FortiBleed: How a Credential-Stuffing IAB Probed 430,000 FortiGate Firewalls
A financially motivated initial access broker has been running brute-force and credential-stuffing attacks against internet-exposed FortiGate appliances since February 2026 — and the TTPs are textbook, repeatable, and preventable.

A credential-harvesting operation researchers call FortiBleed has actively targeted more than 430,000 FortiGate firewalls since February 2026, with analysts attributing the campaign with medium confidence to a Russian-speaking initial access broker (IAB) driven by profit rather than state objectives.
What FortiBleed Is — and What It Isn't
The actor profile matters here. Initial access brokers don't operate like espionage crews. They don't linger quietly in network shadows hunting classified data. They find a working foothold, document it, and sell it — typically to ransomware affiliates who then do the destructive work. That commercial model puts FortiBleed closer in character to financially motivated access-broker clusters documented throughout 2024 and 2025 than to nation-state actors like Sandworm or APT28, even if the victim lists eventually overlap.
The campaign is unglamorous and effective. Researchers describe a three-stage chain: aggregating credential data from prior breach dumps and infostealer logs, fingerprinting internet-exposed FortiGate management interfaces and SSL-VPN portals, then running automated brute-force and credential-stuffing attempts against anything that responds. When a login succeeds, the operator drops a bespoke post-exploitation toolkit to maintain persistence and begin lateral movement into the broader network.
This TTP pattern is not new. Nearly identical credential-stuffing pipelines have been documented against Cisco ASA, SonicWall, and Ivanti Connect Secure devices throughout the past two years. The technique is well-tuned rather than inventive — and it works precisely because perimeter devices frequently sit exposed to the internet, lack MFA on local admin accounts, and run outdated firmware.
Reading the Numbers Carefully
The 430,000 figure describes the population of appliances the actor probed or interacted with, not the count of confirmed compromises. That distinction is critical for defenders doing risk assessments. The number of successful credential validations against exposed SSL-VPN portals is a meaningfully smaller subset of that figure.
Similarly, the 110 million credentials cited in connection with this campaign appear to represent input wordlists — the raw fuel for stuffing attacks — rather than a confirmed count of valid credential pairs extracted from FortiGate devices. The Verizon 2024 Data Breach Investigations Report found that stolen credentials remain the single most common attack vector in breaches, involved in 31% of all incidents analyzed. FortiBleed is a textbook illustration of exactly that pattern at industrial scale.
As of publication, Fortinet has not released an advisory linking specific CVEs to FortiBleed activity. Current evidence points to credential abuse rather than zero-day exploitation. This is an authentication problem before it is a vulnerability problem.
Which Controls Failed
The root cause here is not a software flaw. It is the persistent gap between authentication policy and authentication reality on edge devices.
FortiGate appliances sitting with internet-reachable management consoles or SSL-VPN portals and no MFA enforced are, operationally, open doors. IABs know this. They have industrialized the process of finding those doors. The actor behind FortiBleed didn't need a zero-day because a large fraction of the target population authenticated with username-and-password combinations that appeared in prior stealer logs — combinations that administrators had never rotated.
This points to a second failure: credential hygiene at the organizational level. Many enterprise teams rotate domain user passwords but neglect network appliance local admin accounts. Those accounts live outside Active Directory, outside identity governance tooling, and outside most organizations' breach-monitoring programs. A credential that leaked in a 2023 infostealer campaign may still be valid on a FortiGate in 2026 if nobody checked.
Organizations that train employees to recognize phishing and report suspicious emails — a critical layer — still need parallel programs covering infrastructure administrators, whose credentials represent equally high-value targets for IABs. Embedding that awareness into periodic training cycles is one of the few controls that scales across device classes without requiring a firmware update. If your team hasn't reviewed security awareness training options recently, FortiBleed is a reasonable prompt to do so.
What Defenders Should Do Now
Fortinet administrators should treat this as an active authentication incident until proven otherwise. Pull authentication logs back to February 2026. Look for high-volume failed login attempts from a single autonomous system number followed by a single successful login — that pattern is a credential-stuffing signature. Check for unexpected admin accounts, configuration changes made outside change-control windows, and any outbound connections from the firewall to unfamiliar external hosts.
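As an added illustration of the log pattern just described (not code from the original article), here is a small Python detector that flags a burst of failed logins from one source followed by a success. The sample lines are constructed to resemble FortiGate's key=value event-log style, the field names are an assumption, and grouping is by source IP rather than by ASN.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate's key=value event-log style; the field
# names (action, status, user, srcip) are an assumption, not a captured log.
SAMPLE_LOG = """\
date=2026-02-14 time=10:21:33 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 reason="passwd_invalid"
date=2026-02-14 time=10:21:34 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 reason="passwd_invalid"
date=2026-02-14 time=10:21:35 type="event" subtype="system" action="login" status="failed" user="fortinet" srcip=203.0.113.5 reason="passwd_invalid"
date=2026-02-14 time=10:21:36 type="event" subtype="system" action="login" status="failed" user="vpnuser" srcip=203.0.113.5 reason="passwd_invalid"
date=2026-02-14 time=10:21:40 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.5
date=2026-02-14 time=11:02:10 type="event" subtype="system" action="login" status="failed" user="jsmith" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-02-14 time=11:02:30 type="event" subtype="system" action="login" status="success" user="jsmith" srcip=198.51.100.7
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes and adding a timestamp."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev

def find_stuffing(log_text, min_failures=3, window_seconds=600):
    """Flag each source with at least min_failures failed logins (against any
    user) inside the sliding window followed by a successful login. Grouping is
    by source IP; the per-ASN view needs an external IP-to-ASN lookup on top."""
    recent = defaultdict(list)  # srcip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        src, ts = ev["srcip"], ev["ts"]
        # Expire failures that fell out of the sliding window
        recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_seconds]
        if ev.get("status") == "failed":
            recent[src].append(ts)
        elif ev.get("status") == "success" and len(recent[src]) >= min_failures:
            alerts.append({"srcip": src, "user": ev["user"],
                           "failures": len(recent[src]), "at": ev["time"]})
            recent[src].clear()
    return alerts

if __name__ == "__main__":
    for a in find_stuffing(SAMPLE_LOG):
        print(f"ALERT {a['srcip']}: {a['failures']} failed logins then success as {a['user']} at {a['at']}")
```

The second source (one failure, then success) is ordinary user behaviour and is not flagged; tune min_failures and the window to your own baseline.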
Five priority actions stand out:
- Enable MFA on every admin account and VPN user — local accounts included, not just accounts federated to your identity provider.
- Rotate any credential that has ever appeared in a known breach or stealer-log dump. Tools like CISA's Known Exploited Vulnerabilities catalog and Have I Been Pwned's domain search can help scope exposure.
- Restrict management interface access to dedicated out-of-band management networks. If the management plane is reachable from the public internet, the attack surface is enormous.
- Audit firmware versions and apply available Fortinet security patches. Even if FortiBleed itself is credential-based, unpatched devices in the same inventory are targets for follow-on exploitation once an IAB sells access.
- Geo-fence SSL-VPN access where operational requirements allow. Blocking authentication attempts originating from regions with no legitimate user base eliminates a significant portion of IAB infrastructure.
Attribution Caveats
Assigning this campaign to a Russian-speaking IAB rests on language artifacts found in toolkit components and infrastructure overlap with previously documented clusters. That is thin evidentiary ground on its own. Until a vendor publishes a formal named-cluster analysis with reproducible infrastructure indicators, treat the actor profile as provisional. The TTPs — stealer-log aggregation, edge-device password spraying, post-exploitation persistence — are the actionable intelligence. Focus there.
Organizations that want to assess their own exposure should benchmark current controls against NIST and industry frameworks and consider whether authentication policy on network infrastructure has kept pace with the rest of the security program. It frequently hasn't.
How credential stuffing against FortiGate could have been stopped
- Enforce MFA on all FortiGate admin and SSL-VPN accounts — including local accounts outside your identity provider.
- Audit credentials against known breach and infostealer databases and rotate any matches immediately.
- Train infrastructure administrators to recognize credential-exposure risks just as end users are trained to spot phishing.
Train2Secure's security awareness programs cover credential hygiene and phishing defense for both end users and the IT staff whose accounts IABs actively hunt.
Frequently asked questions
How many FortiGate firewalls were affected by FortiBleed?
Researchers tracked the campaign touching more than 430,000 FortiGate appliances since February 2026. That figure represents the population probed or interacted with, not a confirmed count of fully compromised devices.
Is FortiBleed exploiting a known CVE or zero-day vulnerability?
Current evidence points to credential abuse — brute-force and credential-stuffing attacks — rather than exploitation of a software vulnerability. Fortinet had not published an advisory linking specific CVEs to this activity at the time of writing.
What is an initial access broker and why does it matter for this incident?
An initial access broker is a threat actor who gains a foothold in target networks and sells that access, typically to ransomware affiliates. The FortiBleed operator appears to follow this model, meaning compromised FortiGate access could be auctioned and used for follow-on ransomware or espionage attacks by separate groups.
What is the single most important control to stop credential-stuffing attacks on FortiGate devices?
Enforcing multi-factor authentication on all administrative accounts and VPN user accounts eliminates the core attack vector. Even a valid credential pair from a stealer log cannot complete authentication if a second factor is required.