1. Executive summary
A data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs across 194 countries, covering 21,632 unique organisational domains. The dataset was first identified by researcher Bob Diachenko and independently verified by Hudson Rock and Kevin Beaumont; both confirm the credentials are real and that many affected devices remain online. The exposed material includes usernames, email addresses and plaintext passwords for SSL VPN and administrative interfaces, alongside per-target metadata (industry, revenue, employee count) suggestive of attacker targeting notes. For EMEA financial services firms running Fortinet/FortiGate SSL VPN, the immediate risk is unauthorised remote access to the firewall and, by extension, the corporate network behind it; the bottom line is that any organisation with a Fortinet VPN appliance should treat credentials as compromised until proven otherwise and rotate immediately.
2. Regulatory framing
| Article | Trigger | Practical impact |
|---|---|---|
| DORA Art. 17: ICT-related incident management process | Confirmed exposure of Fortinet VPN credentials for financial-services entities in the dataset; lateral movement into internal Active Directory reported by the researcher | Activate the ICT-related incident management process; document detection, triage, eradication and recovery steps for any affected Fortinet appliance |
| DORA Art. 18: classification of ICT-related incidents and cyber threats | Credential exposure affecting SSL VPN and administrative interfaces of perimeter devices used by in-scope entities | Classify the event against the ICT incident taxonomy; ensure classification considers downstream AD compromise, not just the credential leak itself |
| DORA Art. 19: reporting of major ICT-related incidents to competent authorities | Where a Fortinet appliance used by an in-scope entity is confirmed compromised and AD pivot is observed, the incident meets major-incident thresholds | Prepare initial, intermediate and final notifications to the competent authority within the prescribed windows |
| DORA Art. 28: ICT third-party risk — general principles | Fortinet is an ICT third-party provider; the leak affects the security of that provider's products | Re-evaluate Fortinet third-party risk; record the incident in the third-party risk register |
| DORA Art. 29: preliminary assessment of ICT concentration risk | The leak affects roughly half of internet-facing Fortinet firewalls per Shodan, evidencing concentration in this vendor | Reassess concentration risk; document the dependency and any single-point-of-failure exposure |
| DORA Art. 30: key contractual provisions with ICT third-party providers | Vendor security incident engages notification, audit and cooperation clauses | Engage Fortinet under contractual clauses; request root-cause and remediation data |
| NIS2 Art. 21(2)(d): supply chain security measures | Fortinet is a supply-chain component for in-scope entities; credential compromise is a supply-chain incident | Apply supply-chain security measures: asset inventory, password rotation, MFA enforcement, monitoring uplift on Fortinet assets |
| NIS2 Art. 23: incident reporting obligations | Confirmed compromise of an in-scope entity's Fortinet appliance with AD pivot is an incident with significant impact | File early warning within 24 hours, incident notification within 72 hours, and final report as required |
| UK NIS 2018: UK Network and Information Systems Regulations — OES/RDSP duties | UK OES/RDSP entities operating Fortinet SSL VPN are within scope of the dataset | Apply OES/RDSP duties: incident reporting, record-keeping, and cooperation with the relevant competent authority |
3. Technical analysis & attack chain
- Reconnaissance and target enumeration. Attackers enumerated Fortinet/FortiGate SSL VPN endpoints at scale. Diachenko reports 1.16 billion credential attempts against 320,777 FortiGate targets, and 2.1 billion attempts against 163,650 Microsoft SQL Server systems, indicating parallel brute-force campaigns against both the VPN surface and adjacent MSSQL infrastructure.
- SSL VPN authentication hash interception. Attackers intercepted SSL VPN authentication hashes from FortiGate appliances. The mechanism is not publicly disclosed in the source material; the presence of long, complex passwords in the leaked dataset is consistent with extraction from device configuration or authentication artefacts rather than weak-password guessing.
- Offline hash cracking. The intercepted hashes were cracked on a 45-GPU cluster managed via Hashtopolis, an open-source distributed hash-cracking orchestration platform. This indicates a sustained, well-resourced operation rather than an opportunistic attack.
- Credential validation and database assembly. Cracked credentials were validated against target appliances and assembled into a verified database of working credentials, annotated with per-target metadata (industry, revenue, employee count) — consistent with attacker targeting notes for follow-on operations.
- Lateral movement into Active Directory. Validated credentials were used to pivot into internal Active Directory environments. The source material does not specify the tooling or techniques used for AD pivot; treat this as a confirmed outcome, not a confirmed TTP.
- Confirmed full compromise. At least four organisations are reported as fully compromised, including a Turkish NATO defence contractor from which classified documents were allegedly stolen. Other fully compromised entities span Japan, Taiwan, Vietnam, Iraq and Turkey.
- Operational artefacts exposed. The attackers inadvertently left an open directory online containing artefacts, connection strings, tooling, scripts, data, cron jobs, bash histories and logs — the source from which Diachenko reconstructed the operation.
Component and version specifics. The source material does not name a specific FortiOS/FortiGate version, firmware branch or CVE. The dataset covers "fairly recent patches" per Beaumont, meaning patched appliances are not immune. No CVE is cited in the source material; therefore no CVSS score is reported in this advisory.
Attribution caveat. Diachenko attributes the operation to a "Russian-speaking multi-operator threat group" based on artefacts and language. No MITRE profile for this actor is available in the verified reference data; treat the attribution as unconfirmed.
Affected organisations (partial list, per Hudson Rock and Diachenko): Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, Chevron, AT&T, Mercedes-Benz, Toyota, Sinopec, State Grid, plus government agencies and critical-infrastructure operators.
Geographic distribution (top 10): India, United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, United Arab Emirates.
Affected sectors: telecommunications, IT services, financial services, government, healthcare, education, manufacturing.
4. Mitigation & containment
P1 — within 24 hours
- Rotate all Fortinet VPN and administrative credentials on every FortiGate/Fortinet appliance in the estate. Treat local accounts, RADIUS/LDAP bind accounts, admin accounts and any service accounts used by the appliance as compromised.
- Enforce MFA on Fortinet SSL VPN and administrative interfaces. Disable any account that does not support MFA until it is migrated.
- Isolate management interfaces from the public internet. Move FortiGate admin/SSL VPN endpoints behind a VPN concentrator, jump host or zero-trust broker where feasible.
- Block and audit any successful authentication from the leaked credential set against FortiGate syslog, FortiAnalyzer and AD logs. Look for logons from unfamiliar geographies or outside normal change windows.
- Force password resets for any AD account observed authenticating from a FortiGate in the last 90 days, and review Group Policy and admin tiering for signs of unauthorised group membership changes.
P2 — within 72 hours
- Apply the latest vendor firmware to all FortiGate appliances per Fortinet PSIRT guidance; if no specific fix is named in the source, apply the current vendor-recommended baseline and review release notes for SSL VPN hardening.
- Disable unused SSL VPN realms and admin profiles. Restrict SSL VPN to named user groups with explicit policy.
- Hunt for Hashtopolis and 45-GPU cluster indicators in EDR telemetry, proxy logs and DNS logs (see Section 5).
- Review MSSQL exposure. Audit any MSSQL instances reachable from FortiGate management subnets; rotate MSSQL service and SA-equivalent credentials; restrict to management VLAN.
- Engage Fortinet under contractual clauses (DORA Art. 30) for root-cause data, IOC sharing and confirmation of affected firmware versions.
P3 — within 7 days
- Reassess concentration risk (DORA Art. 29) and document Fortinet dependency in the third-party risk register.
- Tabletop the incident under the ICT-related incident management process (DORA Art. 17) and validate reporting readiness (DORA Art. 19; NIS2 Art. 23).
- Tighten monitoring: forward FortiGate auth, admin and VPN event logs to SIEM with retention aligned to DORA Art. 17 record-keeping expectations; alert on impossible travel and off-hours admin logons.
- Validate backups of FortiGate configuration and AD; confirm out-of-band restore path.
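The P1 log audit (authentications from the leaked credential set, unfamiliar geographies, logons outside change windows) and the P3 impossible-travel and off-hours alerting can be prototyped directly against FortiGate's key=value syslog. The block below is an added example, not Adverse Trace or Fortinet code; the log lines, the leaked-account list, the IP-to-country map, the business-hours window and the travel threshold are all constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed assumptions for this example (not page data):
LEAKED_ACCOUNTS = {"svc_backup", "admin"}   # our accounts that appear in the leaked set
EXPECTED_COUNTRIES = {"GB", "DE"}           # where our VPN users normally connect from
GEO = {"203.0.113.45": "BR", "198.51.100.7": "GB", "192.0.2.88": "US"}  # toy IP->country
BUSINESS_HOURS = range(7, 20)               # 07:00-19:59 appliance local time
TRAVEL_WINDOW = timedelta(hours=4)          # crude bound for a country change by one user

# Constructed FortiGate-style SSL VPN events (key=value syslog format, invented values)
SAMPLE_LOGS = """\
date=2026-06-18 time=02:14:07 devname="FG-EDGE-01" type="event" subtype="vpn" action="tunnel-up" user="svc_backup" remip="203.0.113.45" tunneltype="ssl-web"
date=2026-06-18 time=09:31:52 devname="FG-EDGE-01" type="event" subtype="vpn" action="tunnel-up" user="j.smith" remip="198.51.100.7" tunneltype="ssl-web"
date=2026-06-18 time=11:02:19 devname="FG-EDGE-01" type="event" subtype="vpn" action="tunnel-up" user="j.smith" remip="192.0.2.88" tunneltype="ssl-web"
date=2026-06-18 time=11:10:00 devname="FG-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="192.0.2.88" tunneltype="ssl-web"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_line(line):
    """FortiGate syslog is key=value with optional double-quoted values; return a dict."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}

def audit_vpn_logons(raw_logs):
    """Return (user, iso_timestamp, reasons) for every VPN event that needs analyst review."""
    alerts, last_seen = [], {}
    for line in raw_logs.splitlines():
        ev = parse_fortigate_line(line)
        if ev.get("subtype") != "vpn":
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        user, country = ev.get("user", ""), GEO.get(ev.get("remip"), "??")
        reasons = []
        if user in LEAKED_ACCOUNTS:            # any use of a leaked account, success or not
            reasons.append("account-in-leaked-set")
        if ev.get("action") == "tunnel-up":    # successful SSL VPN logon
            if country not in EXPECTED_COUNTRIES:
                reasons.append(f"unexpected-geo:{country}")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append("off-hours")
            prev = last_seen.get(user)
            if prev and prev[1] != country and ts - prev[0] < TRAVEL_WINDOW:
                reasons.append(f"impossible-travel:{prev[1]}->{country}")
            last_seen[user] = (ts, country)
        if reasons:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts
```

Run audit_vpn_logons over exported FortiGate VPN event logs; on the constructed sample it returns three alerts: a leaked service account logging on off-hours from an unexpected country, a user changing country inside the travel window, and a failed logon against a leaked admin account.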
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| Tooling | Hashtopolis (open-source distributed hash-cracking orchestrator) | High | Diachenko / The Register |
| Infrastructure | 45-GPU hash-cracking cluster (Hashtopolis-managed) | High | Diachenko / The Register |
| Attack surface | Fortinet/FortiGate SSL VPN authentication hashes | High | Diachenko / Hudson Rock |
| Adjacent target | Microsoft SQL Server (MSSQL) — 163,650 targets, 2.1B attempts | High | Diachenko |
| Lateral movement | Internal Active Directory environments | High | Diachenko |
| Operational artefact | Open directory exposing cron jobs, bash histories, logs, scripts, connection strings | High | Diachenko |
6. Detection
```yara
rule AT_FortiBleed_Hashtopolis_Artefacts
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-18"
        reference = "https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/"
        description = "Detects artefacts associated with the FortiBleed Fortinet VPN credential leak operation, including Hashtopolis orchestration tooling and operational artefacts left in an exposed open directory"

    strings:
        // Literal phrases taken from public reporting on the operation; they match
        // reporting text and vendor documentation as readily as attacker artefacts,
        // so triage any hit before acting on it
        $hashtopolis_a = "Hashtopolis"
        $cron_a = "cron jobs"
        $bash_a = "bash histories"
        $logs_a = "bash histories, logs"
        $scripts_a = "tooling, scripts"
        $connstr_a = "connection strings"
        $fortigate_a = "FortiGate"
        $fortinet_a = "Fortinet"
        $sslvpn_a = "SSL VPN"
        $gpu_a = "45-GPU"

    condition:
        // $fortigate_a and $fortinet_a together already satisfy "2 of" on any
        // Fortinet document, so expect a high false-positive rate at this threshold
        2 of ($hashtopolis_a, $cron_a, $bash_a, $logs_a, $scripts_a, $connstr_a, $fortigate_a, $fortinet_a, $sslvpn_a, $gpu_a)
}
```
```yaml
title: FortiBleed — Hashtopolis or FortiGate credential-cracking tooling observed on host
id: at-2026-06-18-115-hashtopolis
status: experimental
description: |
  Detects process, command-line or file indicators consistent with the FortiBleed
  operation's use of Hashtopolis for hash cracking and adjacent brute-force tooling
  against FortiGate SSL VPN and Microsoft SQL Server targets.
author: Adverse Trace
date: 2026-06-18
references:
  - https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
logsource:
  category: process_creation
  product: windows
detection:
  # Sigma string matching is case-insensitive in most backends; the case variants
  # below are kept for readability only
  selection_hashtopolis:
    CommandLine|contains:
      - 'hashtopolis'
      - 'Hashtopolis'
  selection_hashcat:
    CommandLine|contains:
      - 'hashcat'
      # 'john' also matches ordinary user and path names; tune before enabling at level high
      - 'john'
  selection_fortigate_brute:
    CommandLine|contains:
      - 'fortigate'
      - 'FortiGate'
      - 'SSL VPN'
  selection_mssql_brute:
    CommandLine|contains:
      - 'MSSQL'
      - 'mssql'
  condition: selection_hashtopolis or selection_hashcat or (selection_fortigate_brute and selection_mssql_brute)
level: high
tags:
  - attack.credential_access
  - attack.t1110
  - attack.t1003
```
7. Sources
- BleepingComputer — FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices — https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/ — 2026-06-17
- The Register — Massive password-stealing attack hits 75k Fortinet firewalls — https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257877 — 2026-06-17
8. Adverse Trace position
Severity: High. The leak combines verified working credentials, a confirmed AD pivot path, and an attacker-maintained targeting database covering roughly half of internet-facing Fortinet firewalls. For EMEA financial services, the immediate exposure is unauthorised remote access to the perimeter and, by extension, the internal network; the longer-term exposure is targeted follow-on intrusion using the per-target metadata in the dataset. Client impact: any in-scope entity running Fortinet SSL VPN must rotate credentials, enforce MFA and isolate management interfaces within 24 hours, and reassess Fortinet concentration risk under DORA Art. 29. Next steps: Adverse Trace will (1) monitor Fortinet PSIRT for a named CVE or firmware advisory and update this advisory accordingly, (2) track Hudson Rock and Diachenko for additional IOCs as the open-directory artefacts are analysed, and (3) support clients with credential-rotation validation, AD compromise hunting and DORA/NIS2 reporting readiness on request. Attribution to a Russian-speaking group remains unconfirmed pending corroborating intelligence.
Published via PulseTrace — Adverse Trace threat intelligence.