FortiBleed: Hackers Compromise Tens of Thousands of Fortinet Firewalls and VPNs, Reportedly Impacting Comcast, Lenovo, Oracle, More
- Campaign Discovered: A widespread hacking campaign dubbed FortiBleed has compromised tens of thousands of Fortinet firewalls and VPNs worldwide.
- Simple Method: Attackers use automated scanning and previously leaked passwords rather than new vulnerabilities.
- Major Victims: Compromised companies allegedly include Accenture, Comcast, Lenovo, Oracle, and more.
An alleged Russian-speaking group of cybercriminals has compromised tens of thousands of Fortinet firewalls and VPNs used by major companies across the world, according to two cybersecurity firms. The ongoing campaign, dubbed FortiBleed, does not abuse any unknown vulnerability but relies on leaked credentials.
How the FortiBleed Campaign Works
Hackers first use automated tools to scan the internet for exposed Fortinet firewalls and VPNs. They then break into devices using lists of previously known or leaked passwords, most of which originate from infostealer logs. SOCRadar described a self-feeding credential loop.
Once a device is compromised, the hackers “use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by,” SOCRadar recently wrote. “Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself.”
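As an added example (not code from the article, SOCRadar or Hudson Rock), the following Python detector runs over constructed log lines modelled on FortiOS admin-login events and flags the pattern described above: one source cycling through leaked credentials until a login succeeds. The field names (srcip, user, action, status, logdesc) are assumptions about the log format, and every address and username is made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of FortiOS admin-login event logs
# (key=value fields, values optionally quoted). Addresses come from the
# 203.0.113.0/24 documentation range; nothing here is real device data.
SAMPLE_LOGS = """\
date=2026-06-01 time=03:14:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-06-01 time=03:14:03 logdesc="Admin login failed" user="fortinet" srcip=203.0.113.5 ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-06-01 time=03:14:06 logdesc="Admin login failed" user="vpnadmin" srcip=203.0.113.5 ui="https(203.0.113.5)" action="login" status="failed" reason="passwd_invalid"
date=2026-06-01 time=03:14:09 logdesc="Admin login successful" user="vpnadmin" srcip=203.0.113.5 ui="https(203.0.113.5)" action="login" status="success"
date=2026-06-01 time=08:02:11 logdesc="Admin login failed" user="jsmith" srcip=10.0.0.8 ui="https(10.0.0.8)" action="login" status="failed" reason="passwd_invalid"
date=2026-06-01 time=08:02:20 logdesc="Admin login successful" user="jsmith" srcip=10.0.0.8 ui="https(10.0.0.8)" action="login" status="success"
"""

# key=value, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def find_credential_stuffing(log_text, max_failures=3):
    """Flag a source once it reaches max_failures failed admin logins, and
    separately flag any successful login from a source already flagged.
    Returns a list of (kind, srcip, usernames) tuples in log order."""
    fail_count = defaultdict(int)    # srcip -> failed login attempts
    fail_users = defaultdict(set)    # srcip -> usernames tried and failed
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        src, user = ev["srcip"], ev.get("user", "?")
        if ev.get("status") == "failed":
            fail_count[src] += 1
            fail_users[src].add(user)
            if fail_count[src] == max_failures:   # report once per source
                findings.append(("brute_force", src, sorted(fail_users[src])))
        elif ev.get("status") == "success" and fail_count[src] >= max_failures:
            # The loop closed: a guessed or leaked credential worked.
            findings.append(("success_after_brute_force", src, [user]))
    return findings


if __name__ == "__main__":
    for kind, src, users in find_credential_stuffing(SAMPLE_LOGS):
        print(f"{kind}: {src} users={users}")
```

The single jsmith failure from 10.0.0.8 stays below the threshold and is not reported, so the output only lists the external source that exhausted several usernames and then got in.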
Hudson Rock found evidence suggesting threat actors compromised 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains, while SOCRadar puts the total at a minimum of 30,791 devices. Compromised companies allegedly include:
- Accenture
- Comcast
- Foxconn
- Lenovo
- Oracle
- Samsung
- Siemens
- PwC
The most affected countries are India, the U.S., Taiwan, and Mexico. The victim list is heavily concentrated in NATO member countries, suggesting a geopolitical dimension alongside financial motives, according to SOCRadar. The top affected sectors are IT services, construction materials, and telecommunications, with government agencies also among the victims.
Fortinet's Response and Confirmation
Fortinet spokesperson Tiffany Curci said the data is "a resharing of data from previous incidents." The campaign was first reported by security researcher Bob Diachenko, and researcher Kevin Beaumont confirmed the data is "legit."
The problem points to companies failing to rotate firewall passwords or to check whether their credentials are already circulating among attackers. To secure your network against this specific vector, Hudson Rock recommends the following immediate actions:
- Remove FortiOS Management Interface internet exposure.
- Upgrade to the latest FortiOS release and have all admins log back in to force the system to re-hash passwords using the more secure PBKDF2 standard.
- Assume compromise and check for backdoors.
- Enforce strict MFA.
- Monitor for stolen credentials.
In late May, FortiClient Endpoint Management Server (EMS) was exploited via CVE-2026-35616 to deploy the EKZ infostealer.