
In June 2026, the FortiBleed campaign came to light after a dataset containing a large volume of login information associated with Fortinet FortiGate and SSL VPN devices was exposed publicly. The leaked data reportedly included credentials that could be used to access actual devices, including usernames, email addresses, and plaintext passwords.
FortiGate is a security appliance designed to protect the perimeter of enterprise networks through capabilities such as firewalls, SSL VPN, network access control, and intrusion prevention. Because it functions as a gateway connecting external users to internal networks, the compromise of an administrator account or VPN account can expand beyond a single device and lead to internal system access and additional credential collection.
Rather than relying on the exploitation of a single newly disclosed vulnerability, the campaign appears to have focused primarily on reusing previously leaked credentials and validating login access at scale. Some of the data may have originated from FortiGate configuration files, although the initial method used to obtain those configuration files has not been clearly confirmed.
According to BleepingComputer, the FortiBleed dataset contained 73,932 unique firewall URLs and 21,632 unique domains across 194 countries. Verified login information was reportedly confirmed for more than 30,791 devices.
This article examines the characteristics of the FortiBleed leak and its credential collection methods and analyzes how internet-exposed FortiGate interfaces form an external attack surface through Criminal IP Asset Search.
FortiBleed Campaign Overview
| Item | Details |
|---|---|
| Campaign Name | FortiBleed |
| Primary Targets | Internet-exposed Fortinet FortiGate and SSL VPN devices |
| Attack Types | Credential collection, configuration file theft, password hash cracking, and credential reuse |
| Countries Identified | 194 countries |
| Verified Login Information | More than 30,791 devices |
| Scope of Leaked Data | 73,932 unique firewall URLs and 21,632 unique domains |
| Primary Risks | Administrator account compromise, SSL VPN compromise, internal network access, and additional credential collection |
| Primary Mitigations | Restrict external access to management interfaces, reset administrator and VPN accounts, enable MFA, and migrate to PBKDF2 |
FortiBleed differs from a typical vulnerability exploitation campaign centered on a single CVE. According to publicly available analyses, attackers targeted internet-exposed FortiGate and SSL VPN interfaces, tested previously leaked accounts and passwords at scale, and used automated tools to verify whether the credentials could still be used to log in.
The attacker database reportedly contained not only usernames and suspected passwords, but also verified credentials and information such as an organization’s country, industry, and size, which could be used to select targets for follow-up attacks.
Some credentials may also have originated from FortiGate configuration data. Configuration files may contain administrator account settings, password hashes, VPN configurations, and internal network information. Attackers are believed to have used GPU-based cracking infrastructure to recover plaintext passwords from legacy password hashes.
Subsequent analyses also suggested that compromised devices were used as collection points for additional authentication information and that recovered accounts were reused to access other FortiGate devices or internal systems. This demonstrates how one valid credential can create a recurring cycle in which a newly compromised device leads to further credential collection and additional compromise.
Attack Flow: From Internet Scanning to Internal Network Access

The core of the FortiBleed campaign was not the exploitation of a single newly disclosed vulnerability. Instead, attackers identified internet-exposed FortiGate and SSL VPN interfaces, tested previously leaked credentials, selected accounts that were confirmed to work, and used them for follow-up compromise.
In other words, attackers first located login pages that were accessible from the internet and then repeatedly validated credentials through automated login attempts to identify devices that could be accessed.
For example, when a FortiGate login page is directly identifiable from the internet, attackers may be able to validate previously leaked usernames and passwords without exploiting a new vulnerability. These login interfaces become direct attack points for credential stuffing, password reuse testing, and administrator account discovery.
However, the exposure of a login page alone does not prove that the device was included in the FortiBleed dataset or that it was actually compromised. Determining whether a device was affected requires further investigation of administrator login records, configuration file download history, and other signs of abnormal access.
The FortiBleed campaign may follow the attack flow below:
- Identify externally exposed FortiGate devices through internet scanning.
- Automatically test previously leaked usernames and passwords.
- Download system configuration files from devices that can be accessed successfully.
- Extract administrator account hashes and network information from the configuration files.
- Crack legacy password hashes using GPU-based infrastructure.
- Verify whether the recovered accounts can be used to log in.
- Collect additional authentication information and internal network data from compromised devices.
- Use the obtained accounts to access other FortiGate devices or internal systems.
Internet-Exposed FortiGate Assets Identified Through Criminal IP Asset Search
Because the campaign involved testing credentials against internet-accessible FortiGate and SSL VPN interfaces and verifying whether the credentials could be used to log in, it is directly related to external exposure management.
Criminal IP search results should therefore be interpreted not as the number of affected devices, but as the scale of the external attack surface where attackers could attempt similar credential-based attacks.
Search Results for title: FortiGate

title: FortiGate condition in Criminal IP Asset SearchCriminal IP Search Query: title: FortiGate
As of June 18, 2026, Criminal IP Asset Search identified a total of 173,367 externally exposed results related to FortiGate using this query.
The title: FortiGate query searches for services whose HTML page titles contain the string “FortiGate.” It can therefore identify a broad range of FortiGate-related pages, including login pages, SSL VPN portals, web management interfaces, and other related web pages.
These results do not represent the number of unique physical devices. Multiple ports or interfaces from the same device may be collected separately, and it may be difficult to distinguish completely between administrator interfaces and SSL VPN user portals based only on the page title.
Nevertheless, the fact that a FortiGate-related interface can be identified through the page title indicates that an externally accessible attack point exists where login requests can be sent directly and credential validity can be tested.
Search Results for product:”FortiGate”

Criminal IP Search Query: product:”FortiGate”
As of June 18, 2026, this query identified a total of 959 externally exposed results related to FortiGate.
The product: “FortiGate” query searches for services classified as FortiGate based on Criminal IP’s analysis of service banners, HTTP responses, certificates, and product-specific response characteristics.
Compared with title: FortiGate, which searches for a specific string in a page title, this query returns a narrower result set. However, it allows users to focus on services that Criminal IP has identified as FortiGate through its product identification logic.
Search Results for title: FortiGate country: IN

Criminal IP Search Query: title: FortiGate country: IN
As of June 18, 2026, this query identified 16,628 externally exposed FortiGate-related results located in India.
According to The Hacker News, India was identified as one of the countries significantly represented in FortiBleed-related data, particularly among internet-exposed Fortinet deployments in the government sector.
Organizations operating global branches or overseas subsidiaries should review not only the devices managed by headquarters, but also externally exposed assets in local branches, data centers, cloud environments, and legacy VPN gateways.
Even branch devices or legacy VPN gateways deployed many years ago can become targets of the same credential-based attacks when exposed to the internet.
Mitigation
The FortiBleed campaign cannot be addressed by applying a single patch. Organizations must review external exposure, account security, the possibility of configuration file leakage, and FortiOS password storage methods together.
The following items should be prioritized:
- Identify Externally Exposed Management Interfaces: Check whether any FortiGate management interfaces are accessible from the internet. If external management access is not required, disable it immediately.
- Restrict Access to Management Interfaces: Limit access to management interfaces to internal networks, dedicated management networks, VPN connections, or specific trusted IP addresses.
- Reset Administrator and SSL VPN Account Passwords: Reset the passwords of all FortiGate administrator and SSL VPN accounts. Replace them with unique passwords that are not used on any other system.
- Enable Multi-Factor Authentication: Apply MFA to all remote access accounts, including administrator accounts and SSL VPN accounts.
- Remove Unnecessary Accounts: Delete or disable unused administrator accounts, test accounts, accounts belonging to former employees, and accounts that have not been used for an extended period.
- Upgrade FortiOS and Migrate Password Hashes: Upgrade FortiOS to a supported version and change administrator account passwords or require administrators to log in after the upgrade so that passwords are stored using a PBKDF2-based method.
- Review Legacy Password Hashes: In FortiOS 7.2.x and 7.4.x environments, verify that legacy SHA-256 password hashes do not remain. Review password policies and settings that block weakly encrypted logins.
- Review Configuration File Downloads and Login Records: Review system configuration file download history and administrator login records. Focus on access from unusual countries or IP addresses, logins at abnormal times, and activity associated with unknown administrator accounts.
- Check for Unauthorized Configuration Changes: Review firewall policies, VPN settings, administrator accounts, local users, authentication servers, and routing configurations for unauthorized changes.
- Replace Sensitive Information Contained in Configuration Files: If there are signs that a configuration file may have been exposed, replace not only administrator passwords but also all sensitive information that may be contained in the file, including VPN pre-shared keys, API keys, and authentication server credentials.
- Conduct an Incident Investigation: When compromise is suspected, changing passwords alone is not sufficient. Conduct an incident investigation covering the full device configuration, administrator activity logs, VPN access records, and policy change history.
FAQ
Q1. If a FortiGate device appears in Criminal IP, does that mean it is affected by FortiBleed?
Not necessarily. Criminal IP search results represent assets whose products or login interfaces can be identified externally.
Determining whether a device was actually affected by FortiBleed requires additional verification of credential exposure, configuration file download records, administrator login history, FortiOS versions, and password hash storage methods.
However, the fact that a FortiGate device can be identified from the internet means that an attack point exists where attackers may attempt credential stuffing or login attempts.
Q2. Is upgrading to the latest FortiOS version sufficient?
A version upgrade alone may not be sufficient.
If existing administrator account password hashes remain in the legacy SHA-256 format, they may still remain in the configuration file after the upgrade. After upgrading, administrators should change their passwords or log in to ensure that the hashes have been migrated to the PBKDF2-based format.
If configuration files may have been exposed in the past, all related passwords and keys should also be replaced.
Q3. Is the environment safe if only SSL VPN is externally exposed and the administrator page is blocked?
Blocking external access to the administrator interface is an important measure, but SSL VPN accounts can also be targeted by the FortiBleed campaign.
If VPN accounts use leaked or reused passwords, attackers may be able to log in as legitimate users. MFA should therefore be enabled for SSL VPN accounts, unused accounts should be removed, and abnormal login activity should be reviewed.
Conclusion
The FortiBleed campaign shows that internet exposure and weak credential management can lead to large-scale compromise even without a newly disclosed vulnerability. Attackers identified exposed FortiGate devices and used previously leaked passwords and administrator account hashes extracted from configuration files to obtain valid login credentials. Verified credentials have been identified for more than 30,000 devices across 194 countries, with the total potential impact estimated at approximately 75,000 devices.
Organizations should review their entire external asset inventory, including overseas branches, cloud environments, development and test systems, legacy devices, and former VPN gateways. Key measures include restricting management access, resetting accounts, enabling MFA, migrating password hashes to PBKDF2, and investigating possible configuration file exposure.
In relation to this, you can refer to CVE-2026-35616: Exploitation Trends and Exposure Analysis of Fortinet FortiClient EMS
You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo using the button below and explore Criminal IP’s threat intelligence (TI) analysis of externally exposed assets at the enterprise level.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP(https://www.criminalip.io/), The Hacker News(https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html), Bleeping Computer(https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/)
Related Article: https://www.criminalip.io/knowledge-hub/blog/34240
