FortiBleed Exposes Global Credential-Spraying Operation
2026-6-20 08:37:49 Author: securityaffairs.com


FortiBleed exposed a massive campaign that made billions of login attempts against Fortinet VPNs, compromising organizations worldwide.

FortiBleed wasn’t a targeted hack. It was a factory. A multi-operator crew ran an industrial-scale attack against Fortinet FortiGate SSL VPN devices worldwide, and security researcher Volodymyr “Bob” Diachenko of SecurityDiscovery.com caught them only because they left their own infrastructure exposed on the open internet in June 2026.

“The crew mass-scans 320,777 FortiGate /remote/login endpoints and more than 247,000 Sophos /userportal endpoints. FortiGate logins are then sprayed with 3,639 base credential pairs across every target, 1.16 billion combinations in total, through a custom tool called forticheck running 25,000 threads.” reads the report published by Ransomnews.

A parallel campaign hit 163,650 MSSQL servers with 2.1 billion attempts at 50,000 threads. That’s not espionage; that’s automation.

Once they got in somewhere useful, they dropped network sniffers to pull cleartext credentials from HTTP, FTP, SMTP, LDAP, and other protocols.

“Once inside reachable infrastructure, the operators drop network sniffers that scrape cleartext credentials out of HTTP, FTP, SMTP, POP3, IMAP, LDAP, SNMP, and Telnet traffic.” states the report. “Intercepted Kerberos and NTLM hashes are shipped to a 45-way NVIDIA RTX 4090 cracking cluster orchestrated through Hashtopolis.”

With cracked credentials in hand, they replayed captured session cookies through OpenConnect to hijack live VPN sessions, then walked straight into Active Directory. Standard looting from there: AD dumps, fileshare exfiltration, Kerberos tickets, Group Policy templates.

The operators aren’t random. They work from Kali Linux virtual machines behind NAT so their command server never touches a victim’s Active Directory directly. Targets are ranked by revenue using open-source intelligence, with a top tier above 113 billion dollars. Multiple operators work the same machines at once, coordinating over shared terminal sessions. The hash-cracking server, tellingly, was left running on default credentials, the same mistake they exploit in victims.

At least four organisations were fully compromised, across Japan, Taiwan, Vietnam, Iraq, and Turkey. The most serious claim involves a Turkish defence contractor with NATO ties whose classified defence documents were exfiltrated. Ransomnews hasn’t independently verified those contents and treats the attribution as the investigator’s assessment, not confirmed fact.

The working dataset covers 73,932 exposed FortiGate devices across 21,613 organisations in 207 countries. India leads on raw volume, and Latin American telecoms carry the densest device fleets. IT services, telecoms, financial services, and government are the most exposed sectors.

“In a random sample of exposed organisations, 88% also appeared in stealer-log or breach data and 38% had staff with active infostealer infections. Around 590 are already named on ransomware leak sites.” concludes the report. “An exposed FortiGate is rarely an isolated problem. It is one visible symptom of an organisation attackers have already found more than once.”

An exposed FortiGate isn’t a standalone problem. It’s a sign that attackers have already found the organisation more than once.

If you run FortiGate, take the management interface and SSL VPN off the public internet wherever possible. Rotate every administrator and local credential, upgrade FortiOS, and invalidate active VPN sessions so replayed cookies stop working. Reset exposed employee credentials too, not just the firewall accounts, because the infostealer overlap is too high to ignore.
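The spray described above (thousands of base credential pairs tried once each across every reachable login endpoint) leaves a distinctive trace in FortiGate SSL VPN event logs: one source failing against many different usernames, or one username failing from many different sources, with very few attempts per account. The following is an added detection example written for this article; it is not code from Security Affairs, Ransomnews or Fortinet. It parses FortiGate-style `key=value` / `key="value"` log lines and flags both patterns. The sample log lines are constructed for illustration and use documentation IP ranges; the field names `action`, `remip` and `user` are assumed to match the FortiGate `type="event" subtype="vpn"` log format, and the thresholds are assumptions to tune per environment.

```python
"""
Spot password-spraying against a FortiGate SSL VPN in its event logs.

Added example for this article (not Fortinet, Ransomnews or Security Affairs
code). Assumes FortiGate key=value log lines carrying action, remip and user.
"""
import re
from collections import defaultdict

# One key=value or key="quoted value" token, as FortiGate writes them.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (documentation IP ranges, fictitious users).
SAMPLE_LOGS = [
    'date=2026-06-19 time=08:00:01 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="alice" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:00:02 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="bob" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:00:03 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="carol" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:00:04 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="dave" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:00:05 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="erin" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:00:06 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="admin" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:01:10 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:01:11 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="admin" reason="sslvpn_login_permission_denied"',
    'date=2026-06-19 time=08:02:30 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="admin" reason="sslvpn_login_permission_denied"',
    # A successful login from a staff workstation; must not count as a failure.
    'date=2026-06-19 time=08:03:00 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login" remip=192.0.2.44 user="frank" reason="N/A"',
]


def parse_fortigate_line(line: str) -> dict:
    """Turn one FortiGate key=value log line into a dict of string fields."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _KV.finditer(line)}


def _failed_logins(lines):
    """Yield (remip, user) for every SSL VPN login failure that has both fields."""
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("action") == "ssl-login-fail" and "remip" in rec and "user" in rec:
            yield rec["remip"], rec["user"]


def spray_sources(lines, min_users=5):
    """Sources whose failures span many accounts: {remip: sorted usernames}.

    A single IP failing against min_users or more distinct accounts is the
    classic spray signature (one guess per account, many accounts).
    """
    users_by_ip = defaultdict(set)
    for ip, user in _failed_logins(lines):
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def sprayed_accounts(lines, min_ips=3):
    """Accounts hit from many sources: {user: sorted source IPs}.

    Catches a distributed spray where each source keeps its per-account
    attempts low but the same account is tried from min_ips or more IPs.
    """
    ips_by_user = defaultdict(set)
    for ip, user in _failed_logins(lines):
        ips_by_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}


def spray_report(lines):
    """Combine both views into one finding dict for a SIEM rule or a cron job."""
    return {"sources": spray_sources(lines), "accounts": sprayed_accounts(lines)}


if __name__ == "__main__":
    for section, hits in spray_report(SAMPLE_LOGS).items():
        print(section)
        for key, values in hits.items():
            print(f"  {key}: {', '.join(values)}")
```

Because the script keys on distinct-user and distinct-source counts rather than raw failure volume, a legitimate user mistyping a password a dozen times does not trigger it, while a 3,639-pair spray across a user list does. Run it over the exported `type="event" subtype="vpn"` logs for a window such as the last hour; any IP that appears in `sources` is a candidate for blocking, and any account in `accounts` is a candidate for the credential reset the article recommends.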

The researchers also released a FortiBleed Checker to allow admins to check their domains.


Pierluigi Paganini

(SecurityAffairs – hacking, FortiBleed)




Source: https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html