Fortinet says the large-scale credential-harvesting campaign currently targeting its customers’ firewalls and VPNs does not exploit new vulnerabilities.
As part of the campaign, tracked as FortiBleed, threat actors have compiled a database of over 86,000 confirmed working credentials for Fortinet devices in 194 countries.
“Based on our initial analysis, we believe the activity involves threat actors reusing credentials from previous incidents and employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA),” the company says.
The prior incidents Fortinet refers to involved the exploitation of three FortiCloud SSO login authentication bypass security defects: CVE-2026-24858, patched in January, and CVE-2025-59718 and CVE-2025-59719, addressed in December.
“Fortinet provided detailed guidance at the time of these advisories, and we continue to strongly encourage all customers to ensure these remediation steps have been completed,” the company notes.
In March, the vendor warned of threat actors’ use of AI to automate target identification and password spraying in large-scale attacks targeting poorly protected edge devices.
FortiBleed, it notes, leverages the same techniques, not a new Fortinet vulnerability. “This activity is not related to any recent incident or advisory,” Fortinet says.
The company noted that it has identified the potentially compromised systems, started notifying the impacted customers, and has been working with law enforcement to investigate the attacks.
Customers with compromised FortiGate instances are advised to terminate admin and VPN sessions, rotate their credentials, implement MFA on all administrator and VPN user accounts, and upgrade to software releases that support PBKDF2 hashing of administrator credentials.
Additionally, they should review firewall and VPN user accounts and configurations for unauthorized changes, check logs for unexpected admin access, and restrict external management to trusted hosts to reduce attack surface.
Related: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor
Related: Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure
Related: Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Related: Majority of Internet-Accessible REDCap Servers Outdated
