HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

FortiBleed Campaign Harvests 110 Million Credentials from 430 K FortiGate Firewalls

A Golang‑based sniffer targeting vulnerable FortiGate firewalls has harvested over 110 million credentials from 430 K devices. The breach underscores gaps in logical‑access controls and the need for continuous audit evidence of privileged‑access hygiene.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 darkreading.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
darkreading.com

FortiBleed Campaign Harvests 110 Million Credentials from 430 K FortiGate Firewalls

What Happened – A threat‑actor group released a Golang‑based packet sniffer that scans vulnerable FortiGate firewalls. The tool has been observed probing roughly 430 K devices and has extracted more than 110 million usernames and passwords, turning the firewalls themselves into credential‑stealing platforms.

Why It Matters for Compliance & Audit Readiness

  • The incident is a textbook example of a failure in logical‑access controls (SOC 2 CC6.1) – a breach that could have been detected early with continuous credential‑use monitoring.
  • Demonstrates the need for auditable evidence of privileged‑access rotation, MFA enforcement, and firewall‑log integrity as part of a SOC 2‑ready continuous‑compliance program.
  • Highlights the importance of maintaining an up‑to‑date vulnerability‑management process that feeds directly into audit evidence for “risk mitigation” criteria.

Who Is Affected – Enterprises across finance, healthcare, retail, and cloud‑service providers that rely on FortiGate firewalls for perimeter security.

Recommended Actions

  • Verify that all FortiGate devices are patched to the latest FortiOS release that addresses the FortiBleed vulnerability.
  • Conduct an immediate credential‑rotation cycle for any accounts used on firewalls and enforce MFA for privileged access.
  • Enable detailed firewall logging and integrate logs into a SIEM for continuous monitoring and evidence collection.
  • Map the incident to SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) controls, documenting remediation steps as audit evidence.

Technical Notes – The attackers leveraged a custom Golang sniffer that exploits a remote‑code‑execution flaw in FortiOS (CVE‑2024‑XXXXX). The tool passively captures clear‑text authentication traffic, yielding both local and remote credentials. Source: Dark Reading

📰 Original Source
https://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealers

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →