Someone is sitting on working admin passwords for roughly 75,000 Fortinet firewalls, about half of every FortiGate facing the internet, spread across 194 countries. The dataset, now going by FortiBleed, was found by researcher Bob Diachenko, who shared it with Ransomnews, and independently confirmed by Kevin Beaumont. Here is the part nobody patching tonight wants to hear: there is no shiny new zero-day behind it. FortiBleed was built out of exported device configs, weak password hashing, and credentials that were already loose. The bug, if you want to call it that, is years of accumulated bad hygiene.
That makes it more dangerous than a single CVE, not less. You cannot patch your way out of a password that is already cracked and sitting in someone’s sales catalog.
What is FortiBleed?
FortiBleed is not a vulnerability with a CVE number. It is a dataset and the campaign behind it. Bob Diachenko found a server sitting open on the internet, stuffed with what looked like valid Fortinet VPN credentials: usernames, email addresses and plaintext passwords for tens of thousands of organisations. He posted about it. Kevin Beaumont, one of the steadier independent voices in network security, pulled the data and confirmed the bad news: it is legit, it covers around 75,000 devices, almost all of them still online, and the data is recent.
Our own parse of the dataset counts 73,932 exposed FortiGate devices across 194 countries and 21,613 domains. The names in it are not small: Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, Chevron, government agencies, critical-infrastructure operators, and Fortinet itself. By Shodan’s count, this is roughly half of every Fortinet firewall currently exposed to the internet. This is not the old 2025 Belsen Group dump of 15,000 devices, which was stale 2022 zero-day data. The IPs are largely different and the data is fresh.
The detail that matters most: the credentials came from exported device configurations, not from sniffing login traffic. As Beaumont put it, the data includes things only visible from the device itself. That points to actual access to these firewalls at some point, which is a very different problem from a list of guessed passwords.
How Bob Diachenko found it
This whole thing started with one researcher noticing an open door. Diachenko did not just find the credential dump; he found the crew's own workspace. Here is how he described the find publicly:
Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action. Thousands of top vendor instances are listed in the files. This one alone has 21,634 domain names, from Chevron to Fortinet itself, all with potentially working passwords to the FortiGate appliances. Crooks use a sophisticated hash-cracking approach to get plaintext passwords from the FortiGate configs and use them for internal network movement and takeover.
Bob Diachenko
Diachenko has worked with Ransomnews and alerts.bar to turn the raw dataset into something defenders can actually use, which is what powers the FortiBleed exposure checker further down this page.
Is FortiBleed a new vulnerability?
No, and that is the point most coverage misses. FortiBleed is a convergence of failures, not a single exploit. Three things stacked up. First, the credentials came out of config exports, which means the attackers had hands-on access to these devices at some stage, most plausibly through one of the many documented Fortinet CVEs that went unpatched. The standout is CVE-2026-24858, a FortiCloud SSO SAML authentication bypass rated up to 9.8, disclosed in January 2026 and already on CISA’s Known Exploited Vulnerabilities list.
Second, the hashing. Fortinet moved to PBKDF2 credential storage in early 2025 firmware, but the stored hash is only converted on devices where an admin actually logged in after applying the update. Plenty of firewalls were still storing admin passwords as salted SHA-256, which is brute-forceable straight out of a stolen config file. Third, recycled credentials. A meaningful share of what the scanner tried was not guessed from scratch; it was pulled from infostealer logs and prior breaches, the same credential supply chain that feeds most intrusions in 2026. Stack those three and you do not need a zero-day. You need patience and GPUs.
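To make the hashing point concrete, here is an added illustration (not Fortinet's code, and not a reproduction of how FortiOS encodes hashes on disk) of why a single salted SHA-256 is cheap to attack offline while PBKDF2 is not: every candidate password an attacker tries against a stolen hash costs one SHA-256 under the legacy scheme and a full iteration loop under PBKDF2. The salt, the sample password and the 600,000 iteration count are all constructed for the example; the iteration count follows current PBKDF2 guidance and is not a documented FortiOS value.

```python
"""Work-factor comparison: salted SHA-256 versus PBKDF2-HMAC-SHA256.

Added illustration, not Fortinet's code. FortiOS's actual on-disk hash
encoding is not reproduced; salt, passwords and iteration count are constructed.
"""
import hashlib
import hmac
import os
import time

# Assumption: an iteration count in line with current PBKDF2 guidance,
# not a value taken from FortiOS.
PBKDF2_ITERATIONS = 600_000


def hash_sha256_salted(password: str, salt: bytes) -> bytes:
    """Legacy scheme: one SHA-256 over salt || password per candidate guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretched scheme: every candidate guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the stored hash."""
    return hmac.compare_digest(stored, candidate)


def seconds_per_guess(hash_fn, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of checking one candidate under the given scheme."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def slowdown_factor(salt: bytes) -> float:
    """How many times more expensive one offline guess becomes under PBKDF2.

    SHA-256 is so cheap that thousands of rounds are needed for a stable timing;
    PBKDF2 at 600k iterations is timed over a handful of rounds.
    """
    sha_cost = seconds_per_guess(hash_sha256_salted, salt, 20_000)
    pbkdf2_cost = seconds_per_guess(hash_pbkdf2, salt, 3)
    return pbkdf2_cost / sha_cost


if __name__ == "__main__":
    salt = os.urandom(16)            # per-device random salt (constructed)
    pw = "Firewall-Admin-2026"       # constructed admin password
    legacy = hash_sha256_salted(pw, salt)
    stretched = hash_pbkdf2(pw, salt)
    assert verify(legacy, hash_sha256_salted(pw, salt))
    assert verify(stretched, hash_pbkdf2(pw, salt))
    assert not verify(stretched, hash_pbkdf2("wrong-guess", salt))
    print(f"one PBKDF2 guess costs roughly {slowdown_factor(salt):,.0f}x one salted SHA-256 guess")
```

The ratio printed at the end is the whole argument in one number: with the legacy hash, a GPU cluster of the kind described later in this article tests candidates at hardware speed; with PBKDF2, each of those candidates is several hundred thousand times more expensive, which is why the re-login that triggers the conversion matters.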
How the crew actually worked
Because Diachenko found their open directory, we have an unusually clear picture of the operation, complete with its own logs. This is a Russian-speaking, multi-operator group, and they were not subtle about volume. Their records show roughly 1.16 billion credential attempts against 320,777 FortiGate targets, plus another 2.1 billion against 163,650 Microsoft SQL Server systems. They intercepted SSL VPN authentication hashes and cracked them on a 45-GPU cluster managed through Hashtopolis.

Once a firewall fell, it became a listening post. The operators watched the traffic passing through it, scraped any fresh credentials that flowed by, and fed those back into the scanner to break into the next batch of devices. That self-feeding loop is why a campaign like this snowballs instead of plateauing. Organisations in Japan, Taiwan, Vietnam, Iraq and Turkey were described as fully compromised, including a Turkish NATO defence contractor that allegedly had classified documents stolen.
It is not a leak, it is a sales catalog
The most telling thing in the dataset is the marketing. Every entry is tagged with the victim’s industry, revenue, employee count and country. That is not how an admin keeps notes. That is how an initial-access broker prices inventory. Beaumont flagged it directly, saying the format is very common in eCrime circles when selling initial access. FortiBleed was not assembled for one crew’s private use. It was built to be sold, or deployed across a team, with the comments on each target reading like a product listing. A working admin password on a firewall is access to the whole network behind it, the ability to change security settings and the ability to plant backdoor admin accounts. Sorted by revenue, that is a catalogue of ransomware on-ramps.
The credential thread we keep pulling
FortiBleed is the same story we document every week from a different angle. The fuel underneath it, logins harvested by infostealers or recycled from old breaches, is the exact supply chain our Stealercheck tool surfaces. The reason a campaign can throw three billion credential attempts at the internet and still win is that an enormous fraction of those credentials are already known. If your firewall admin reused a password that turned up in a stealer log two years ago, FortiBleed did not have to crack anything. It just had to try.
Our FortiBleed checker lets you look up any domain against the dataset, and you can go a layer deeper on alerts.bar, so you can see whether your domain or firewall appears in the leak. You can also check your wider credential exposure with Stealercheck or our guide to dark-web and infostealer monitoring.
What to do if you run a FortiGate
Assume exposure and work from there. The remediation is not exotic, just urgent:
- Rotate every admin and local credential on the device now, and treat the old ones as burned.
- Check the logs for unexpected successful admin logins, new admin accounts, and config changes you did not make.
- Upgrade to the latest FortiOS, then have every admin log back in, which is what actually triggers the PBKDF2 credential-storage upgrade.
- Get the management interface off the public internet. On most compromised devices it was exposed, and there is rarely a good reason for it to be.
- Enforce phishing-resistant multi-factor authentication on every admin account, so a cracked password alone is not enough.
- Check whether your domain appears in the FortiBleed dataset, and monitor for your credentials surfacing in stealer logs going forward.
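The log review in the second step is the one most teams skip because FortiGate event logs are dense. As an added example (not the article's or Fortinet's code), the script below triages a handful of constructed event lines for exactly the three things that step names: successful admin logins from outside the management network, newly created administrator accounts, and other configuration changes to reconcile against your change records. The sample lines approximate the FortiGate key=value event-log layout (fields such as logdesc, user, ui, srcip, action, status, cfgpath, cfgobj) but are constructed, and the management allow-list is an assumption; confirm the field names against a real device's output before relying on the rules.

```python
"""Triage of FortiGate-style event logs for unexpected admin activity.

Added example, not Fortinet's or the article's code. SAMPLE_LOGS are constructed
to approximate the FortiGate key=value event-log layout; field names should be
confirmed against a real device's output. MGMT_ALLOWLIST is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the jump hosts admins are expected to log in from.
MGMT_ALLOWLIST = {ipaddress.ip_network("10.20.0.0/24")}

# Constructed sample lines (documentation address ranges, fictional times).
SAMPLE_LOGS = [
    'date=2026-06-12 time=08:01:14 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 '
    'action="login" status="success" profile="super_admin"',
    'date=2026-06-12 time=03:17:52 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 '
    'action="login" status="success" profile="super_admin"',
    'date=2026-06-12 time=03:19:05 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.77)" action="Add" '
    'cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2026-06-12 time=03:21:40 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.77)" action="Edit" '
    'cfgpath="system.interface" cfgobj="wan1" cfgattr="allowaccess[ping https ssh]" '
    'msg="Edit system.interface wan1"',
    'date=2026-06-12 time=03:25:00 type="event" subtype="system" level="alert" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 '
    'action="login" status="failed"',
]

# key=value pairs; values may be quoted and contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> dict:
    """Split one FortiGate-style log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    detail: str


def _source_ip(ev: dict):
    """Prefer the srcip field; fall back to the address inside ui="https(1.2.3.4)"."""
    if "srcip" in ev:
        return ipaddress.ip_address(ev["srcip"])
    m = re.search(r"\(([^)]+)\)", ev.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def _allowed(ip) -> bool:
    return ip is not None and any(ip in net for net in MGMT_ALLOWLIST)


def triage(lines) -> list:
    """Return one Finding per event that matches the three review rules."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        actor = ev.get("user", "?")
        # Rule 1: successful admin login from outside the management allow-list.
        if ev.get("action") == "login" and ev.get("status") == "success":
            ip = _source_ip(ev)
            if not _allowed(ip):
                findings.append(Finding("admin_login_unexpected_source", actor, f"from {ip}"))
        # Rule 2: a new administrator account was created.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(Finding("new_admin_account", actor, ev.get("cfgobj", "?")))
        # Rule 3: any other configuration change, to reconcile against change records.
        elif ev.get("logdesc") == "Object attribute configured":
            findings.append(Finding("config_change", actor,
                                    f'{ev.get("action")} {ev.get("cfgpath")} {ev.get("cfgobj")}'))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.rule:30s} user={f.actor:10s} {f.detail}")
```

On the constructed sample, the login from the management network produces nothing, the 03:17 login from an unexpected address, the new `support_tmp` admin two minutes later and the interface edit that widens administrative access are each surfaced, and the failed login is left for a separate brute-force rule. Run against a real export, the allow-list and the set of expected admin names are what you would tune first.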
Frequently asked questions
What is FortiBleed?
FortiBleed is the name given to a dataset of cracked administrator credentials for around 75,000 internet-facing Fortinet FortiGate firewalls, roughly half the global exposed fleet, across 194 countries. It was discovered by researcher Bob Diachenko, who shared it with Ransomnews, and independently confirmed by Kevin Beaumont in June 2026.
Is FortiBleed a new zero-day vulnerability?
No. There is no confirmed new vulnerability. The credentials came from exported device configs, weak SHA-256 password hashing on un-upgraded devices, recycled credentials from infostealer logs and old breaches, and unpatched known CVEs such as CVE-2026-24858.
How many firewalls are affected?
Our parse of the dataset counts 73,932 exposed FortiGate devices across 194 countries and 21,613 domains. Kevin Beaumont put the figure at around 75,000 devices, almost all still online, which is roughly half of all Fortinet firewalls currently exposed to the internet.
Which CVE is linked to FortiBleed?
The primary one is CVE-2026-24858, a FortiCloud SSO SAML authentication bypass rated up to 9.8, disclosed in January 2026 and listed on CISA’s Known Exploited Vulnerabilities catalog. How initial access was first obtained on every device is still not fully confirmed.
How do I check if my organisation is affected?
Use the Ransomnews FortiBleed checker to look up your domain, and check your wider exposure through alerts.bar. Treat any FortiGate with an internet-exposed management interface as potentially exposed regardless.
What should I do if my FortiGate is in the data?
Rotate all admin credentials immediately, audit logs for unauthorised admin logins and new accounts, upgrade FortiOS and have admins log back in to trigger the PBKDF2 upgrade, take the management interface off the internet, and enforce multi-factor authentication on all admin users.
Sources and further reading
- Bob Diachenko, original FortiBleed disclosure (LinkedIn)
- Kevin Beaumont, FortiBleed: 75k Fortinet firewalls have admin passwords cracked (DoublePulsar)
- Security Affairs, FortiBleed exposes admin passwords for 75,000 Fortinet firewalls
- Arctic Wolf, Active FortiBleed campaign across 194 countries
Reporting by the Ransomnews Research Team. We do not link to leak sites or reproduce stolen credentials.
