Ethical Hacking News

CISA Warns of Active Exploitation Following FortiBleed Leak: A Global Credential-Spraying Operation

A global credential-spraying operation using compromised credentials for approximately 74,000 Fortinet firewalls and VPN gateways has been exposed. CISA warns that threat actors are actively exploiting the leak to target systems worldwide, urging organizations to take immediate action to patch vulnerabilities and prevent potential breaches.



  • CISA has issued a warning about active exploitation following the leak of credentials for approximately 74,000 Fortinet firewalls and VPN gateways.
  • The leaked credentials were made public by security researcher Bob Diachenko, who found an open server containing the stolen data.
  • Almost all affected devices are still online, and the data appears to have come from exported device configurations rather than a simple credential scrape.
  • CISA has issued instructions for organizations running Fortinet equipment, urging them to take immediate action to patch vulnerabilities and prevent potential breaches.
  • The dataset also includes business intelligence on the affected companies, in the format typically used when selling initial access in criminal markets.



CISA (Cybersecurity and Infrastructure Security Agency) has issued a warning about active exploitation following the leak of credentials for approximately 74,000 Fortinet firewalls and VPN gateways, known as FortiBleed. The leak was made public by security researcher Bob Diachenko, who found a server sitting open on the internet containing leaked credentials, including usernames, email addresses, and plaintext passwords for tens of thousands of organizations.

According to Kevin Beaumont, one of the most trusted independent voices in network security, the data is legitimate and relates to around 75k devices, almost all of which are still online and all of which are Fortinet devices. The data appears to have come from exported device configurations rather than a simple credential scrape. This distinction points toward actual device access at some point, whether through one of the many documented Fortinet CVEs or something new.

Beaumont also confirmed that the data is formatted in a way that looks like the work of an eCrime gang: it lists the type of company, its revenue, and its country, a format common in eCrime circles when selling initial access information. The attackers reportedly intercepted SSL VPN authentication hashes and cracked them using a 45-GPU cluster managed through Hashtopolis.

Each entry in this business intelligence layer includes the company's industry, revenue, employee count, and country. With valid firewall credentials in hand, an attacker can log in remotely, gain access to the firewall and therefore the network behind it, change security settings, and create backdoor admin accounts.

CISA has issued instructions for organizations running Fortinet equipment, urging them to terminate all active SSL VPN and administrative sessions immediately, reset every VPN and administrative password, enable phishing-resistant multi-factor authentication on all admin interfaces, and review logs for unauthorized access or lateral movement. It also recommends upgrading to the latest FortiOS release and removing the FortiOS management interface from public internet access unless absolutely necessary.

The warning follows an emergency alert issued by CISA after reports surfaced that malicious cyber actors were using the compromised credentials to target internet-accessible Fortinet devices across government and private-sector organizations worldwide.

The FortiBleed leak has been described as a global credential-spraying operation, with attackers conducting approximately 1.16 billion credential attempts against 320,777 FortiGate targets, plus 2.1 billion attempts against 163,650 Microsoft SQL Server systems.
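CISA's advice to review logs for unauthorized access, combined with the spraying pattern just described, can be turned into a simple detection. The following Python is an added example, not code from the article or from Fortinet: it parses constructed FortiOS-style key=value SSL VPN event lines (the field names subtype, action, remip and user are assumptions modelled on FortiOS logs) and flags source IPs that walked through many distinct usernames, reporting any login that succeeded from such a source.

```python
"""Flag credential-spraying sources in FortiOS-style SSL VPN event logs (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in FortiOS key=value style. The field names
# (subtype, action, remip, user) are assumptions modelled on FortiOS SSL VPN
# event logs, not output captured from a real device.
SAMPLE_LOGS = """\
date=2026-06-19 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice"
date=2026-06-19 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2026-06-19 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol"
date=2026-06-19 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="dave"
date=2026-06-19 time=10:00:05 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="erin"
date=2026-06-19 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="alice"
date=2026-06-19 time=10:05:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.9 user="alice"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_spray(log_text, min_users=4):
    """For each source IP that tried at least min_users distinct usernames, return
    the number of usernames, the number of failed logins, and the users that got
    a tunnel up. One user failing and then succeeding is normal; one IP walking
    through many accounts is the spraying pattern, and a success from such an IP
    is a likely use of a leaked credential that warrants immediate review."""
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue  # not an SSL VPN event this detector understands
        entry = per_ip[rec["remip"]]
        entry["users"].add(rec.get("user", "?"))
        if rec.get("action") == "ssl-login-fail":
            entry["failures"] += 1
        elif rec.get("action") == "tunnel-up":
            entry["successes"].append(rec.get("user", "?"))
    return {
        ip: {"users": len(e["users"]), "failures": e["failures"], "successes": e["successes"]}
        for ip, e in per_ip.items()
        if len(e["users"]) >= min_users
    }


if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_LOGS).items():
        print(f"{ip}: {hit['users']} usernames, {hit['failures']} failures, "
              f"successful logins: {hit['successes'] or 'none'}")
```

On the constructed sample the only flagged source is 203.0.113.7, which tried five accounts and got a tunnel up as "erin"; the second IP is a single user retrying and is not reported.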

The dataset covers roughly 50% of all Fortinet firewall devices currently facing the internet. In a majority of cases, the FortiGate management interface is exposed to the internet on impacted devices. The data includes 73,932 unique firewall URLs spanning 194 countries and 21,632 unique domains. Names appearing in the dataset include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and numerous government agencies and critical infrastructure operators.

The attackers may have left behind an open directory containing their own tooling, scripts, connection strings, logs, and analytics, which suggests a Russian-speaking multi-operator threat group conducted the attacks.

In conclusion, CISA's warning highlights the importance of keeping software up to date and securing devices against exploitation. Organizations running Fortinet equipment must take immediate action to patch vulnerabilities and prevent potential breaches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Warns-of-Active-Exploitation-Following-FortiBleed-Leak-A-Global-Credential-Spraying-Operation-ehn.shtml

  • https://securityaffairs.com/193902/hacking/cisa-warns-of-active-exploitation-following-fortibleed-leak.html


  • Published: Sat Jun 20 05:11:47 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.