FortiBleed: You Can’t Patch Your Way Out of This
A multi-phase campaign, dubbed FortiBleed, has cracked administrative credentials on roughly half of the world’s internet-facing FortiGate firewalls. Because the persistence sits below the operating system, patching alone will not remove every threat. The campaign, disclosed on June 17, 2026, by researcher Bob Diachenko and corroborated by Kevin Beaumont and Hudson Rock, covers 73,932 FortiGate firewall URLs across 194 countries and 21,632 domains, a count that matches about 50 percent of the internet-facing Fortinet firewalls visible in Shodan. This is not a single CVE but an industrialized, self-feeding credential operation. Hudson Rock confirmed that the downstream impact already includes lateral movement into Active Directory across multiple countries and the exfiltration of classified documents from a NATO defense contractor in Turkey.
The campaign runs in phases. The credential-sourcing phase drew from two separate pools: historical Fortinet-specific leaks tied to CVE-2018-13379 and the Belsen Group dump of data harvested in 2022, and infostealer logs. Hudson Rock confirmed that high-entropy credentials showed up verbatim because they had been keylogged off an infected workstation rather than guessed. The validation phase ran roughly 1.16 billion authentication attempts against more than 320,000 FortiGate targets. For targets that did not fall to known credentials, operators intercepted SSL VPN authentication hashes and cracked them offline on a 45-GPU Hashtopolis cluster. Fortinet migrated administrative credential storage from salted SHA-256 to PBKDF2 starting in FortiOS 7.2.11, 7.4.8, and 7.6.1 in early 2025. The migration, however, only happens when an admin logs in after the upgrade, so a patched device on which no administrator has logged in since can still hold its hash in the older, far cheaper to crack SHA-256 format in a hidden old-password field. Until that login occurs the device is running fixed code while protecting the credential with the old hash, so rotate every admin password after upgrading rather than waiting for the migration to trigger.
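The following is an added illustration, not code from the article or from Fortinet, of the two points above: why the move from salted SHA-256 to PBKDF2 changes the economics of the offline cracking phase, and why that migration can only happen at a successful login. Both hash constructions, the fixed salt, the iteration count and the candidate wordlist are constructed for the example and are not Fortinet's on-device formats or any real leaked data.

```python
"""Added illustration, not code from the article or from Fortinet.

Assumptions: both hash schemes, the 16-byte salt, the iteration count and the
wordlist are constructed for this example, not FortiOS's real on-device format.
"""
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor; FortiOS's real value is not known here


def sha256_salted(password: str, salt: bytes) -> bytes:
    """Pre-migration style: one SHA-256 pass per guess, trivially GPU-parallel."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Post-migration style: every guess costs `iterations` HMAC-SHA256 passes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(stored: bytes, salt: bytes, wordlist, hasher):
    """Offline dictionary attack against one stored hash.

    Returns (recovered password or None, guesses tried, seconds spent)."""
    start = time.perf_counter()
    for tried, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(hasher(guess, salt), stored):
            return guess, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


# Constructed candidate list standing in for a leak-derived wordlist.
WORDLIST = ["password", "fortinet", "Welcome1", "admin123", "Summer2025!",
            "changeme", "Passw0rd!", "fortigate", "Admin!2025", "F0rtiG@te"]
SALT = b"\x01" * 16  # fixed so the example is deterministic


def compare_cost(password: str = "Admin!2025", salt: bytes = SALT) -> dict:
    """Crack the same password under both schemes and report the slowdown."""
    found_old, n_old, t_old = crack(sha256_salted(password, salt), salt, WORDLIST, sha256_salted)
    found_new, n_new, t_new = crack(pbkdf2(password, salt), salt, WORDLIST, pbkdf2)
    return {
        "sha256_recovered": found_old, "pbkdf2_recovered": found_new,
        "guesses": n_old, "sha256_seconds": t_old, "pbkdf2_seconds": t_new,
        # Same wordlist, same hit; only the per-guess work factor changed.
        "slowdown": t_new / t_old if t_old > 0 else float("inf"),
    }


def verify_and_migrate(record: dict, password: str) -> tuple:
    """Check a login and, only when it succeeds, re-hash under PBKDF2.

    Re-hashing needs the plaintext, which the device only sees at login; that is
    why a firmware upgrade alone leaves a not-yet-logged-in account on the old hash."""
    if record["scheme"] == "sha256":
        if hmac.compare_digest(sha256_salted(password, record["salt"]), record["hash"]):
            return True, {"scheme": "pbkdf2", "salt": record["salt"],
                          "hash": pbkdf2(password, record["salt"])}
        return False, record
    return hmac.compare_digest(pbkdf2(password, record["salt"]), record["hash"]), record


def stale_accounts(records: dict) -> list:
    """Accounts still stored under the cheap pre-migration scheme: rotate these."""
    return sorted(name for name, rec in records.items() if rec["scheme"] == "sha256")


if __name__ == "__main__":
    r = compare_cost()
    print(f"sha256: {r['sha256_recovered']} in {r['sha256_seconds']:.6f}s; "
          f"pbkdf2: {r['pbkdf2_recovered']} in {r['pbkdf2_seconds']:.3f}s; "
          f"slowdown x{r['slowdown']:.0f}")
    # Constructed account store: both admins were created before the "upgrade".
    store = {"admin": {"scheme": "sha256", "salt": SALT, "hash": sha256_salted("Admin!2025", SALT)},
             "backup": {"scheme": "sha256", "salt": SALT, "hash": sha256_salted("F0rtiG@te", SALT)}}
    ok, store["admin"] = verify_and_migrate(store["admin"], "Admin!2025")  # only admin logs in
    print("still on old hash after one login:", stale_accounts(store))
```

The dictionary attack finds the same password with the same number of guesses under both schemes; what changes is the cost per guess, which is the only lever a defender has against a cracking cluster. The second half shows that `stale_accounts` still lists `backup` after `admin` has logged in, which is the state the paragraph above describes on a patched but not fully migrated device.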
After compromise, a FortiGate is turned into a passive network sniffer that quietly harvests internal authentication traffic, VPN user credentials, LDAP and RADIUS bind requests, and application logins, and feeds it all straight back into the credential pool. Operators install implants and plant symlinks that survive both reboots and firmware upgrades; in the technique Fortinet described in April 2025, a symbolic link placed in the folder that serves SSL-VPN language files connects the user filesystem to the root filesystem, so device files, including the configuration, stay readable after the vulnerability used for initial entry has been closed. They also create new super-admin accounts, new SSL VPN accounts, and new VPN tunnels. Arctic Wolf confirmed full network compromises with lateral movement into Active Directory. FortiBleed is powered by years of FortiOS and Fortinet platform vulnerabilities chained together, not by a single bug.
A FortiGate is a closed appliance, so your EDR and XDR have no presence on it. The persistence that defines FortiBleed (the implant, the hidden symlink, the rogue super-admin account, the SHA-256 hash in the old-password field) lives nowhere in the version string. A device can report itself as fully patched and still carry every artifact of compromise: the patch closes the door the attacker walked through without touching the attacker already inside. For these symlink-persistence cases a clean rebuild, not a patch alone, is the recommended remedy. FortiGuard shipped AV and IPS signatures specifically to remove the symlink artifacts left by the SSL-VPN exploitation chain. The affected builds for the symlink persistence vector are FortiOS 6.4.x before 6.4.16, 7.0.x before 7.0.17, 7.2.x before 7.2.11, 7.4.x before 7.4.7, and 7.6.x before 7.6.2; devices that were never configured for SSL-VPN were not exposed to this particular vector. Upgrading to a fixed build closes the vector for new infections and, together with the FortiGuard signatures, clears the known symlink, but it does nothing about the rogue accounts, tunnels and implants already in place.
Organizations must treat any FortiGate that was internet-exposed during this campaign as suspect rather than clean. Key actions: inventory by exposure (identify every device whose management interface or SSL VPN is reachable from the internet); check your domains against the Hudson Rock lookup; hunt for persistence below the OS, looking for symlinks in /data/etc/ and /data/lib/ that point at credential and configuration files, unexpected packet-capture processes, and outbound connections originating from the management plane; and audit credential storage by exporting the full configuration as super_admin, reviewing every administrator, local VPN user and VPN tunnel against a known-good baseline, and rotating any admin credential that predates the upgrade, since the PBKDF2 migration only happens at the next login.
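As an added example of the configuration audit step (not code from the article, from Fortinet or from any of the named researchers), the script below parses a FortiOS text export, the kind produced by a configuration backup taken as super_admin, and flags the artifacts the campaign leaves behind: super_admin accounts outside a known-good list, admins with no trusthost restriction, local users and IPsec phase1 tunnels that are not in the baseline. The parser handles only the config/edit/set/unset/next/end structure of a FortiOS export; the sample export and the baseline are constructed, and every hostname, user and address in them is fictitious.

```python
"""Added example, not code from the article or Fortinet. Assumptions: the
parser covers the config/edit/set/unset/next/end structure of a FortiOS text
export; SAMPLE_CONFIG and BASELINE are constructed, not from any real device."""
import shlex


def parse_fortios_config(text: str) -> dict:
    """Parse the nested config/edit/set/next/end structure into dicts.

    A `config a b` section becomes key "a b"; each `edit "name"` becomes a nested
    dict of its `set` values; a `config` block inside an entry nests one level deeper."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skips the #config-version header too
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif kw == "unset":
            stack[-1].pop(tokens[1], None)
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks in export")
    return root


def audit(config: dict, baseline: dict) -> list:
    """Return (finding, subject) pairs for everything outside the baseline."""
    findings = []
    for name, attrs in config.get("system admin", {}).items():
        if attrs.get("accprofile") == "super_admin" and name not in baseline["super_admins"]:
            findings.append(("rogue super_admin", name))
        # Assumption: trusthostN lines appear in an export only when set, so an
        # admin with none can authenticate from any source address.
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(("admin without trusthost", name))
    for name in config.get("user local", {}):
        if name not in baseline["vpn_users"]:
            findings.append(("unexpected local user", name))
    for name, attrs in config.get("vpn ipsec phase1-interface", {}).items():
        if name not in baseline["ipsec_tunnels"]:
            findings.append(("unexpected IPsec tunnel", f"{name} -> {attrs.get('remote-gw', '?')}"))
    return findings


# Constructed export fragment; the ENC values are base64 of "constructed", not real hashes.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        config ipv6
            set ip6-mode static
        end
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC Y29uc3RydWN0ZWQ=
    next
    edit "sslvpn_support"
        set accprofile "super_admin"
        set password ENC Y29uc3RydWN0ZWQ=
    next
end
config user local
    edit "vpnuser1"
        set passwd ENC Y29uc3RydWN0ZWQ=
    next
    edit "svc_backup"
        set passwd ENC Y29uc3RydWN0ZWQ=
    next
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set remote-gw 198.51.100.1
    next
    edit "mgmt-tunnel"
        set interface "wan1"
        set remote-gw 198.51.100.7
    next
end
"""

# Known-good state, normally taken from a reviewed backup predating the exposure window.
BASELINE = {"super_admins": {"admin"}, "vpn_users": {"vpnuser1"}, "ipsec_tunnels": {"to-hq"}}

if __name__ == "__main__":
    for finding, subject in audit(parse_fortios_config(SAMPLE_CONFIG), BASELINE):
        print(f"{finding}: {subject}")
```

On the constructed export this reports the unlisted super_admin `sslvpn_support` (also lacking a trusthost), the unexpected local user `svc_backup`, and the `mgmt-tunnel` phase1 to 198.51.100.7. Run it against a real backup only after taking the backup over an out-of-band management path; a baseline captured from the device itself during the exposure window proves nothing.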