On 17 June 2026, security researchers published a dataset that should stop any business running a Fortinet firewall in its tracks. It is called FortiBleed, and it holds verified, working credentials for roughly 74,000 FortiGate devices across 194 countries. Not password guesses. Not encrypted hashes. Logins that the attackers had already tested and confirmed.
Here is the uncomfortable part. FortiBleed is not a bug you can patch your way out of. It is a credential problem, and the organisations that got caught nearly all made the same small set of avoidable mistakes. This is what actually happened, how to check your own exposure, and what to do about it this week.
Despite the name, FortiBleed is not a Heartbleed-style memory bug. It is a large-scale credential harvesting campaign. It was first discovered by security researcher Volodymyr “Bob” Diachenko, analysed by threat intelligence firm Hudson Rock, and independently verified by respected researcher Kevin Beaumont, who confirmed the credentials were real and active.
The attackers pulled configuration files from internet-facing FortiGate devices, cracked the stored password hashes (older firmware used weaker password hashing, which Fortinet has since strengthened), and combined the results with credentials already circulating from infostealer malware and reused passwords from earlier incidents. The output is a tidy, searchable database of working administrator and VPN logins covering 73,932 firewall URLs and 21,632 unique company domains.
Where software flaws played a part, they were ones Fortinet had already disclosed and patched, such as CVE-2026-24858, a FortiCloud authentication bypass fixed earlier this year. The devices that stayed exposed were the ones that never applied those updates or left their management interface open to the internet. The affected names are not small either: reporting lists global enterprises, government agencies, and at least one NATO-aligned defence contractor that had classified documents stolen.
Most security stories have a clean fix. Patch the software, update the browser, block the sender. FortiBleed breaks that pattern, and that is exactly why it matters.
The weakness is the credentials, not the code. You cannot patch a password that has already leaked, and a 25-character password offers no protection once it is sitting in a criminal database. The fix is operational: rotate credentials, enforce multi-factor authentication, restrict access, and monitor. A single firmware update does not close it.
There is also a quieter risk for businesses that outsource their IT. Many providers roll out near-identical FortiGate configurations across dozens of clients, so one harvested credential pattern can cascade across every network built the same way. The convenience that makes managed firewalls cheap to deploy is the same thing that turns one mistake into many.
Hudson Rock has published a free lookup tool where you can enter your domain and see whether it appears in the dataset. If you run any Fortinet equipment, do this first: check your exposure on the Hudson Rock FortiBleed portal.
One caution. The dataset covers only about half of all internet-facing Fortinet firewalls, and the researchers say to treat it as incomplete. A clean result is reassuring, but it is not proof you are safe. If you operate FortiGate firewalls or SSL VPN, assume the credentials could be exposed and act regardless. The same advice comes from the US cyber agency CISA, which has urged Fortinet customers to reset credentials and lock down management access immediately.
This is the part worth sitting with, because the dividing line was hygiene, not luck. Almost every compromised device shared the same weaknesses, and each one was a choice that could have gone the other way.
The single biggest factor was exposing the firewall’s management interface to the public internet. That is the prerequisite the whole campaign depends on, because the configuration files were pulled from devices that answered on their management ports, and a majority of affected devices had them open. The second was missing multi-factor authentication, which turns a stolen password from a working login into only half of one. The rest were devices running older firmware that had never been updated, and credentials that were never rotated after an earlier incident.
If that list sounds familiar, it should. Patching, multi-factor authentication, and restricting administrative access are three of the Essential Eight, the Australian Government’s baseline security controls. FortiBleed is a brutal demonstration of what happens when the basics slip. Getting your Essential Eight controls genuinely operating, and keeping access management tight, is what keeps you off lists like this one.
None of this is unique to Fortinet, and it is not a reason to lose faith in the brand. Fortinet kit is widely deployed and capable, and the company had already shipped the relevant fixes and hardening guidance before this dataset surfaced. Expose any vendor’s firewall to the internet without multi-factor authentication and current firmware and you get the same outcome. FortiBleed is a configuration and maintenance story far more than a product story.
You do not need to become a firewall expert. You need to know that someone is accountable for the boring discipline that prevents this. So ask your provider three direct questions: is our firewall management interface reachable from the public internet, is multi-factor authentication enforced on every VPN and admin login, and what FortiOS version and build are we running.
If they cannot answer quickly and clearly, that is a gap. Holding a fleet of firewalls at a known-good standard, watching them, and rotating credentials when something leaks is core to managed cyber security, and it is the kind of thing that should be happening quietly in the background whether or not there is a headline that week. Pairing that with endpoint detection and response means that if a credential does slip through, someone sees the unusual login before it becomes a breach.
Rotate your FortiGate credentials and turn on MFA. Reset every administrator, local user, and VPN password on your Fortinet devices, and do not filter by age or complexity, because complexity did not save anyone here. If a configuration file was taken, treat every other secret stored in it as burned as well: IPsec pre-shared keys, LDAP and RADIUS bind passwords, SNMP communities, and API tokens all need rotating, not just the logins. Then enforce multi-factor authentication on every VPN and admin login so a stolen password alone is useless.
Take the management interface off the internet and patch. Restrict firewall administration to your internal network or an allowlisted set of addresses (on a FortiGate that means removing HTTPS and SSH from the WAN interface’s allowed services and setting trusted hosts on every admin account), update FortiOS to a current release, and confirm the version and build number on the device itself (the CLI command get system status shows it) rather than assuming the update applied.
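The three questions above and the checklist just given can be answered from a configuration backup rather than by asking. The following is an added example written for this article, not Fortinet tooling and not code from the researchers named here: a small parser for the FortiOS backup syntax (config / edit / set / next / end) that flags management services allowed on a WAN-role interface, administrator accounts with no trusted-host restriction, administrators without two-factor enforced, and reports the firmware version and build from the backup header. The backup text is constructed for the example with secrets replaced by REDACTED and documentation-range addresses; the “set role wan” heuristic for an internet-facing interface and the assumption that omitted settings are at their defaults are both mine.

```python
"""Audit a FortiGate configuration backup for the hygiene failures behind FortiBleed.

Added example, not Fortinet tooling. Parses the 'config / edit / set / next / end'
backup syntax and flags: management services on a WAN-role interface, admins with
no trusthost restriction, admins without two-factor, and the firmware build from
the header (to be compared with the vendor's current release).
"""
import re
import shlex

# Constructed sample backup, not a real device. Secrets replaced by REDACTED;
# addresses are from the RFC 5737 and RFC 1918 ranges.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.12-FW-build0523-230425:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
    edit "msp-ops"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
        set password ENC REDACTED
    next
end
"""

# Services on 'allowaccess' that expose the management plane.
MGMT_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_config(text):
    """Return (header, tree). tree nests a dict per 'config'/'edit' block and stores
    each 'set' as attribute -> list of values. Settings left at default are absent
    from a backup, so a missing attribute means 'default' (assumption)."""
    header, root = {}, {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#config-version=([^:]+)", line)
            if m:
                header["config-version"] = m.group(1)
            continue
        tokens = shlex.split(line)  # handles quoted names such as "wan1"
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword in ("next", "end"):
            stack.pop()
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
    return header, root


def firmware_build(header):
    """Extract (model, version, build) from e.g. FGT60F-7.0.12-FW-build0523-230425."""
    m = re.match(r"(\w+)-(\d+\.\d+\.\d+)-FW-build(\d+)", header.get("config-version", ""))
    return m.groups() if m else None


def audit_config(text):
    """Return (check, object, detail) findings for the FortiBleed hygiene failures."""
    header, root = parse_config(text)
    findings = []
    build = firmware_build(header)
    if build:
        model, version, number = build
        findings.append(("firmware", model, f"FortiOS {version} build {number}; compare with current release"))
    for name, iface in root.get("system interface", {}).items():
        if not isinstance(iface, dict):
            continue
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        # Heuristic: 'set role wan' marks the interface as internet-facing.
        if iface.get("role") == ["wan"] and exposed:
            findings.append(("mgmt-on-wan", name, f"management services {sorted(exposed)} allowed"))
    for name, admin in root.get("system admin", {}).items():
        if not isinstance(admin, dict):
            continue
        if not any(attr.startswith("trusthost") for attr in admin):
            findings.append(("no-trusthost", name, "login allowed from any source address"))
        if admin.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("no-mfa", name, "two-factor not enforced"))
    return findings


if __name__ == "__main__":
    for check, obj, detail in audit_config(SAMPLE_CONFIG):
        print(f"{check:12} {obj:10} {detail}")
```

Run against the constructed backup, the audit flags wan1 for HTTPS and SSH on a WAN interface and the built-in admin account for both missing trusted hosts and missing two-factor, while the msp-ops account, which has a trusthost and two-factor set, produces nothing. The firmware line is a report rather than a verdict: which release counts as current is a question for Fortinet’s own advisories, not for the parser. Run the script on a fresh backup from each device rather than a copy held by the provider, since the point is to verify what is actually running.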
Get an independent check. If you are not certain where you stand, we will look at it for you. Book a free security gap analysis and we will tell you straight whether your perimeter is exposed and what to fix first.