Since February 2026, a massive credential-harvesting operation dubbed FortiBleed has been actively targeting over 430,000 FortiGate firewalls globally. Assessments attribute this campaign to a Russian-speaking Initial Access Broker (IAB) driven by financial gain. The scale is staggering: the actors have successfully harvested approximately 110 million credentials.
This is not a passive intelligence-gathering exercise; it is an active, brute-forcing campaign designed to compromise perimeter security. For defenders, this is a critical call to action. If your FortiGate devices are exposed to the internet without stringent hardening, they are currently being probed or potentially already compromised.
Technical Analysis
Threat Profile:
- Operation Name: FortiBleed
- Threat Actor: Russian-speaking Initial Access Broker (IAB)
- Motivation: Financial gain (likely selling access to ransomware affiliates).
- Target: FortiGate Firewall instances exposed to the public internet.
Attack Vector & TTPs: The campaign does not rely on a specific, singular zero-day vulnerability but rather on exposed services and weak authentication configurations. The attack chain typically involves:
- Discovery & Credential Collection: The actors utilize massive lists of credentials (likely from previous breaches) to identify potential targets.
- Service Enumeration: Scanning for exposed management interfaces (HTTPS/SSH) and VPN services (SSL-VPN) on FortiGate devices.
- Brute-Force Access: Automated brute-forcing of accessible systems using the harvested credential lists. The focus is on gaining administrative access to the device or valid VPN credentials for network ingress.
- Deployment: Upon successful access, the actors deploy bespoke malware or tools to maintain persistence and facilitate lateral movement.
Affected Products:
- FortiGate Firewalls (global install base; affected versions are not specified in the intelligence, implying broad risk across the fleet).
Exploitation Status:
- Confirmed Active Exploitation: Yes. The campaign has been active since February 2026.
- CVE: No CVE is associated with this campaign in the provided intelligence; the weakness exploited is weak authentication combined with management interfaces exposed to the internet.
Detection & Response
Given the reliance on brute-force and unauthorized access, detection efforts must focus on authentication failures, anomalous administrative logins, and the execution of unauthorized processes on the firewall appliance.
Sigma Rules
The following Sigma rules detect brute-force attempts against FortiGate administrative interfaces and suspicious configuration changes indicative of post-exploitation activity.
---
title: FortiBleed - FortiGate Brute Force Attack Detected
id: 8f4a3b1c-6d9e-4f2a-9b1c-8d4e5f6a7b8c
status: experimental
description: Detects multiple failed login attempts to FortiGate firewall administrative interfaces or VPN services, indicative of the FortiBleed brute-force campaign.
references:
  - https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.initial_access
  - attack.credential_access
  - attack.t1110.003
logsource:
  category: firewall
  product: fortinet
detection:
  selection:
    msg|contains:
      - 'login failed'
      - 'authentication failure'
      - 'invalid credential'
  timeframe: 1m
  # count events per source address, not distinct source addresses
  condition: selection | count() by src_ip > 10
falsepositives:
  - Misconfigured VPN clients
  - Legitimate users forgetting passwords
level: high
---
title: FortiBleed - FortiGate Suspicious Admin Configuration Change
id: 9e5b4c2d-7e0f-5g3b-0c2d-9e5f0a1b2c3d
status: experimental
description: Detects configuration changes on FortiGate devices immediately following a successful login, potentially indicating malicious activity or backdoor creation.
references:
  - https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.persistence
  - attack.t1112
logsource:
  category: firewall
  product: fortinet
detection:
  selection_login:
    msg|contains: 'login successful'
  selection_config:
    msg|contains:
      - 'config system'
      - 'set admin'
      - 'execute vpn'
  timeframe: 5m
  # legacy "near" aggregation: a config change within the timeframe of a successful login;
  # backends without near support need a SIEM-side correlation on the device address
  condition: selection_login | near selection_config
falsepositives:
  - Scheduled administrative maintenance
  - Legitimate bulk configuration updates
level: medium
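The two rules above express a per-source failure count and a login-followed-by-config-change correlation. The following Python is an added example (not from the original post or from Fortinet) that implements both checks over constructed FortiGate key=value log lines, so the thresholds can be tested against real exports; the log lines, device names and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed FortiGate event-log lines in FortiOS key=value format (not real captures)
_FAIL = ('date=2026-06-18 time=10:00:{s:02d} devname="fgt-edge" type="event" subtype="system" '
         'action="login" status="failed" srcip=198.51.100.7 user="admin" '
         'msg="Administrator admin login failed from https(198.51.100.7)"')
SAMPLE_LOGS = [_FAIL.format(s=s) for s in range(0, 36, 3)] + [  # 12 failures within 33 s
    'date=2026-06-18 time=10:01:10 devname="fgt-edge" type="event" subtype="system" action="login" '
    'status="success" srcip=198.51.100.7 user="admin" msg="Administrator admin login OK from https(198.51.100.7)"',
    'date=2026-06-18 time=10:02:05 devname="fgt-edge" type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" user="admin" msg="Add system.admin svc_backup"',
    'date=2026-06-18 time=10:30:00 devname="fgt-core" type="event" subtype="system" action="login" '
    'status="success" srcip=10.0.0.5 user="netops" msg="Administrator netops login OK from ssh(10.0.0.5)"',
]
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse(line):
    """Turn one FortiGate key=value log line into a dict with a parsed timestamp."""
    ev = {k: q or u for k, q, u in KV.findall(line)}
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev

def brute_force_sources(events, threshold=10, window=timedelta(minutes=1)):
    """Source IPs with more than `threshold` failed logins inside any `window` (first Sigma rule)."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("status") == "failed":
            fails[ev["srcip"]].append(ev["ts"])
    hits = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over this source's failure times
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                hits.add(ip)
                break
    return hits

def login_then_config(events, window=timedelta(minutes=5)):
    """(device, user, cfgpath) for config edits within `window` after a successful login (second Sigma rule)."""
    logins, hits = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        dev = ev.get("devname")
        if ev.get("action") == "login" and ev.get("status") == "success":
            logins[dev].append(ev["ts"])
        elif "cfgpath" in ev and any(t <= ev["ts"] <= t + window for t in logins[dev]):
            hits.append((dev, ev.get("user"), ev["cfgpath"]))
    return hits
```

Feed it real exports with `events = [parse(l) for l in open(path)]` and tune `threshold` and `window` to the noise level of your own VPN user base.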
KQL (Microsoft Sentinel)
This query hunts for spikes in failed authentication attempts specifically targeting FortiGate devices, which aligns with the credential-harvesting nature of FortiBleed.
// Hunt for FortiBleed brute-force activity in FortiGate logs ingested as CEF
// (the Syslog table has no DeviceVendor column; Fortinet CEF lands in CommonSecurityLog)
let TimeRange = 1h;
CommonSecurityLog
| where TimeGenerated > ago(TimeRange)
| where DeviceVendor == "Fortinet"
| where Message has_any ("login failed", "authentication failed", "denied")
// CEF maps srcip to SourceIP; fall back to parsing it out of the raw extensions
| extend SourceIP = iff(isempty(SourceIP), extract(@"srcip=([\d.]+)", 1, AdditionalExtensions), SourceIP)
| project TimeGenerated, SourceIP, Computer, Message
| summarize count_ = count() by SourceIP, bin(TimeGenerated, 5m)
| where count_ > 50 // Threshold for brute-force behaviour
| order by count_ desc
| extend AlertDetails = strcat("High volume of auth failures from ", SourceIP)
Velociraptor VQL
FortiGate devices run a customized FortiOS. If an attacker gains shell access (via SSH exploit or CLI misuse), they may drop bespoke binaries. This artifact hunts for processes running from non-standard writable directories (e.g., /tmp, /var) or unsigned binaries.
// Hunt for suspicious processes on FortiGate/FortiOS endpoints
SELECT Pid, Name, Exe, CommandLine, Username, CreateTime
FROM pslist()
WHERE Exe =~ '^/tmp/'   // binaries launched from writable scratch space
   OR Exe =~ '^/var/'
   OR (NOT Exe IN ('/bin/init', '/bin/sh', '/bin/sshd', '/bin/newfs', '/bin/cli', '/sbin/devd',
                   '/bin/ph_systray', '/bin/fortilogd', '/bin/httpsd', '/bin/fgfwd', '/bin/wad',
                   '/bin/sshmonitor')   // not a known FortiOS daemon
       AND Username != 'root')
Remediation Script (Bash)
While FortiOS uses a proprietary CLI, the following Bash script is designed to be run on a logging server or via SSH access to parse local logs for Indicators of Compromise (IoC) related to FortiBleed, checking for excessive failed logins from specific IPs.
#!/bin/bash
# FortiBleed Audit Script - Checks for brute force indicators in FortiGate logs
# Usage: ./check_fortibleed.sh /path/to/fortigate.log
set -u
LOG_FILE="${1:-}"
THRESHOLD=50
if [[ -z "$LOG_FILE" || ! -r "$LOG_FILE" ]]; then
  echo "Usage: $0 <logfile>" >&2
  exit 1
fi
echo "[+] Checking for FortiBleed Brute Force Indicators in $LOG_FILE..."
# FortiGate log lines are key=value pairs, so the client address is in the srcip= field,
# not in the first whitespace-separated column
grep -i "login failed" "$LOG_FILE" \
  | grep -oE 'srcip="?[0-9.]+' | tr -d '"' | cut -d= -f2 \
  | sort | uniq -c | sort -nr \
  | awk -v t="$THRESHOLD" '$1 > t {print "[ALERT] High failed login count from IP: " $2 " (Attempts: " $1 ")"}'
echo "[+] Audit complete. Review IPs listed above."
Remediation
To mitigate the risk of FortiBleed and protect your FortiGate infrastructure from credential harvesting and brute-force attacks, implement the following defensive measures immediately:
- Disable Unused Management Interfaces: If SSH (Port 22) or HTTP (Port 80) access is not strictly required for management, disable them. Restrict management access strictly to HTTPS (Port 443) and ensure it is accessible only from specific internal management IPs via Access Control Lists (ACLs).
- Implement Two-Factor Authentication (2FA): Enforce 2FA for all administrator logins and VPN connections (SSL-VPN). This neutralizes the effectiveness of credential stuffing and brute-force attacks, even if valid credentials are obtained.
- Configure Local-in Policies: Create "Local-in" firewall policies on the FortiGate to drop administrative traffic (SSH, HTTPS, Telnet) from the internet. This is the single most effective control against internet-facing brute-force attacks.
- Enable Admin Lockout: Configure the device to lock out administrator accounts after a defined number of failed authentication attempts (e.g., 3-5 attempts).
- Audit Admin Accounts: Review the list of local administrator accounts. Remove any unused or default accounts (e.g., 'admin' if not in use) and ensure all remaining admins have strong, complex passwords.
- Update Firmware: While no specific CVE is cited for this campaign, ensure your FortiOS is running the latest supported version to protect against potential unpatched vulnerabilities used for persistence or lateral movement.
Official Advisory: Monitor the official Fortinet Security Advisories page for updates regarding this specific campaign and any associated patches.
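To check a fleet against the controls listed above without logging into each device, the following Python is an added example (not from the original post or from Fortinet) that parses a FortiOS `show full-configuration` backup and reports which of those settings are weak: lockout threshold, cleartext or WAN-facing management access, the default 'admin' account, admins without 2FA or trusted hosts, and the absence of a deny local-in policy. The configuration excerpt, interface and admin names are constructed.

```python
# Constructed excerpt of FortiOS `show full-configuration` output with weak settings (not from a real device)
WEAK_CONFIG = """\
config system global
    set admin-lockout-threshold 10
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh http
    next
end
config system admin
    edit "admin"
    next
end
"""
def parse_config(text):  # FortiOS CLI config -> nested dicts (section -> settings, or section -> entry -> settings)
    cfg, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):  # open a section or a table entry
            stack.append((line.split(" ", 1)[1].strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][1][key] = value.replace('"', "")
        elif line in ("next", "end"):  # close the innermost block into its parent
            name, body = stack.pop()
            (stack[-1][1] if stack else cfg)[name] = body
    return cfg
def audit(cfg):  # one finding per weak setting, mapped to the remediation items above
    f = []
    thr = cfg.get("system global", {}).get("admin-lockout-threshold")
    if thr is None or int(thr) > 5:
        f.append("admin lockout threshold missing or above 5 attempts")
    for name, iface in cfg.get("system interface", {}).items():
        access = set(iface.get("allowaccess", "").split())
        if access & {"http", "telnet"}:
            f.append(f"{name}: cleartext management protocol enabled")
        if iface.get("role") == "wan" and access & {"https", "ssh", "http", "telnet"}:
            f.append(f"{name}: management reachable on WAN-role interface")
    for name, adm in cfg.get("system admin", {}).items():
        if name == "admin":
            f.append("default 'admin' account still present")
        if adm.get("two-factor", "disable") == "disable":
            f.append(f"{name}: no two-factor authentication")
        if not any(k.startswith("trusthost") for k in adm):
            f.append(f"{name}: no trusted hosts limiting login sources")
    if not any(p.get("action") == "deny" for p in cfg.get("firewall local-in-policy", {}).values()):
        f.append("no deny local-in policy for administrative traffic")
    return f
```

Run `audit(parse_config(open("backup.conf").read()))` on each device's backup; an empty list means every control in the list above is present.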