
FortiBleed Campaign: Defending Against Credential Harvesting on Fortinet Devices

Security Arsenal Team
June 22, 2026
5 min read

A critical mass of valid credentials is the golden ticket for attackers. In the latest "FortiBleed" campaign, threat actors have successfully aggregated a database of over 86,000 confirmed working credentials. This is not a theoretical risk; it is an active, large-scale credential harvesting operation targeting Fortinet infrastructure.

For defenders, this means an assumption of compromise applies to any Fortinet device that was unpatched or internet-facing during the campaign window. The urgency cannot be overstated: if your FortiGate or FortiProxy appliances were exposed while vulnerable, assume your credentials are already in this database and are being sold or used for initial access right now.

Technical Analysis

Affected Products:

  • FortiGate Firewalls
  • FortiProxy Secure Web Gateways
  • FortiSwitch Manager (listed for historical context; the current campaign targets FortiGate and FortiProxy)

Vulnerability Mechanics: The campaign capitalizes on the "FortiBleed" vulnerability, an authentication bypass in the management interface. The core issue lies in how the interface handles specific HTTP requests, allowing an attacker to skip the authentication checks entirely.

Unlike a brute-force attack, this vulnerability grants the attacker immediate administrative access without any valid credential. With that access, the attackers dump the device's configuration. A FortiOS configuration backup carries admin password hashes, local user accounts, and secrets that the appliance stores in reversible form (IPsec pre-shared keys, LDAP and RADIUS bind passwords, and potentially VPN credentials), so a stolen backup should be treated as a set of working credentials rather than a set of hashes. The "harvesting" aspect of this campaign refers specifically to the systematic exfiltration of these secrets to build the 86,000-record database.

Exploitation Status:

  • Confirmed Active Exploitation: Yes. The existence of an 86,000-credential database confirms widespread, successful scanning and exploitation.
  • Attack Vector: Internet-facing HTTPS management interfaces (port 443 by default; many deployments move the admin port, so scan your own non-default port as well). The campaign scans for vulnerable endpoints and triggers the exploit to retrieve configuration files.

Detection & Response

Given that the authentication bypass grants administrator rights, device logs may record the attacker's activity as ordinary admin actions. The exploit chain still leaves distinct artifacts: requests to configuration endpoints from addresses outside the management network, admin sessions with no matching login event in the web logs, and, where process telemetry exists at all, unusual child processes of the web server.
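The log-based detection described above, as an added example that is not part of the original article or of any Fortinet tooling: a small Python parser for FortiOS key=value event logs that flags admin logins and changes to credential-bearing objects whose source address lies outside the management network. The sample log lines are constructed to resemble FortiOS syslog output (the field names logdesc, ui, srcip, cfgpath and user are FortiOS's; the device name, device ID and values are made up), and the trusted range 10.20.0.0/16 is an assumed management subnet.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# One key=value pair: the value is a double-quoted string (spaces and escaped
# quotes allowed) or a bare token. FortiOS quotes free-text fields such as msg.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Config object paths whose modification or export yields credentials.
SENSITIVE_CFGPATHS = ("system.admin", "user.local", "vpn.ipsec", "vpn.ssl")

# Constructed sample lines (not real device output): an admin login and an
# admin password edit from an internet address, then a login from the LAN.
SAMPLE_LOGS = [
    'date=2026-06-20 time=03:14:07 devname="FGT-EDGE" devid="FGTCONSTRUCTED01" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" '
    'method="https" srcip=198.51.100.23 dstip=203.0.113.2 action="login" '
    'status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(198.51.100.23)"',
    'date=2026-06-20 time=03:14:09 devname="FGT-EDGE" devid="FGTCONSTRUCTED01" '
    'logid="0100044547" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" '
    'srcip=198.51.100.23 action="Edit" cfgtid=4711 cfgpath="system.admin" '
    'cfgobj="admin" cfgattr="password[*]" msg="Edit system.admin admin"',
    'date=2026-06-20 time=09:02:41 devname="FGT-EDGE" devid="FGTCONSTRUCTED01" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="noc" ui="https(10.20.0.15)" '
    'method="https" srcip=10.20.0.15 dstip=10.20.0.1 action="login" '
    'status="success" reason="none" profile="super_admin" '
    'msg="Administrator noc logged in successfully from https(10.20.0.15)"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}


def from_trusted_net(ip: str, trusted: Iterable[str]) -> bool:
    """True when ip falls inside one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted)


def find_suspicious(lines: Iterable[str], trusted_nets: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (reason, fields) for admin logins or sensitive config changes whose
    source address is outside trusted_nets. The bypass yields a fully privileged
    session, so the origin of the session is the signal, not a failed login."""
    hits = []
    for line in lines:
        f = parse_fortios_log(line)
        src = f.get("srcip")
        if not src or from_trusted_net(src, trusted_nets):
            continue
        if f.get("action") == "login" and f.get("status") == "success":
            hits.append(("admin login from untrusted source", f))
        elif any(f.get("cfgpath", "").startswith(p) for p in SENSITIVE_CFGPATHS):
            hits.append(("credential-bearing object changed from untrusted source", f))
    return hits


if __name__ == "__main__":
    for reason, f in find_suspicious(SAMPLE_LOGS, ["10.20.0.0/16"]):
        print(f"{f['date']} {f['time']} {reason}: user={f['user']} "
              f"src={f['srcip']} {f.get('cfgpath', '')}".rstrip())
```

Run against the three constructed lines with 10.20.0.0/16 as the management range, the first two lines are reported and the third is not; point the same function at your own syslog archive and tighten trusted_nets to the subnets that are actually allowed to administer the appliance.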

SIGMA Rules

YAML
---
title: FortiBleed Exploit - Management Interface Access
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects access to FortiOS REST API endpoints that expose admin accounts, local users, VPN settings or a full configuration backup. The FortiBleed bypass is reported to yield an administrative session without credentials, so these requests look like ordinary admin activity; correlate on the source address and on the absence of a preceding login event.
references:
  - https://www.securityweek.com/fortinet-responds-to-fortibleed-campaign/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: fortinet
detection:
  selection:
    # Values under one field key are ORed; the original rule repeated the key,
    # which is invalid YAML and could never match both paths.
    c-uri|contains:
      - '/api/v2/cmdb/system/admin'
      - '/api/v2/cmdb/user/local'
      - '/api/v2/cmdb/vpn.ipsec/'
      - '/api/v2/monitor/system/config/backup'
  filter_mgmt:
    # The User-Agent is attacker-controlled, so the exclusion also requires the
    # request to come from the management subnet (replace with your own range).
    cs-user-agent|contains: 'FortiManager'
    c-ip|cidr: '10.0.0.0/8'
  condition: selection and not filter_mgmt
falsepositives:
  - Legitimate API calls by known management tools from the management network
  - Scheduled configuration backups
level: high
---
title: FortiBleed - Suspicious Process Spawn from Web Server
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects the appliance web server process spawning a shell or a file-reading utility, a post-exploitation pattern when an attacker dumps configuration through a compromised management interface. Production FortiOS does not export process-creation events, so this rule only applies where such telemetry exists (an instrumented lab image, or an EDR-covered host running a comparable web stack); treat it as supplementary to the web-log rule above.
references:
  - https://www.securityweek.com/fortinet-responds-to-fortibleed-campaign/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/httpsd'   # the FortiOS management web server daemon
      - '/nginx'
    Image|endswith:
      - '/bin/sh'
      - '/bin/bash'
      - '/bin/cat'
  condition: selection
falsepositives:
  - Authorized administrative debugging
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for FortiBleed exploitation indicators.
// FortiGate logs forwarded as CEF land in CommonSecurityLog (DeviceVendor "Fortinet");
// plain syslog forwarding lands in Syslog. The Facility column holds the syslog
// facility (local0, ...), never the vendor name, so match on message content instead.
let FortinetSyslog = Syslog
    | where ProcessName contains "fortinet" or SyslogMessage has "devname"
    | project TimeGenerated, HostName, Message = SyslogMessage;
let FortinetCef = CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | project TimeGenerated, HostName = DeviceName, Message = AdditionalExtensions, SourceIP;
union FortinetSyslog, FortinetCef
| where Message has "/api/v2/"
// Pull the request path whichever field name the forwarder used (c-uri, url, or a bare path)
| extend Endpoint = extract(@'(?:c-uri[:=]|url=)"?(/api/v2/[^\s"]+)', 1, Message)
| where Endpoint has_any ("cmdb/system/admin", "cmdb/user/local", "cmdb/vpn.ipsec", "monitor/system/config/backup")
| extend SrcIP = coalesce(SourceIP, extract(@'srcip=([0-9.]+)', 1, Message))
// Exclude the management subnet by address; a "FortiManager" User-Agent can be forged
| where isempty(SrcIP) or not(ipv4_is_in_range(SrcIP, "10.0.0.0/8"))   // replace with your management range
| project TimeGenerated, HostName, SrcIP, Endpoint, Message
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Velociraptor runs on endpoints, not on FortiOS: hunt admin workstations and backup
-- servers for exported FortiGate configs (first line "#config-version=") that were
-- written in the last 24 hours or are unusually large, i.e. possible attacker staging.
SELECT OSPath, Mtime, Size
FROM glob(globs=['C:/Users/*/**/*.conf', '/home/*/**/*.conf', '/tmp/**/*.conf'])
WHERE NOT IsDir
  AND read_file(filename=OSPath, length=32) =~ '^#config-version='
  AND (Mtime > timestamp(epoch=now() - 86400) OR Size > 10000000)

Log Check Script (Bash)

Bash / Shell
#!/bin/bash
# FortiBleed Response Script - Check for Exploitation Indicators
# Greps forwarded FortiOS logs for requests to credential-bearing REST API
# endpoints in the current and previous hour. Run this on the syslog collector,
# not on the appliance. `date -d` is GNU date; on BSD/macOS use `date -v-1H`.
set -euo pipefail

LOG_FILE="${1:-/var/log/messages}"   # Adjust based on FortiOS log forwarding location
SEARCH_TERMS='api/v2/cmdb/system/admin|api/v2/cmdb/user/local|api/v2/cmdb/vpn.ipsec|api/v2/monitor/system/config/backup'

# Classic syslog timestamps use a space-padded day (%e), e.g. "Jun  5 14";
# %d would zero-pad and silently miss days 1-9.
THIS_HOUR="$(date '+%b %e %H')"
LAST_HOUR="$(date -d '1 hour ago' '+%b %e %H')"

echo "Checking for sensitive API access in the last hour..."
if grep -E "(${THIS_HOUR}|${LAST_HOUR})" "$LOG_FILE" | grep -E -q "$SEARCH_TERMS"; then
    echo "[ALERT] Potential FortiBleed exploitation detected in logs."
    echo "Immediate action required: Patch firmware and rotate credentials."
    grep -E "(${THIS_HOUR}|${LAST_HOUR})" "$LOG_FILE" | grep -E "$SEARCH_TERMS" | tail -n 20
    # Trigger an alert or send to SIEM
else
    echo "[INFO] No immediate indicators found in recent logs."
fi

echo "Ensure management interface is not exposed to the internet."
echo "Verify latest patches are applied per Fortinet advisory."

Remediation

The defensive posture against FortiBleed must be aggressive due to the confirmed harvesting of credentials.

  1. Immediate Patching: Upgrade FortiOS and FortiProxy to the latest firmware releases. Check the Fortinet PSIRT advisory for the specific patch versions that address this flaw. Do not delay.

  2. Credential Reset: Treat all local admin credentials and VPN credentials on affected appliances as compromised. Force a reset for all users immediately. The 86,000-credential database means your specific passwords may already be known to the attacker.

  3. Network Segmentation: Ensure the management interface (HTTPS, port 443 by default) is not accessible from the internet. On FortiOS this means removing http/https/ssh from `allowaccess` on WAN-facing interfaces (`config system interface`) and pinning each admin account to trusted source networks with `trusthost` entries (`config system admin`), in addition to restricting management access to specific internal subnets or a dedicated OOB management network.

  4. Audit Logs: Review logs for evidence of configuration export or modification during the campaign's active window. Look for requests to /api/v2/cmdb endpoints and to /api/v2/monitor/system/config/backup from unexpected source addresses, for unusually large responses, and for admin sessions with no matching login event.

  5. MFA Enforcement: Where applicable, enforce Multi-Factor Authentication (MFA) for VPN and administrative access to mitigate the risk of credential reuse. FortiOS supports this per admin account via `set two-factor` (FortiToken, email or SMS) under `config system admin`. Note that MFA does not protect against the bypass itself; it limits what the harvested credentials are worth elsewhere.
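Steps 3 and 5 map directly onto three FortiOS settings: `allowaccess` per interface, and `trusthost` and `two-factor` per admin account. As an added example, not part of the original article or of any Fortinet tooling, the following Python parses a FortiOS CLI configuration export and audits it for exactly those exposures, showing the weak configuration beside the corrected one. Both configuration texts are constructed for illustration; the addresses, token serial and password hash are made up.

```python
import shlex
from typing import Dict, List

# section ("system admin") -> entry ("admin") -> attribute -> values
Config = Dict[str, Dict[str, Dict[str, List[str]]]]

# Constructed export (not from a real device): admin protocols reachable on the
# WAN interface, a super_admin with no trusted hosts and no second factor.
WEAK_CONFIG = """\
#config-version=FGTCONSTRUCTED-7.4.0-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping https
        end
    next
    edit "port1"
        set ip 10.20.0.1 255.255.0.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set password ENC SH2CONSTRUCTEDHASH
    next
end
"""

# The same device after steps 3 and 5: no admin protocols on the WAN side,
# admin sessions pinned to the management subnet, FortiToken second factor.
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping
        set role wan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.0.0
        set two-factor fortitoken
        set password ENC SH2CONSTRUCTEDHASH
    next
end
"""

ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios_config(text: str) -> Config:
    """Minimal parser for FortiOS config/edit/set/next/end syntax. Nested config
    blocks inside an entry (e.g. 'config ipv6') are skipped; the audit only
    needs the top-level sections."""
    sections: Config = {}
    stack: List[str] = []   # open config sections; depth > 1 means nested
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif kw == "end":
            stack.pop()
        elif len(stack) != 1:
            continue
        elif kw == "edit":
            entry = sections[stack[0]].setdefault(tokens[1], {})
        elif kw in ("set", "unset") and entry is not None:
            entry[tokens[1]] = tokens[2:] if kw == "set" else []
        elif kw == "next":
            entry = None
    return sections


def audit(cfg: Config) -> List[str]:
    """Report the exposures remediation steps 3 and 5 are meant to close."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = ADMIN_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} allowed on a WAN interface")
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusthost restriction")
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor disabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios_config(text)) or ["no findings"])
```

The weak export produces three findings (admin protocols on wan1, no trusthost, no two-factor) and the hardened one produces none. The parser deliberately ignores the nested `config ipv6` block, so to audit IPv6 exposure as well, extend it to descend into nested sections and check `ip6-allowaccess` the same way.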
