

Ethical Hacking News

CISA Warns Fortinet Customers of FortiBleed: A Global Campaign of Credential Stuffing and Brute-Force Attacks on Thousands of Vulnerable Devices





The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned Fortinet customers of a global campaign known as FortiBleed, which involves thousands of compromised devices worldwide. The threat actors use brute-force attacks, dictionary attacks, and credential stuffing to breach devices. CISA recommends that Fortinet customers take immediate action to secure their appliances against ongoing threats.

  • The FortiBleed campaign targets thousands of internet-accessible devices using Fortinet firewalls and VPN gateways.
  • The attack is believed to be the work of Russian-speaking threat actors who have exploited over 86,644 devices worldwide.
  • The attackers use a mass-scanning approach to identify login endpoints and spray them with known login and password combinations.
  • A verified database of working credentials for large enterprises has been created by the threat actors.
  • CISA recommends terminating active sessions, resetting passwords, enforcing strong password policies, and using the PBKDF2 algorithm to store administrator credentials.
  • The incident highlights broader issues related to password hygiene and security best practices.



    The cybersecurity world has been abuzz with the news of FortiBleed, a widespread campaign of malicious activity aimed at thousands of internet-accessible devices utilizing Fortinet firewalls and VPN gateways. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to Fortinet customers, urging them to take immediate action to secure their appliances against ongoing threats.

    According to CISA, the FortiBleed campaign is believed to be the work of Russian-speaking threat actors who have successfully exploited thousands of internet-accessible devices worldwide. The number of compromised devices stands at an alarming 86,644 as of June 19, 2026. This staggering figure highlights the severity of the issue and underscores the need for Fortinet customers to take swift action.

    The attack vector employed by the threat actors involves mass-scanning the internet for Fortinet remote login endpoints and then employing a bespoke tool to spray those identified endpoints with known login and password combinations in an attempt to break into them. The fully-automated attack is built around a self-sustaining, two-step approach that allows the attackers to passively monitor network traffic going through the devices to collect additional credentials.

    The threat actors have reportedly created a verified database of working credentials for some of the largest enterprises on the planet. This highlights the potential for FortiBleed to have significant real-world implications, not only in terms of compromise but also in terms of data breaches and further exploitation.

    CISA has outlined several recommendations to defend against the activity, including terminating all active SSL VPN and administrative sessions, resetting all Fortinet VPN and administrative passwords, especially on internet-facing systems, and enforcing strong password policies. The agency has also emphasized the importance of using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store administrator credentials and removing weaker legacy hashes.

    The impact of FortiBleed extends beyond just technical vulnerabilities, highlighting broader issues related to password hygiene and security best practices. The sweeping campaign underscores the need for organizations to prioritize robust cybersecurity measures, including regularly rotating security credentials, enabling multi-factor authentication (MFA), and implementing robust firewall, VPN, authentication, and domain controller logging.
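One way to use the authentication logs mentioned above to spot the spraying and brute-force pattern this campaign relies on, as an added example that is not code from CISA, Fortinet or the original article. The key=value log format, field names, thresholds and function names are assumptions made for illustration; map them to your own log schema.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def build_sample():
    """Constructed log lines (not real device output; field names are assumptions)."""
    row = "time=2026-06-19T09:{:02d}:{:02d} srcip={} user={} action=login status={}"
    lines = []
    # One failure against each of six accounts, then a success: spraying.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(row.format(0, i, "203.0.113.7", user, "failed"))
    lines.append(row.format(0, 30, "203.0.113.7", "frank", "success"))
    # Twelve failures against a single account: brute force.
    for i in range(12):
        lines.append(row.format(5, i, "198.51.100.9", "admin", "failed"))
    # A user mistyping twice before getting in: must not be flagged.
    for sec, status in [(1, "failed"), (9, "failed"), (20, "success")]:
        lines.append(row.format(7, sec, "192.0.2.44", "grace", status))
    return "\n".join(lines)

def classify_sources(log_text, window=timedelta(minutes=10), min_users=5, min_tries=10):
    """Flag sources whose failures in one window hit many accounts or hammer one."""
    fails, wins = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = dict(FIELD_RE.findall(line))
        if rec.get("action") != "login" or rec.get("status") not in ("failed", "success"):
            continue
        bucket = fails if rec["status"] == "failed" else wins
        bucket[rec["srcip"]].append((datetime.fromisoformat(rec["time"]), rec["user"]))
    report = {}
    for src, events in fails.items():
        events.sort()
        start, verdict = 0, None
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            counts = Counter(user for _, user in events[start:end + 1])
            if len(counts) >= min_users or max(counts.values()) >= min_tries:
                verdict = "spray" if len(counts) >= min_users else "brute-force"
                break
        if verdict:
            # A success from a flagged source after its first failure is a likely compromise.
            hits = sorted({u for t, u in wins.get(src, []) if t >= events[0][0]})
            report[src] = {"verdict": verdict, "accounts_to_reset": hits}
    return report
if __name__ == "__main__":
    print(classify_sources(build_sample()))
```

Any account listed under `accounts_to_reset` logged in successfully from a source that was spraying or brute-forcing, so it is the first candidate for the session termination and password reset steps CISA recommends.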

    Fortinet has responded to the incident by stating that the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory. However, the company has emphasized the importance of following best practices, including regularly rotating security credentials and enabling MFA.

    The FortiBleed incident serves as a stark reminder of the ongoing threat landscape in the cybersecurity world. As organizations continue to face the challenges of an increasingly complex and dynamic threat environment, it is essential that they prioritize robust cybersecurity measures and stay vigilant against emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Warns-Fortinet-Customers-of-FortiBleed-A-Global-Campaign-of-Credential-Stuffing-and-Brute-Force-Attacks-on-Thousands-of-Vulnerable-Devices-ehn.shtml

  • https://thehackernews.com/2026/06/cisa-warns-fortinet-customers-as.html


  • Published: Fri Jun 19 09:57:02 2026 by llama3.2 3B Q4_K_M












