Lead Analysis
Security & Risk · 6 min

FortiBleed Grows: 86,644 Fortinet Firewalls with Valid Credentials in 194 Countries, CISA Issues Alert

World map in a security operations room with red dots pulsing across 194 countries, symbolizing compromised Fortinet devices

A researcher identified a database with functional credentials for nearly 87,000 FortiGate devices across 21,600 domains, including Samsung, Mercedes-Benz, Chevron, and Accenture. The campaign remains active, according to SOCRadar.

In one week, the official count rose from 73,932 to 86,644 compromised Fortinet devices. What researcher Volodymyr "Bob" Diachenko discovered as an exposed server on June 13 has become, according to the latest update from SOCRadar published on Friday, the largest collection of administrative credentials for perimeter equipment ever documented. The campaign, dubbed FortiBleed, was already the subject of a CISA alert on June 18 and public guidance from the British NCSC on the same day.


The database contains credentials for SSL VPN and FortiGate management across 194 countries and 21,632 unique domains, which corresponds, according to Arctic Wolf's estimates, to approximately half of all Fortinet firewalls accessible via the internet. The operation behind it is attributed to a Russian-speaking actor who used infrastructure with 45 GPUs to crack hashes offline at an industrial scale, turning exposed configuration data into valid credentials that could then be tested at scale through credential stuffing.


Who Appears in the Data


Among the identified domains are Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, Toyota, Oracle, Siemens, Lenovo, and DHL. The list also includes global service firms such as Accenture, PwC, and Infosys, as well as government agencies and critical infrastructure operators in at least seven countries. None of these companies had publicly confirmed a breach by the time this article was published, and the exposure covers credentials that were valid at the time of collection, not necessarily credentials that still grant access after rotation.


The message from CISA in the technical sheet is clear: terminate active sessions, reset all administrative credentials, ensure the use of PBKDF2 for password storage, enable phishing-resistant MFA, and remove the administration interface from the internet whenever possible. "This cannot be treated as a point IOC. Every Fortinet customer needs to assume they are on the list until proven otherwise," stated Brian Bates, Vice President of Product at Bitsight, in a comment reproduced by Computing.
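As an added illustration of how a defender could look for the credential-stuffing stage described above in FortiGate SSL VPN event logs (example code written for this article, not from SOCRadar, CISA or Fortinet; the key=value log layout and the `ssl-login-fail` / `tunnel-up` action names are assumed, and every log line is constructed):

```python
import re
from collections import defaultdict

# Constructed FortiGate-style event log lines (key=value syslog layout and
# action names are assumed). Addresses, users and timestamps are made up.
SAMPLE_LOGS = """\
date=2025-06-13 time=01:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="j.smith" remip="198.51.100.7"
date=2025-06-13 time=01:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="a.lee" remip="198.51.100.7"
date=2025-06-13 time=01:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="m.garcia" remip="198.51.100.7"
date=2025-06-13 time=01:00:04 type="event" subtype="vpn" action="tunnel-up" user="m.garcia" remip="198.51.100.7"
date=2025-06-13 time=01:00:09 type="event" subtype="vpn" action="ssl-login-fail" user="j.smith" remip="203.0.113.42"
date=2025-06-13 time=01:00:15 type="event" subtype="vpn" action="tunnel-up" user="j.smith" remip="203.0.113.42"
date=2025-06-13 time=08:30:00 type="event" subtype="vpn" action="tunnel-up" user="r.chan" remip="192.0.2.10"
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_stuffing_sources(log_text, min_distinct_users=3):
    """Flag source IPs that failed SSL VPN logins as several distinct accounts.

    Credential stuffing with a leaked list looks like one source cycling
    through many usernames; a tunnel-up from the same source afterwards means
    one of the leaked pairs still worked and that account needs rotation.
    Returns {remip: {"tried": [...], "succeeded": [...]}}.
    """
    fails, successes = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue
        if ev.get("action") == "ssl-login-fail":
            fails[ev["remip"]].add(ev.get("user", "?"))
        elif ev.get("action") == "tunnel-up":
            successes[ev["remip"]].add(ev.get("user", "?"))
    hits = {}
    for ip, users in fails.items():
        if len(users) >= min_distinct_users:
            hits[ip] = {"tried": sorted(users),
                        "succeeded": sorted(successes[ip] & users)}
    return hits


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOGS).items():
        print(ip, "tried", info["tried"], "succeeded as", info["succeeded"])
```

Accounts listed under `succeeded` are the ones to prioritise for session termination and credential reset; the threshold is deliberately low because a cracked list is tried once per account, not brute-forced.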


The Geography of the Problem, Beyond the U.S.


The United Kingdom issued a parallel alert via the NCSC due to the concentration of FortiGate devices within British public sector networks, especially in local councils and NHS providers, which use the equipment as a VPN gateway for hybrid work arrangements. Germany falls under NIS2 from October 2025, and critical infrastructure operators that discover a breach must now notify the BSI within 24 hours, with fines that can reach 2% of global turnover.


In Japan, where MUFG and Mizuho outsource part of the edge operation to integrators who standardized on FortiGate, the exposure translates into a risk of lateral movement within the banking network just as the three megabanks finalize generative AI projects with Anthropic. In Brazil, where Itaú, Bradesco, and Nubank operate mixed stacks of Fortinet and Palo Alto, the takeaway for the CISO is that the most dangerous risk asset is not the firewall itself, but what it protects: the implicit trust inferred from corporate integrations that consider the VPN tunnel a trusted zone.


Why This Is Different From Previous Waves


Fortinet has already faced significant disclosures in 2022 (CVE-2022-40684, 87,000 leaked credentials) and 2024 (CVE-2024-21762). The difference with FortiBleed lies in three key points. First, it is not a new vulnerability, but the mass exploitation of existing configurations through industrial offline cracking, a model that differs from the classic N-day exploit. Second, the actor kept the infrastructure active for months before discovery, expanding the universe of valid credentials. Third, the disclosure exposes a structural vulnerability in the market: companies with a mature SOC and timely patching have been compromised due to the combination of PBKDF2 with a low iteration count and exposure of the management plane.


The question posed by Mariano Nunez, CEO of Onapp, during the Infosecurity Magazine panel on June 19, encapsulates what is at stake: how does a security company expose the administrative secret of 86,000 devices without leaving an operational window open? The cost of the answer will be measured in months, not days. And it has yet to be priced by boards.
