On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) asked Fortinet users with FortiGate devices to take action against attacks targeting many internet-connected devices.
The large campaign, believed to be the work of Russian-speaking hackers, is called FortiBleed. As of June 19, 2026, 86,644 devices had been targeted.
According to SOCRadar’s data, regular admin accounts make up 35% of the stolen credentials and Fortinet system accounts make up 28.3%. Organization-specific accounts make up the remaining 36.7% of the breached credentials.
“This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed,” SOCRadar said.
“Org-specific accounts topping the list is significant. It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed.”
The attacker scanned the internet for Fortinet remote login points, then used a special tool to try many known username and password combinations against them to break in.
“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” Hudson Rock said. “The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”
“Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism,” Arctic Wolf said. “However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade.”
“As a result, many organizations likely continue to store administrator credentials using older SHA-256 with Salt hashing mechanisms.”
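The upgrade-on-login behaviour Arctic Wolf describes can be modelled in a few lines. The following is an added example, not Fortinet's code or storage format: the record layout, the iteration count and the function names are assumptions, and the accounts and passwords are constructed. It shows why an account that never logs in after the upgrade keeps its legacy hash, and how an audit can list such accounts.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this model

def legacy_record(password):
    """Legacy scheme in this model: one salted SHA-256 pass."""
    salt = os.urandom(12)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return {"scheme": "sha256", "salt": salt, "hash": digest}

def pbkdf2_record(password):
    """Upgraded scheme: PBKDF2-HMAC-SHA256 with a fresh salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "hash": digest}

def _verify(record, password):
    if record["scheme"] == "sha256":
        candidate = hashlib.sha256(record["salt"] + password.encode()).digest()
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])

def login(store, user, password):
    record = store.get(user)
    if record is None or not _verify(record, password):
        return False
    # The plaintext is only available during a successful login, so this
    # is the only point at which a legacy record can be re-hashed.
    if record["scheme"] != "pbkdf2":
        store[user] = pbkdf2_record(password)
    return True

def accounts_on_legacy_hash(store):
    """Audit helper: accounts whose stored hash was never upgraded."""
    return sorted(u for u, r in store.items() if r["scheme"] != "pbkdf2")

def demo():
    # Constructed store as it would look right after a firmware upgrade.
    store = {"admin": legacy_record("constructed-pw-1"),
             "backup-admin": legacy_record("constructed-pw-2")}
    before = accounts_on_legacy_hash(store)
    login(store, "admin", "constructed-pw-1")  # only this account logs in
    return before, accounts_on_legacy_hash(store)

if __name__ == "__main__":
    print(demo())
```

In this model, resetting the password of every account the audit returns both rotates the credential and stores it under the stronger scheme.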
A Fortinet spokesperson said “the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory,” urging organizations to follow best practices, including regularly rotating security credentials and enabling multi-factor authentication (MFA).
CISA advises Fortinet customers with FortiGate devices and SSL VPN gateways to quickly:
Terminate sessions and reset credentials
Ensure secure credential storage
Review logs
Enable phishing-resistant multifactor authentication (MFA)
Reduce the attack surface and lock down management access
