Fortinet Addresses FortiBleed Vulnerability with Security Update

Post Views: 10

Fortinet’s FortiBleed campaign has collected 86,000 credentials across 194 countries using brute-force and past exposures, with no new vulnerabilities involved.

Overview of the FortiBleed Campaign

Fortinet has stated that the ongoing credential-harvesting campaign targeting its firewall and VPN systems does not involve newly discovered vulnerabilities. The operation, designated FortiBleed, has resulted in the collection of 86,000 verified login credentials for Fortinet devices across 194 countries.

Exploited Vulnerabilities and Attack Methods

The attack leverages previously exposed credentials from past incidents combined with brute-force methods against systems with weak authentication practices and no multi-factor authentication (MFA) implementation. The earlier incidents referenced by Fortinet involved the exploitation of three FortiCloud single sign-on (SSO) authentication bypass flaws: CVE-2026-24858, which was resolved in January, and CVE-2025-59718 and CVE-2025-59719, addressed in December.

According to the company, the attack leverages previously exposed credentials from past incidents combined with brute-force methods against systems with weak authentication practices and no multi-factor authentication (MFA) implementation.

Mitigation and Recommendations

Fortinet emphasized that detailed mitigation guidance was provided during these advisories and reiterated its recommendation for customers to complete all remediation steps. In March, the vendor highlighted the use of artificial intelligence by threat actors to automate target selection and execute password-spraying attacks against inadequately secured edge devices. FortiBleed employs similar tactics, according to the company, without relying on any newly identified Fortinet-specific vulnerabilities.

Fortinet clarified that this activity is unrelated to recent security advisories or incidents.

The organization has identified affected systems and initiated notifications to impacted customers. It is also collaborating with law enforcement to investigate the attacks. Affected FortiGate users are advised to terminate administrative and VPN sessions, reset credentials, enforce MFA for all admin and VPN accounts, and update to software versions that support PBKDF2 hashing for administrator credentials.

Broad Implications and Industry Response

Additional measures include auditing firewall and VPN user accounts and configurations for unauthorized modifications, reviewing logs for unauthorized administrative access, and limiting external management to trusted hosts to minimize exposure. The campaign underscores the persistent threat of credential-based attacks, with threat actors exploiting weak password policies and outdated security practices.

Security experts continue to emphasize the need for robust authentication protocols and timely patch management to counter evolving threats.

Fortinet’s response highlights the importance of proactive mitigation strategies, including regular software updates, MFA implementation, and continuous monitoring of system access logs. The incident follows broader trends of cybercriminals leveraging automation and AI to scale attacks, targeting infrastructure with insufficient protective measures.