FortiBleed Campaign Compromises Thousands of Fortinet Firewalls Worldwide
A large-scale cyberattack dubbed FortiBleed has compromised tens of thousands of Fortinet firewalls and VPN devices used by organizations worldwide, according to cybersecurity firms Hudson Rock and SOCRadar.
Unlike many recent attacks targeting network infrastructure, the campaign does not appear to rely on a new software vulnerability. Instead, attackers are exploiting weak security practices, including reused passwords and credentials that were previously exposed in data breaches.
According to the researchers, attackers first scan the internet for publicly accessible Fortinet devices. They then use databases of leaked credentials to gain unauthorized access to firewalls and VPN gateways.
Once inside a system, attackers monitor network traffic and collect additional usernames and passwords. Those newly obtained credentials are then used to compromise more devices, creating a self-sustaining attack cycle.
SOCRadar described the operation as a continuously expanding campaign where stolen credentials are repeatedly reused to breach new targets.
Fortinet acknowledged the reports and said it is aware of a credential-harvesting campaign targeting its products. The company stated that its analysis indicates the activity is linked to previously exposed credentials and password brute-force attempts rather than any newly discovered vulnerability.
The scale of the campaign remains significant. Hudson Rock reported evidence suggesting more than 73,000 unique Fortinet-related URLs may have been compromised. SOCRadar estimated that more than 30,000 devices have been affected.
Researchers said organizations allegedly impacted include major global companies such as Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC. However, several of the named organizations have not publicly confirmed any compromise.
The countries with the highest number of affected devices reportedly include India, the United States, Taiwan, and Mexico. Victims span multiple sectors, including IT services, telecommunications, construction materials, and government agencies.
The campaign was first highlighted by security researcher Bob Diachenko. Independent researcher Kevin Beaumont later analyzed the leaked data and said the information appeared legitimate.
The incident highlights a growing cybersecurity problem. While many organizations focus on software vulnerabilities, attackers are increasingly succeeding through simpler methods such as credential theft, password reuse, and poor account security.
Security experts recommend that organizations using Fortinet devices immediately reset credentials, enable multi-factor authentication, review exposed internet-facing systems, and monitor for signs of unauthorized access.
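Monitoring for unauthorized access can start with the pattern the researchers describe: one source address failing against several usernames from a credential list and then logging in successfully. The sketch below is an added example, not code from the article, the researchers, or Fortinet; the log lines are constructed, and the key=value field names (time, srcip, user, action, status) are assumptions rather than an exact vendor log schema.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a generic key=value layout. Field names are
# assumptions for illustration, not an exact vendor log schema.
SAMPLE_LOG = """\
time="2025-01-10 02:14:01" srcip=203.0.113.7 user="jsmith" action=login status=failed
time="2025-01-10 02:14:09" srcip=203.0.113.7 user="adavis" action=login status=failed
time="2025-01-10 02:14:30" srcip=198.51.100.20 user="kpatel" action=login status=failed
time="2025-01-10 02:14:41" srcip=203.0.113.7 user="mlee" action=login status=failed
time="2025-01-10 02:14:52" srcip=198.51.100.20 user="kpatel" action=login status=success
time="2025-01-10 02:15:10" srcip=203.0.113.7 user="svc-backup" action=login status=success
time="2025-01-10 08:30:00" srcip=192.0.2.44 user="adavis" action=login status=success
"""

def parse(line):
    """Split one key=value line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def find_stuffing_successes(log_text, min_users=3, window=timedelta(minutes=10)):
    """Return (srcip, user, time) for each successful login that follows,
    within `window`, failed logins against at least `min_users` distinct
    usernames from the same source address. Assumes chronological input."""
    failures = defaultdict(list)  # srcip -> [(timestamp, username)]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev.get("action") != "login":
            continue
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        src, user = ev["srcip"], ev["user"]
        if ev["status"] == "failed":
            failures[src].append((ts, user))
        elif ev["status"] == "success":
            recent = {u for t, u in failures[src]
                      if timedelta(0) <= ts - t <= window}
            if len(recent) >= min_users:
                hits.append((src, user, ev["time"]))
    return hits

if __name__ == "__main__":
    print(find_stuffing_successes(SAMPLE_LOG))
```

A leaked password that works on the first attempt produces no failures, so this check should be paired with review of successful logins from source addresses the account has not used before.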