
security · jun 18, 2026 · 22:44 utc

FortiBleed: 73,932 Fortinet VPN Credentials Exposed

FortiBleed exposed VPN and admin credentials for 73,932 FortiGate firewalls across 194 countries after attackers cracked SSL VPN hashes with a 45-GPU cluster. CVSS 9.1.

by Emanuel De Almeida

Illustration: leaked FortiGate VPN and admin credentials mapped to corporate gateways across 194 countries.

TL;DR

  • 73,932 Fortinet FortiGate firewall URLs spanning 194 countries had VPN and admin credentials exposed in a leak researchers call FortiBleed.
  • Attackers ran 1.16 billion credential attempts against over 320,000 targets, cracking SSL VPN authentication hashes with a 45-GPU cluster.
  • Roughly half of all internet-accessible Fortinet firewalls appear in the leaked data, based on Shodan network measurements.
  • Fortinet says the data is recycled from prior incidents; independent researchers dispute that, noting the device set differs from the 2025 Belsen Group leak.
  • Many affected devices still use the older SHA-256-with-salt hashing scheme, which a GPU cluster can crack at scale.

What exactly is the FortiBleed leak?

Security researcher Bob Diachenko found the FortiBleed dataset on an accidentally exposed, attacker-controlled server. It contains verified VPN and administrative credentials for 73,932 FortiGate firewall URLs across 194 countries. The full FortiBleed incident breakdown published by BleepingComputer makes clear this is not a simple password list dump. It is the output of a large, deliberate credential-harvesting pipeline. The volume alone separates it from typical opportunistic breaches.

When we cross-referenced the published device count against Shodan's live FortiGate exposure data, the roughly 50% overlap figure held. That confirmation shapes every remediation priority below.

For context on how credential theft drives downstream attacks, see the Verizon 2025 DBIR analysis at SecurityWeek: stolen credentials appear in 22% of all confirmed breaches, and exploitation of edge devices like VPN appliances surged nearly eightfold in a single year.

How did attackers collect credentials at this scale?

The operation was systematic and technically intensive. Attackers ran approximately 1.16 billion credential attempts against 320,777 FortiGate targets, intercepting SSL VPN authentication hashes in the process. Those hashes then moved to offline cracking on a 45-GPU cluster managed through Hashtopolis, an open-source distributed hash-cracking framework.

BleepingComputer reports the entire pipeline - from interception to cracking - ran as an automated operation at a scope most individual organizations cannot monitor.

FortiGuard Labs recorded billions of internet scans each month in 2024, equivalent to 36,000 scans per second, up 16.7% year-over-year. FortiBleed fits that pattern: systematic, infrastructure-backed mapping followed by targeted credential extraction.

This was not random scanning. It was a production-grade credential factory.

Chart: FortiBleed operation scale: targets vs. exposed devices

Who is affected by FortiBleed?

Roughly half of all internet-accessible Fortinet firewalls appear in the leaked data, based on Shodan network measurements. A majority of those devices expose their FortiGate management interfaces directly to the internet, a configuration that multiplies exposure significantly.

Affected organizations span government, healthcare, financial services, and critical infrastructure across 194 countries. Rapid7 confirmed that attackers exploiting related Fortinet CVEs authenticated as the admin user and immediately downloaded system configuration files containing hashed credentials - the exact output FortiBleed aggregated.

If your organization runs a FortiGate device with a public-facing management interface, treat yourself as in scope until you can prove otherwise.

This pattern is not unique to Fortinet. The Check Point Gaia OS IKEv1 authentication bypass CVE-2026-50751 followed the same template: unauthenticated access to a VPN appliance, harvested credentials, and delayed detection.

Why are older FortiOS versions especially vulnerable?

Fortinet switched to PBKDF2 with randomized salt for administrator password storage in FortiOS 7.2.11, 7.4.8, and 7.6.1. That change makes offline cracking orders of magnitude harder.

However, Arctic Wolf confirmed that existing administrator passwords stay stored as SHA-256 hashes until the administrator actually logs in after the upgrade. On a patched device, a dormant admin account still carries a hash the cluster can crack.

The table below shows the practical difference between the two schemes:

Hashing scheme              | Affected FortiOS versions       | Relative crack resistance | Notes
SHA-256 with salt           | Before 7.2.11 / 7.4.8 / 7.6.1   | Low                       | Crackable at scale with a GPU cluster
PBKDF2 with randomized salt | 7.2.11+, 7.4.8+, 7.6.1+         | High                      | Existing accounts only migrate after a post-upgrade admin login

Age of deployment matters here. Patch first, then rotate: a password rotated on an unpatched device is stored under the weak scheme, and on a patched device each account only moves to PBKDF2 at its next login.
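As an added illustration (not code from the article or from Fortinet), the Python below runs the same dictionary attack against a salted SHA-256 digest and a PBKDF2 digest. The two hashers are textbook constructions, not Fortinet's on-disk password encoding; the wordlist, the salt and the PBKDF2 iteration count are assumptions. The point it makes is that a salt does nothing against guess-by-guess cracking; only the per-guess work factor slows a GPU cluster down.

```python
"""Added example: dictionary attack against salted SHA-256 vs PBKDF2.

Both hashers are generic constructions, not Fortinet's on-disk encoding.
The wordlist, the salt and the iteration count are made up for this demo.
"""
import hashlib
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the illustration
WORDLIST = ["Password1", "fortinet", "Admin123", "Summer2024!", "Welcome1"]  # constructed


def sha256_salted(password: str, salt: bytes) -> bytes:
    # One SHA-256 per guess. The salt defeats precomputed tables but does not
    # raise the cost of each guess; GPUs do billions of these per second.
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # PBKDF2 chains HMAC-SHA256 `iterations` times, so every guess costs
    # that many hash calls instead of one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target: bytes, salt: bytes, hasher, wordlist) -> tuple:
    """Dictionary attack: returns (password or None, guesses tried, seconds)."""
    start = time.perf_counter()
    for tried, guess in enumerate(wordlist, start=1):
        if hasher(guess, salt) == target:
            return guess, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def cost_per_guess_ratio(sha_rounds: int = 2000, pbkdf2_rounds: int = 5) -> float:
    """Seconds per PBKDF2 guess divided by seconds per salted-SHA-256 guess."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for i in range(sha_rounds):
        sha256_salted(f"guess{i}", salt)
    sha_per_guess = max((time.perf_counter() - t0) / sha_rounds, 1e-9)
    t0 = time.perf_counter()
    for i in range(pbkdf2_rounds):
        pbkdf2_sha256(f"guess{i}", salt)
    pbkdf2_per_guess = (time.perf_counter() - t0) / pbkdf2_rounds
    return pbkdf2_per_guess / sha_per_guess


def main() -> None:
    salt = os.urandom(16)
    for label, hasher in (("salted SHA-256", sha256_salted), ("PBKDF2-SHA256", pbkdf2_sha256)):
        target = hasher("Summer2024!", salt)  # stands in for a digest pulled from a config
        pw, tried, secs = crack(target, salt, hasher, WORDLIST)
        print(f"{label:15s} recovered {pw!r} after {tried} guesses in {secs:.4f}s")
    print(f"PBKDF2 costs ~{cost_per_guess_ratio():,.0f}x more per guess than salted SHA-256")


if __name__ == "__main__":
    main()
```

Both runs recover the weak password; the difference is purely cost per guess, which is the only lever a defender has once a hash has left the device. That is why the article's order of operations (patch, then rotate, then have each admin log in) matters.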

What does Fortinet say - and why do researchers push back?

Fortinet's official position, as reported by The Next Web, is that FortiBleed is "a resharing of data from previous incidents, as well as bruteforcing of credentials" and is "not related to any recent incident or advisory." That framing could make remediation feel less pressing.

Researchers counter that the device set in FortiBleed differs meaningfully from the devices exposed in the known 2025 Belsen Group leak, which argues against a pure repackaging story. The dispute matters for triage. Fresh credentials carry higher risk than stale ones, so do not wait for Fortinet to settle the question before acting.

For a parallel case where vendor framing and researcher findings diverged on active exploitation, see Broken Entra Access Controls Exposed FIFA World Cup Streams.

What to do now

The six steps below address FortiBleed exposure in priority order. Complete them in sequence.

1. Restrict management interface access

Remove FortiGate admin interfaces from public internet access immediately. Two settings do this: drop https, http, ssh and telnet from allowaccess on every internet-facing interface, and set trusthost entries on every administrator account so the management plane only answers trusted source ranges. If remote administration is unavoidable, reach it over a VPN or a dedicated management network rather than the WAN interface. This single change eliminates the largest attack surface.

2. Check your FortiOS version and hashing scheme

Verify you are running FortiOS 7.2.11, 7.4.8, 7.6.1, or later - the versions that introduced PBKDF2 hashing. If your device predates that update, prioritize patching before credential rotation. Patching first ensures rotated passwords store under the stronger scheme.
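The audit below is an added example (not the article's or Fortinet's code) that runs steps 1 and 2 against a configuration backup instead of by hand. The backup text is constructed in FortiOS CLI syntax with made-up interface names, addresses and version string, and placeholder password values; the set of services treated as "admin services" and the assumption that branches newer than 7.6 inherit PBKDF2 hashing are the example's own.

```python
"""Added example: audit a FortiGate configuration backup for exposed management
services, admins without trusthost, and a pre-PBKDF2 FortiOS release.
The sample config is constructed; password values are placeholders."""
import re
import shlex

# Releases that introduced PBKDF2 admin-password hashing, per the article.
PBKDF2_MIN_BY_BRANCH = {(7, 2): (7, 2, 11), (7, 4): (7, 4, 8), (7, 6): (7, 6, 1)}
ADMIN_SERVICES = {"https", "http", "ssh", "telnet"}  # assumed remote-admin services

SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.3-FW-build2573-240201:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGT-EDGE"
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "super_admin"
        set password ENC PLACEHOLDER
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER
    next
end
"""


def fortios_version(config_text: str):
    """Parse (major, minor, patch) from the '#config-version=' header line."""
    m = re.search(r"^#config-version=.*?-(\d+)\.(\d+)\.(\d+)-", config_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def has_pbkdf2_hashing(version) -> bool:
    """True if new admin passwords are stored with PBKDF2 on this release.
    Assumption: branches newer than 7.6 inherit the change; 7.0 and older do not."""
    if version is None:
        return False
    branch = version[:2]
    if branch in PBKDF2_MIN_BY_BRANCH:
        return version >= PBKDF2_MIN_BY_BRANCH[branch]
    return branch > (7, 6)


def parse_fortios_config(text: str) -> dict:
    """Minimal parser: {section: {entry: {setting: [values]}}} for top-level
    sections. Sub-tables nested inside an entry are skipped."""
    sections, stack, section, entry = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw = parts[0]
        if kw == "config":
            stack.append("config")
            if len(stack) == 1:
                section = " ".join(parts[1:])
                sections.setdefault(section, {})
        elif kw == "edit":
            stack.append("edit")
            if len(stack) == 2:
                entry = sections[section].setdefault(parts[1], {})
        elif kw == "set" and len(stack) == 2 and entry is not None:
            entry[parts[1]] = parts[2:]
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
            if len(stack) < 2:
                entry = None
    return sections


def audit(config_text: str) -> list:
    """Return human-readable findings for steps 1 and 2 of the remediation list."""
    findings = []
    version = fortios_version(config_text)
    if not has_pbkdf2_hashing(version):
        findings.append(f"version {version}: admin passwords still hashed with salted SHA-256; "
                        "upgrade to 7.2.11/7.4.8/7.6.1 or later before rotating")
    cfg = parse_fortios_config(config_text)
    for name, s in cfg.get("system interface", {}).items():
        exposed = ADMIN_SERVICES & set(s.get("allowaccess", []))
        if s.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name} (role wan) allows {' '.join(sorted(exposed))}; "
                            "remove them from allowaccess")
    for name, s in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name} has no trusthost restriction; add trusthost entries")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a real backup and the three findings it raises on the sample (old release, management services on wan1, an admin account with no trusthost) are exactly the conditions steps 1 and 2 tell you to clear before rotating anything. Only interfaces explicitly marked role wan are checked; extend the rule for your own topology.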

3. Rotate all VPN and admin credentials

Treat every password on affected devices as compromised. This includes service accounts and API tokens. After patching to a PBKDF2-capable version, have each administrator log in once to trigger hash migration for their account.

4. Verify CVE-2025-59718 patch status

CVE-2025-59718 is an improper cryptographic signature verification flaw (CVSS 9.1) affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. CISA added it to the Known Exploited Vulnerabilities catalog on December 16, 2025, with a remediation deadline of December 23, 2025.

Confirm your patch status against that advisory now. Rapid7 observed attackers exploiting this CVE to authenticate as admin and pull configuration files containing hashed credentials - the direct source material for FortiBleed.

Also review CISA's January 2026 alert on CVE-2026-24858, a FortiCloud SSO authentication bypass that let attackers make unauthorized VPN configuration changes even on devices already patched against earlier CVEs.

5. Hunt for config-download events in your SIEM

Query authentication logs for admin sessions followed within minutes by configuration file exports. Two caveats: the CLI command below only shows up in logs if CLI audit logging is enabled on the device, and backups taken through the GUI or REST API never pass through the CLI, so also search the event log for the entries FortiOS writes when a configuration is backed up or downloaded. Use the string below as a starting search term for the CLI path:

```shell
execute backup config
```

Any match warrants immediate investigation. Attackers in Rapid7's observed cases pulled config files within minutes of first authentication.
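As an added example (not the article's or Fortinet's code), the Python below correlates admin logins with later configuration backups in FortiGate-style key=value event logs. The log lines are constructed for the example; the field names follow FortiOS syslog conventions, but the logid values, the logdesc strings, the trusted management range and the ten-minute window are assumptions to replace with your own.

```python
"""Added example: hunt for admin login -> config backup sequences in
FortiGate-style event logs. Sample lines are constructed; logid values,
logdesc strings, the trusted range and the window are assumptions."""
from datetime import datetime, timedelta
import ipaddress
import re

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed management range
WINDOW = timedelta(minutes=10)                       # assumed correlation window

SAMPLE_LOGS = """\
date=2026-06-17 time=02:14:03 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success"
date=2026-06-17 time=02:15:41 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" level="notice" logdesc="Configuration backed up" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="backup" status="success" msg="Configuration file was backed up"
date=2026-06-17 time=09:02:10 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"
date=2026-06-17 time=14:30:00 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" level="notice" logdesc="Configuration backed up" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="backup" status="success" msg="Configuration file was backed up"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict and attach a datetime."""
    ev = {k: (q if q != "" or u == "" else u) for k, q, u in KV.findall(line)}
    ev = {k: (q if q is not None and q != "" else u) for k, q, u in KV.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt_config_exfil(log_text: str, window: timedelta = WINDOW) -> list:
    """Flag a backup that (a) follows a successful login by the same user and
    source within `window`, or (b) originates outside the trusted ranges."""
    events = sorted((parse_event(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    last_login = {}
    hits = []
    for ev in events:
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("action") == "login" and ev.get("status") == "success":
            last_login[key] = ev["ts"]
        elif ev.get("action") == "backup":
            reasons = []
            if key in last_login and ev["ts"] - last_login[key] <= window:
                delta = int((ev["ts"] - last_login[key]).total_seconds())
                reasons.append(f"backup {delta}s after login")
            if not is_trusted(ev["srcip"]):
                reasons.append("source outside trusted management ranges")
            if reasons:
                hits.append({"ts": ev["ts"], "user": key[0], "srcip": key[1], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_config_exfil(SAMPLE_LOGS):
        print(hit["ts"], hit["user"], hit["srcip"], "; ".join(hit["reasons"]))
```

On the sample, only the 02:15 backup fires: it follows a login from the same untrusted address by 98 seconds, which is the tempo Rapid7 described. The afternoon backup from the management network, hours after its login, stays quiet. The two rules are independent, so a backup from an unknown source is flagged even when no login is in the window.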

6. Enable MFA on every account

FortiGate supports multi-factor authentication for both admin access and SSL VPN. Enable it on every account. No exceptions. MFA sharply reduces what a cracked password is worth, but it does not close the other door in this story: the Rapid7 cases reached admin through a CVE rather than a password, so MFA complements patching and credential rotation rather than replacing them.

For a step-by-step guide on enforcing access controls at the identity layer, the Conditional Access policy walkthrough for Microsoft 365 apps illustrates the same principle applied to cloud workloads.

Why FortiBleed fits a broader credential crisis

FortiBleed is a single data point in a larger pattern. The Verizon 2025 DBIR, as reported by Infosecurity Magazine, found that exploitation of edge devices and VPNs rose from 3% to 22% of all vulnerability exploitation breaches. Only 54% of vulnerable edge devices reached full remediation, with a median patch time of 32 days.

VPN credentials specifically drove 48% of ransomware attacks in Q3 2025, up from 38% in Q2, according to the Beazley Security Quarterly Threat Report via HIPAA Journal. Leaked FortiGate credentials flow directly into that pipeline.

Credential theft from developer tools follows the same pattern at a different entry point. The case of the JetBrains malicious plugins that stole AI API keys from 70,000 installs shows how attackers aggregate credentials from multiple sources before launching access campaigns.

Frequently asked questions

Is my FortiGate definitely in the leaked dataset?

No public tool exists to check individual devices against the FortiBleed list. Assume exposure if your device was internet-accessible during the period the dataset covers. Rotating credentials and restricting management access costs far less than a confirmed breach investigation.

Does FortiBleed mean attackers already have active access to my network?

Not automatically, but the risk is concrete. Cracked credentials enable access only while the passwords remain unchanged and no second factor is enforced. Immediate credential rotation closes that window. Run parallel monitoring for unusual VPN authentications and lateral movement indicators while rotation completes.

How is FortiBleed different from the 2025 Belsen Group leak?

Researchers say the affected device sets overlap but differ in composition, which argues against FortiBleed being a pure repackaging of Belsen Group data. Fortinet disputes that framing. Until attribution settles, treating FortiBleed as a distinct incident is the more defensible position for your incident response team.

What FortiOS versions are affected by the weaker SHA-256 hashing?

All FortiOS versions before 7.2.11, 7.4.8, and 7.6.1 store administrator passwords using SHA-256 with salt. Devices upgraded to those versions or later still use SHA-256 for any admin account that has not logged in since the upgrade. Only a post-upgrade login triggers migration to PBKDF2.

What is Hashtopolis and why does it matter here?

Hashtopolis is an open-source tool that distributes password hash-cracking jobs across multiple GPUs. Attackers used a 45-GPU cluster running Hashtopolis to crack intercepted SSL VPN authentication hashes at speed, converting an interception operation into a ready-to-use credential database with minimal manual effort.

source: www.anavem.com

#fortinet#fortigate#vpn#credential-leak#brute-force#ssl-vpn
