Fortinet Responds to FortiBleed Campaign: 86,000 Credentials Exposed
Fortinet, one of the world's leading cybersecurity vendors, has been forced to publicly respond to a large-scale credential-harvesting operation now widely referred to as the FortiBleed campaign. At the center of this incident is a database containing over 86,000 confirmed, working credentials — all scraped from Fortinet devices by threat actors exploiting known vulnerabilities. The scale and severity of this breach have sent shockwaves through the enterprise security community, raising urgent questions about patch management, device hygiene, and the ongoing risks posed by unpatched network appliances.
What Is the FortiBleed Campaign?
The FortiBleed campaign refers to a coordinated credential-harvesting operation that targeted Fortinet's networking and security devices — most notably FortiGate firewalls and SSL VPN appliances. Threat actors systematically exploited vulnerabilities in these devices to extract configuration files and, crucially, valid login credentials. The resulting database, which contains more than 86,000 confirmed working credentials, was subsequently shared or circulated among cybercriminal communities, dramatically widening the exposure beyond the original attack surface.
The name "FortiBleed" is a nod to high-profile information-disclosure vulnerabilities of the past, most famously Heartbleed, which similarly allowed attackers to read sensitive memory data from unpatched systems. In the case of FortiBleed, the attack vector centers on exposed management interfaces and known CVEs that many organizations had failed to patch in time.
How Were the Credentials Harvested?
According to cybersecurity researchers and Fortinet's own communications, the credential harvesting was made possible by the exploitation of previously disclosed vulnerabilities in FortiOS — the operating system that powers FortiGate devices. One of the most significant vulnerabilities associated with this class of attack is CVE-2022-40684, an authentication bypass flaw that allowed unauthenticated attackers to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
In practice, this meant attackers could:
- Access device configuration files without valid credentials
- Extract plaintext or recoverable credentials stored within those configuration files
- Establish persistent access to compromised devices for later use
- Compile harvested data into large, structured databases for sale or distribution on dark web forums
The fact that over 86,000 credentials were confirmed as working at the time of the database's compilation suggests that a significant number of Fortinet customers had not applied available patches — even long after those patches were publicly released and heavily promoted by Fortinet and the broader security community.
Fortinet's Official Response
In response to the campaign, Fortinet has acknowledged the incident and urged all customers to take immediate remediation steps. The company has emphasized that the vulnerabilities exploited during the FortiBleed campaign are not new zero-days — they are known, patched flaws. Fortinet's core message is that organizations that have kept their devices up to date with the latest firmware and security patches are not at risk from this specific credential database.
Fortinet has recommended that affected organizations take the following steps without delay:
- Update all FortiGate and FortiOS devices to the latest available firmware version immediately
- Treat all existing credentials on potentially affected devices as compromised and reset them across the board
- Disable internet-facing management interfaces wherever they are not absolutely necessary
- Review firewall rules and VPN configurations for signs of unauthorized changes or suspicious activity
- Enable multi-factor authentication (MFA) on all administrative accounts and VPN access points
- Monitor logs carefully for anomalous login attempts, configuration changes, or lateral movement indicators
Fortinet has also provided indicators of compromise (IoCs) and technical guidance through its Product Security Incident Response Team (PSIRT), which organizations can use to assess whether their specific devices were targeted during the campaign.
Why This Campaign Is a Wake-Up Call for Enterprise Security
The FortiBleed campaign is not simply a Fortinet problem — it is a symptom of a much broader and deeply entrenched challenge in enterprise cybersecurity: the failure to patch known vulnerabilities in a timely manner. Time and again, major breaches and credential leaks trace back not to sophisticated zero-day exploits, but to well-documented vulnerabilities that were never remediated.
Network appliances like firewalls and VPN gateways are particularly high-value targets for attackers precisely because they sit at the perimeter of corporate networks. A compromised firewall does not just expose one user's data — it can open the door to an entire organization's internal infrastructure, enabling ransomware deployment, data exfiltration, supply chain attacks, and more.
The sheer volume of credentials in the FortiBleed database — 86,000 and confirmed working — underscores the alarming number of organizations that remain vulnerable long after patches are made available. This creates a rich harvesting ground for threat actors who scan the internet for exposed management interfaces and known vulnerable firmware versions.
Best Practices to Protect Your Organization Going Forward
Whether or not your organization uses Fortinet products, the FortiBleed campaign offers universal lessons for strengthening your security posture. Consider implementing the following best practices as a baseline:
- Patch aggressively and consistently: Establish a rapid patching policy for all network-facing devices, particularly those running perimeter security functions. Prioritize critical and high-severity CVEs.
- Restrict management interface access: Never expose device management interfaces directly to the public internet. Use jump hosts, out-of-band management networks, or strict IP allowlisting.
- Implement zero-trust principles: Do not rely solely on perimeter devices to enforce security. Assume breach and apply least-privilege access controls throughout your environment.
- Deploy MFA everywhere: Multi-factor authentication significantly reduces the risk posed by stolen credentials, even when those credentials are confirmed as valid.
- Conduct regular audits: Periodically audit device configurations, user accounts, and access logs to identify and remediate unauthorized changes before they escalate.
- Invest in threat intelligence: Subscribe to vulnerability feeds and threat intelligence services that provide early warning of active exploitation campaigns targeting the technologies you use.
Conclusion
The FortiBleed campaign serves as a stark and costly reminder that unpatched vulnerabilities are not theoretical risks — they are active, exploited attack vectors with real-world consequences. The exposure of over 86,000 working credentials from Fortinet devices is a direct result of delayed patching and poor device hygiene across a wide range of organizations. Fortinet's response makes clear that the tools to prevent this damage were available; the challenge was getting organizations to use them in time.
For security teams everywhere, the message is unambiguous: patch your perimeter devices, harden your management interfaces, reset potentially compromised credentials, and build the operational discipline to respond faster when the next critical vulnerability is disclosed. The threat actors behind campaigns like FortiBleed are counting on delayed responses — do not give them the time they need.