HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

FortiBleed Campaign Exposes Administrative & VPN Credentials for Over 73,000 FortiGate Firewalls

A Russian‑speaking threat group published a dataset of 73,932 valid FortiGate admin and SSL‑VPN credentials across 194 countries. Researchers confirmed the authenticity of many credentials and noted that numerous firewalls remain publicly reachable. For SOC 2‑ready organizations this underscores the need for robust access‑control policies, credential rotation, and continuous audit evidence.

LiveThreat™ Intelligence · 📅 June 19, 2026· 📰 recordedfuture.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
6 sector(s)
Actions
5 recommended
📰
Source
recordedfuture.com

FortiBleed Campaign Exposes Administrative & VPN Credentials for Over 73,000 FortiGate Firewalls

What Happened — A threat group released a dataset containing ~73,932 valid administrative and SSL‑VPN credentials for Fortinet FortiGate firewalls spanning 194 countries. Researchers verified that many of the credentials are authentic and that a significant number of the firewalls remain reachable on the public Internet.

Why It Matters for Compliance & Audit Readiness

  • The incident is a textbook example of a credential‑compromise scenario that SOC 2 Access Control (CC6.1) and Security Awareness policies are designed to prevent and evidence.
  • Continuous monitoring of privileged‑account usage and proof of credential‑rotation provide defensible audit evidence that the organization is actively managing the risk highlighted by FortiBleed.
  • Leveraging Verisq’s SOC2 Access Controls capability lets you capture real‑time logs of admin‑login activity, demonstrate MFA enforcement, and generate the evidence needed for a SOC 2 audit.

Who Is Affected — Government agencies, critical‑infrastructure operators, financial services firms, healthcare providers, manufacturers, and telecom carriers worldwide.

Recommended Actions

  • Immediately verify whether any of your FortiGate devices appear in the disclosed list and rotate all admin/VPN passwords.
  • Enforce multi‑factor authentication on all privileged accounts and restrict management‑plane access to trusted IP ranges or VPNs.
  • Deploy continuous credential‑use monitoring and integrate logs into your SOC 2 evidence collection pipeline.
  • Conduct a gap analysis against SOC 2 CC6.1 (Logical Access) and remediate any policy or technical deficiencies.

Source: Recorded Future – FortiBleed Campaign

Technical Notes

  • Attackers performed >1 billion credential‑guess attempts against FortiGate interfaces and >2 billion attempts against MSSQL servers, then used a 45‑GPU Hashtopolis cluster to crack SSL‑VPN hashes offline.
  • The leaked data likely originated from exported FortiGate configuration files, enabling offline password recovery without ongoing device access.
  • Affected devices were running recent FortiOS versions but still exposed management interfaces to the Internet.
📰 Original Source
https://www.recordedfuture.com/blog/critical-fortibleed-campaign

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →