Since February 2026, a financially motivated Russian-speaking initial access broker has been running a systematic credential-harvesting operation against FortiGate firewalls at global scale. The campaign, tracked as FortiBleed, has targeted over 430,000 devices and harvested approximately 110 million credentials. For anyone running substantial network infrastructure—whether as a hosting provider, datacenter operator, or enterprise managing edge systems—the tactics and scope of this operation warrant close attention.
The Mechanics of Broad-Scale Access Harvesting
FortiBleed operates through a multi-stage approach: discovery, enumeration, and exploitation. Researchers at The Hacker News documented that the actors first identify exposed FortiGate instances using passive reconnaissance and internet-wide scanning services. Once a candidate list is built, they probe for accessible management interfaces and attempt brute-force attacks against administrative credentials.
The scale here is notable. Harvesting credentials from 430,000 devices is not the work of opportunistic attackers; it reflects infrastructure and patience. The actors appear to have maintained operational consistency over several months, suggesting either dedicated resources or a specialised service offered within criminal ecosystems. Credential lists of this magnitude have clear resale value: they become entry points for ransomware operators, data exfiltration crews, and subsidiary access brokers seeking to monetise initial compromise.
Why Firewalls Are a Preferred Target
FortiGate firewalls occupy a critical position in network topology. They sit at the perimeter, controlling inbound and outbound traffic, and often sit between the internet and internal infrastructure. Compromised credentials grant an attacker several advantages. They can disable logging, create persistent backdoors, route traffic for inspection and manipulation, and move laterally into internal networks with minimal suspicion. Unlike web servers or databases, firewall compromise is often silent and difficult to detect without disciplined monitoring.
The appeal to initial access brokers is straightforward: a compromised firewall is a gateway. It does not require exploitation of zero-day vulnerabilities or complex technical pivoting. A valid set of admin credentials, obtained through brute-force or exposure, can unlock months of undetected access.
Operational Hardening Against Credential-Based Access
The FortiBleed campaign illustrates why basic hygiene remains foundational. Several controls directly mitigate this attack class:
- Non-default credentials and strength. Weak or default passwords remain endemic in infrastructure deployments. Every FortiGate should have a unique, sufficiently complex administrative password. Reuse across multiple devices multiplies risk.
- Rate limiting and account lockout. Brute-force attacks depend on the ability to make many attempts rapidly. Enforcing lockout policies after N failed login attempts raises the cost of credential stuffing significantly.
- Restricting administrative access by source. If possible, limit management interface access to known IP ranges or VPN gateways rather than exposing it to the entire internet.
- Multi-factor authentication. Even with compromised passwords, MFA adds a genuine barrier. Many commodity brute-force operations cannot overcome it efficiently.
- Logging and alerting. Successful and failed login attempts should flow to a centralised logging system with alerting on anomalies—multiple failed attempts from unknown sources, logins from unexpected geographies, or access outside business hours.
Scope and Systemic Implications
430,000 firewalls represents a substantial fraction of deployed FortiGate infrastructure globally. The 110 million credentials harvested suggests the attacker collected not only administrative accounts but also service credentials, user accounts, and residual data left in system memory or logs. This material can be cross-referenced against other breached databases, used for lateral movement in multi-tenant environments, or sold as a bundled service to downstream actors.
From an infrastructure-as-a-service perspective, this underscores the value of architectural separation: managed firewalls, VPNs, and edge security should not share administrative credentials or networks with customer-facing systems. If a hosting provider offers managed firewall services or operates shared edge infrastructure, credential hygiene for those systems warrants investment equivalent to that for core servers.
FortiBleed is not a novel exploit or zero-day. It is industrial-scale opportunism enabled by weak passwords, exposed management interfaces, and inadequate monitoring. For operators managing infrastructure at scale, the countermeasures are well-established. The lesson is implementation: ensuring that security baselines are enforced, monitored, and audited consistently across all edge and core systems.

