Security practitioners are facing a sophisticated evolution in perimeter threats. SOCRadar has identified a large-scale campaign, dubbed "FortiBleed," actively targeting Fortinet FortiGate firewalls. Unlike traditional exploitation that seeks merely to breach the network, this campaign demonstrates a high degree of persistence: attackers are deploying custom packet sniffers directly on compromised appliances to harvest authentication secrets.
This is not just a breach; it is an intelligence-gathering operation. By intercepting traffic at the gateway, the attackers capture credentials, session tokens, and sensitive data traversing the firewall—effectively compromising the integrity of the encrypted tunnels these devices are supposed to protect. Defenders must assume that a compromised firewall implies a compromise of all authentication material passing through it. Immediate action is required to identify if your appliances have been weaponized as listening posts.
Technical Analysis
Affected Products:
- Fortinet FortiGate Secure Firewalls (FortiOS).
The Threat Vector: While the initial access vector leverages an unpatched vulnerability on the target device, the critical concern for Incident Response (IR) teams is the post-exploitation activity. Once access is gained, the threat actor executes a custom sniffer utility tailored for the FortiOS environment.
Mechanism of Credential Theft: The deployed sniffer operates in promiscuous mode, capturing raw network packets from the interfaces. It specifically targets authentication traffic, likely including:
- HTTPS administrative logins to the firewall itself.
- SSL-VPN handshake data and session establishment.
- Pass-through authentication traffic (e.g., LDAP, RADIUS, or HTTP Forms) traversing the gateway.
Exploitation Status: SOCRadar has confirmed active exploitation in the wild. The presence of a custom binary indicates the actor has moved beyond automated scanning to manual, hands-on-keyboard interaction with the appliance. The "FortiBleed" designation comes from the "bleeding" of data via these sniffers.
Detection & Response
Detecting this campaign requires visibility into the operating-system-level behavior of your firewalls, which standard firewall traffic logs rarely provide. We need to hunt for the execution of unauthorized binaries and for the specific administrative commands that start a capture.
Sigma Rules
The following Sigma rules target the execution of packet capture utilities and the specific CLI commands used to configure or run sniffers on FortiOS. Note that these rules require your SIEM to be ingesting FortiOS system logs and that logging of administrative command execution is enabled on the device (the cli-audit log setting or similar).
---
title: FortiBleed - FortiOS Sniffer Execution
id: 8a4b9c12-3d4e-4f8a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects the execution of packet capture utilities or sniffer commands on FortiGate devices, indicative of the FortiBleed campaign or espionage.
references:
    - https://www.socradar.com/
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.credential_access
    - attack.t1040
logsource:
    category: firewall
    product: fortinet
detection:
    selection:
        action: 'execute'
        msg|contains:
            - 'diag sniffer packet'
            - 'tcpdump'
            - '/tmp/sniffer'
    condition: selection
falsepositives:
    - Authorized network troubleshooting by administrators
level: high
---
title: FortiBleed - Suspicious Binary Execution in /tmp
id: 9b5c0d23-4e5f-5g9b-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects execution of binaries from world-writable directories like /tmp or /var on FortiGate, often used to drop custom malware.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains:
            - '/tmp/'
            - '/var/tmp/'
        Image|endswith:
            - '.bin'
            - '.run'
    condition: selection
falsepositives:
    - Legitimate installer scripts (rare on production firewalls)
level: critical
KQL (Microsoft Sentinel / Defender)
This KQL query hunts for syslog events from FortiGate devices indicating the execution of diagnostic sniffer commands or the presence of custom binaries.
Syslog
// The Syslog table has no DeviceVendor/DeviceName columns (those belong to CommonSecurityLog);
// FortiOS syslog messages identify the device through their devname=/devid= fields instead.
| where SyslogMessage has "devname="
| where SyslogMessage has_any ("diag sniffer packet", "diagnose sniffer packet", "tcpdump", "execute /tmp", "execute /var")
| project TimeGenerated, Computer, HostName, ProcessName, SyslogMessage
| order by TimeGenerated desc
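As an added example that is not part of the original advisory, the following Python applies the logic of the two Sigma rules and the KQL hunt above to raw FortiOS CLI-audit lines. The sample log lines, the management subnet and the exact field layout are constructed assumptions; the one thing it adds over the rules is escalating a sniffer command issued from outside the management subnet, which the rules' "authorized troubleshooting" false-positive note cannot separate on its own.

```python
import ipaddress
import re
from collections import namedtuple

# FortiOS event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Admin source address inside the FortiOS "ui" field, e.g. ui="ssh(10.10.0.7)" (assumed layout).
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')
# Indicators mirrored from the Sigma rules above.
SNIFFER_CMDS = ("diag sniffer packet", "diagnose sniffer packet", "tcpdump", "/tmp/sniffer")
DROP_DIRS = ("/tmp/", "/var/tmp/")
# Constructed management subnet: admin actions from outside it are escalated.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

Finding = namedtuple("Finding", "rule level devname user source_ip evidence")

def parse_fortios_event(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def evaluate(event: dict) -> list:
    """Apply the sniffer-execution and /tmp-execution detections to one event."""
    msg = event.get("msg", "")
    ip = m.group(1) if (m := UI_IP_RE.search(event.get("ui", ""))) else ""
    outside_mgmt = bool(ip) and ipaddress.ip_address(ip) not in MGMT_NET
    ctx = (event.get("devname", ""), event.get("user", ""), ip, msg)
    findings = []
    if any(cmd in msg.lower() for cmd in SNIFFER_CMDS):
        # Authorized troubleshooting from the management subnet stays "high";
        # the same command from any other address is escalated to "critical".
        findings.append(Finding("fortios_sniffer_execution",
                                "critical" if outside_mgmt else "high", *ctx))
    if event.get("action") == "execute" and any(d in msg for d in DROP_DIRS):
        findings.append(Finding("binary_execution_from_tmp", "critical", *ctx))
    return findings

def hunt(lines) -> list:
    """Run every log line through the parser and both detections."""
    return [f for line in lines for f in evaluate(parse_fortios_event(line))]

# Constructed sample lines; field layout modelled on FortiOS event logs.
SAMPLE_LOGS = [
    'date=2026-05-15 time=10:22:31 devname="FGT-EDGE-01" type="event" subtype="system" '
    'user="admin" ui="ssh(10.10.0.7)" action="execute" msg="diag sniffer packet any \'port 443\' 3"',
    'date=2026-05-15 time=03:14:02 devname="FGT-EDGE-01" type="event" subtype="system" '
    'user="support" ui="ssh(203.0.113.5)" action="execute" msg="execute /tmp/sniffer.bin"',
    'date=2026-05-15 time=09:00:00 devname="FGT-EDGE-01" type="event" subtype="system" '
    'user="admin" ui="ssh(10.10.0.7)" action="login" msg="Administrator admin logged in successfully"',
]
```

Running `hunt(SAMPLE_LOGS)` yields one high finding for the in-subnet capture, and two critical findings for the out-of-subnet execution from /tmp.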
Velociraptor VQL
While placing an agent on a firewall is difficult, if you are performing forensics on a compromised Linux server or analyzing a mounted FortiOS image, this VQL artifact hunts for the remnants of the custom sniffer binaries typically dropped in temporary directories.
-- Hunt for custom sniffer binaries in common temp directories
-- glob() takes a list of patterns; OSPath is the current name of the full-path column
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs=["/tmp/*", "/var/tmp/*"])
WHERE Name =~ "sniffer"
   OR Name =~ "capture"
   OR Name =~ "[.]bin$"
   OR Mode =~ "x"  -- any executable bit set in the mode string
Remediation Script (Bash)
This script is intended for Security Operations teams with SSH access to FortiGate management interfaces. It checks for the presence of the custom sniffer process and lists recent modifications to the /tmp directory.
#!/bin/bash
# FortiBleed Remediation Check Script
# Usage: ./check_fortibleed.sh <firewall_ip> <ssh_user>
set -u
FW_IP="${1:-}"
SSH_USER="${2:-}"
if [ -z "$FW_IP" ] || [ -z "$SSH_USER" ]; then
    echo "Usage: $0 <firewall_ip> <ssh_user>"
    exit 1
fi
# accept-new records an unknown host key but still refuses a changed one,
# unlike StrictHostKeyChecking=no, which would silently accept a swapped key
SSH_OPTS=(-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10)
echo "[*] Connecting to $FW_IP to scan for FortiBleed indicators..."
# Check for suspicious sniffer processes (diag sys process list)
echo "[*] Processes matching sniffer/tcpdump/capture:"
ssh "${SSH_OPTS[@]}" "$SSH_USER@$FW_IP" "diag sys process list" | grep -E "sniffer|tcpdump|capture" || echo "    (none matched)"
# Check for recently modified files in /tmp (common drop location for custom binaries)
echo "[*] Recently modified entries in /tmp:"
ssh "${SSH_OPTS[@]}" "$SSH_USER@$FW_IP" "ls -lart /tmp"
echo "[*] Review the output above for any unrecognized 'sniffer' processes or new binaries in /tmp."
echo "[!] If found, isolate the firewall immediately and initiate credential rotation for all accounts traversing the device."
Remediation
- Immediate Isolation: If a sniffer is detected, disconnect the FortiGate from the network (Management Plane isolation) while maintaining uptime if possible, or prepare for an immediate controlled reboot to clear memory-resident malware.
- Credential Rotation: Assume all credentials (admin, VPN, internal SSO) that traversed the compromised firewall during the dwell time are compromised. Force a global password reset and MFA re-enrollment.
- Patch and Upgrade: Upgrade to the latest FortiOS firmware. The specific vulnerability leveraged for initial access must be patched. Refer to the latest Fortinet PSIRT advisories from 2025/2026.
- Audit Admin Access: Review the output of diagnose sys admin-user list to ensure no unauthorized admin accounts were created. Restrict GUI and SSH access to specific management subnets only.
- Disable Unnecessary Services: Ensure that unused interfaces and services (such as HTTP, Telnet, or TFTP) are disabled.