-status
If you detect FortigateSniffer or unauthorized configuration exports, assume the device is compromised and consider factory reset followed by firmware reinstallation from a trusted source.
4. The Credential Hygiene Problem: Why This Happened
Fortinet’s formal response to FortiBleed characterizes the activity as “credential reuse from prior incidents combined with brute force against devices with weak password hygiene and no MFA”. This is not a zero-day—it is a failure of fundamental security practices.
Default Credentials Are Still a Problem:
- All FortiGate firewalls ship with a default administrator account called `admin` with no password
- The `maintainer` account has a default password of `bcpb` followed by the FortiGate serial number
- Historically, undocumented accounts like `Fortimanager_Access` had hardcoded passwords (e.g.,
FGTAbc11xy+Qqz27)
What You Should Do:
- Never leave the default `admin` account without a strong password
- Rename the default `admin` account to something non-obvious
- Disable the `maintainer` account if not required
- Implement a password policy requiring minimum 12 characters with complexity
- Enforce regular password rotation (every 90 days)
5. Linux/Windows Commands for IOC Hunting
Linux – Check for Suspicious SSH Connections to Fortinet Devices:
Check SSH logs for brute-force patterns sudo grep "Failed password" /var/log/auth.log | grep -i "fortinet|fortigate" Check for successful SSH logins from unusual IPs sudo grep "Accepted password" /var/log/auth.log | grep -i "fortinet|fortigate" Check current SSH connections to Fortinet devices ss -tnp | grep :22 | grep -i "fortinet"
Windows – PowerShell IOC Hunting:
Check for suspicious admin account creation in FortiGate logs (if syslog forwarded)
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4720 } | Select-Object TimeCreated, Message
Check for unusual outbound SSH connections
Get-1etTCPConnection -State Established | Where-Object { $<em>.LocalPort -eq 22 -or $</em>.RemotePort -eq 22 }
Check for running processes matching FortigateSniffer patterns
Get-Process | Where-Object { $_.ProcessName -match "sniffer|forti" }
Network Traffic Analysis:
Capture SSH traffic to/from Fortinet devices for analysis sudo tcpdump -i any port 22 -1n -vvv -A | grep -i "fortinet|fortigate|admin"
6. Long-Term Hardening: Beyond the Emergency Response
Implement Zero Trust for Network Devices:
- Treat every network appliance as potentially compromised
- Segment management networks from production traffic
- Use jump hosts with MFA for all administrative access
Deploy Continuous Monitoring:
- Enable syslog forwarding to a SIEM for all FortiGate events
- Monitor for configuration changes and admin account creations
- Set up alerts for configuration file downloads
- Consider using Bitdefender GravityZone EASM to identify internet-exposed management surfaces
Review and Implement CISA’s Top 10 IT Security Actions:
– Consolidate, monitor, and defend internet gateways
– Patch operating systems and applications
– Enforce the management of administrative privileges
– Harden operating systems and applications
What Undercode Say:
- Key Takeaway 1: FortiBleed is not a vulnerability—it’s a credential crisis. No patch will fix this; only disciplined credential hygiene, MFA enforcement, and management interface restriction can prevent compromise. The fact that 86,000 devices were compromised using brute-force and credential reuse is a damning indictment of the industry’s failure to implement basic security controls.
-
Key Takeaway 2: The `adminim : ITAdmin@888` credential pair is a smoking gun. If you find it on your device, your network has likely been breached. But more importantly, this credential didn’t appear out of thin air—it was either a default credential that was never changed or a backdoor account added by attackers after initial compromise. Either way, it signals a complete failure of administrative oversight.
-
Key Takeaway 3: The sophistication of this campaign is alarming. Attackers didn’t just steal credentials—they turned compromised firewalls into passive sniffers, harvesting RADIUS, NTLM, and Kerberos credentials traversing the network. This means a single compromised FortiGate can expose the entire Active Directory environment. Organizations must assume that any device with this credential has been used as a pivot point for lateral movement.
-
Key Takeaway 4: The campaign has been active since February 2026 and has completed over 659 harvest cycles, exposing more than 110 million credentials. This is not a one-off attack—it’s a persistent, well-resourced operation run by an Initial Access Broker with significant infrastructure, including rented GPU clusters for hash cracking and isolated Kali VM labs.
-
Key Takeaway 5: The most vulnerable organizations are IT services and SMBs with under 200 employees. These organizations often lack dedicated security teams and rely on default configurations. If this describes your organization, treat this as an existential threat and prioritize remediation immediately.
-
Key Takeaway 6: Fortinet’s response—characterizing this as “credential reuse” rather than a product vulnerability—is technically accurate but strategically inadequate. The company bears some responsibility for shipping devices with default admin accounts that have no password and for historically including undocumented accounts with hardcoded credentials. Organizations should demand better security-by-design from all network equipment vendors.
Prediction:
-1 The FortiBleed campaign will continue to grow as attackers automate credential validation and expand their harvesting infrastructure. With over 430,000 FortiGate devices targeted and 86,000 already compromised, the remaining vulnerable devices will be swept up in subsequent waves. Organizations that fail to rotate credentials and enforce MFA within the next 30 days will almost certainly be breached.
-1 The exposed credential database—now searchable via Hudson Rock’s portal—will be weaponized by ransomware groups and other cybercriminal actors. The 110 million+ harvested credentials, including RADIUS, NTLM, and Kerberos material, will enable widespread network compromise across industries. Expect a surge in ransomware attacks targeting SMBs and IT service providers in Q3 2026.
+1 This incident will serve as a watershed moment for the network security industry, finally forcing organizations to take credential hygiene and MFA seriously. The CISA and Cyber Centre alerts will drive regulatory changes, and we may see mandatory MFA requirements for all administrative access to network appliances within the next 12-18 months.
-1 The FortiBleed campaign demonstrates that network appliances are the new endpoint—and they are being weaponized at scale. Until vendors adopt secure-by-default configurations (e.g., randomized admin passwords, mandatory MFA on first login), we will continue to see similar campaigns against other firewall vendors. SonicWall, Palo Alto, and Cisco are likely next in the crosshairs.
-1 The use of legitimate diagnostic tools (diagnose sniffer packet) for malicious purposes highlights a fundamental problem: native administrative features are being abused because they are trusted and unmonitored. Expect attackers to pivot to abusing other native diagnostic commands across all major firewall platforms. Defenders must implement behavioral monitoring that detects abuse of legitimate administrative functions, not just signature-based alerts.
-1 The Russian IAB behind this operation has demonstrated exceptional operational security—using isolated Kali VMs, rented GPU capacity, and infrastructure spanning Russian and Ukrainian networks. Attribution will be difficult, and law enforcement action is unlikely. This operator will continue to sell access to compromised networks on dark web forums, fueling a secondary market for Fortinet-compromised environments.
+1 On a positive note, the security research community’s rapid response—from Bob Diachenko’s initial disclosure to SOCRadar’s comprehensive report—demonstrates the power of collaborative threat intelligence. The availability of IoCs, detection rules, and remediation guidance will help competent security teams detect and respond to compromises quickly. Organizations that invest in threat intelligence and incident response capabilities will weather this storm.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Huzeyfe Why – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
