FortiBleed Campaign: How Attackers Used Custom Sniffers to Compromise FortiGate Firewalls
A large-scale cyberattack campaign dubbed FortiBleed has sent shockwaves through the network security community. According to researchers at cybersecurity firm SOCRadar, threat actors behind the campaign deployed highly specialized, custom-built sniffers specifically engineered to harvest authentication secrets from compromised Fortinet FortiGate firewall devices. The campaign represents one of the more sophisticated credential-theft operations targeting enterprise network infrastructure in recent memory, and its implications extend far beyond the organizations already affected.
For security teams managing Fortinet environments, understanding how FortiBleed worked — and why it was so effective — is the first step toward mounting a credible defense.
What Is the FortiBleed Campaign?
FortiBleed is a targeted attack campaign focused on Fortinet FortiGate firewall appliances, which are widely deployed across enterprise, government, and critical infrastructure environments around the world. The campaign takes its name from the nature of the attack: much like older memory-leaking exploits, FortiBleed bleeds sensitive authentication data from devices that should be among the most trusted components of a network's security perimeter.
SOCRadar's research indicates that the campaign operated at significant scale, with attackers targeting a broad range of organizations that rely on FortiGate hardware for perimeter defense, VPN access, and network segmentation. The goal was clear: extract valid credentials and authentication tokens that could be used for unauthorized network access, lateral movement, and potential long-term persistence inside victim environments.
The Custom Sniffer: A Purpose-Built Threat Tool
What makes FortiBleed particularly notable from a technical standpoint is the use of a custom-built sniffer deployed directly on compromised FortiGate devices. Rather than relying on generic, off-the-shelf malware, the threat actors developed a purpose-specific tool tailored to the internals of FortiOS — the operating system that powers FortiGate appliances.
Once an attacker gained initial access to a vulnerable device, they deployed this sniffer to intercept and capture authentication data passing through the firewall. Because the sniffer operated from within the device itself, it had privileged access to traffic and processes that would normally be invisible to external monitoring tools. This inside-the-perimeter vantage point made detection extraordinarily difficult using conventional network-based security controls.
The types of authentication secrets harvested reportedly included:
- Session tokens and cookies used for management interface authentication
- VPN credentials and user authentication data
- Administrative account credentials passed during login sessions
- Potentially other sensitive configuration data stored or transmitted through the device
By operating as a native process on the FortiGate device itself, the sniffer effectively turned the organization's own security hardware into a surveillance and credential-harvesting tool — a particularly insidious form of attack that underscores the danger of unpatched network appliances.
How Attackers Gained Initial Access
The FortiBleed campaign did not emerge from nowhere. Like many large-scale attacks targeting network appliances, it appears to have relied on known vulnerabilities in FortiOS that had not been patched across a wide swath of affected devices. Fortinet has had a number of critical vulnerabilities disclosed in recent years — including authentication bypass and remote code execution flaws — that have been actively exploited in the wild before many organizations applied available patches.
The pattern is unfortunately familiar: a critical vulnerability is disclosed, a patch is released, but the lag between patch availability and actual deployment across large, complex enterprise environments leaves a window of exposure that sophisticated threat actors are well-positioned to exploit. FortiBleed appears to have taken full advantage of exactly this dynamic.
Once initial access was achieved — whether through an unpatched vulnerability, a stolen credential, or another means — the attackers moved quickly to deploy their custom sniffer and begin harvesting data before detection could occur.
Why This Campaign Is Especially Dangerous
Credential theft from network perimeter devices is particularly damaging because of what those credentials can unlock. A valid administrative credential for a FortiGate device gives an attacker the ability to reconfigure firewall rules, create new VPN accounts, disable security policies, and establish persistent backdoor access — all from what appears to be a legitimate, authorized session.
Furthermore, because FortiGate devices often sit at the boundary between an organization's internal network and the internet, compromising them can give attackers a privileged view of all traffic flowing in and out of the organization. The custom sniffer deployed in FortiBleed exploited this position to maximum effect.
The scale of the campaign also matters. When attackers harvest credentials across hundreds or thousands of organizations simultaneously, the downstream risk extends to supply chains, partner networks, and any third party that trusts the affected organizations' infrastructure.
How to Protect Your FortiGate Environment
Organizations running Fortinet FortiGate devices should treat the FortiBleed campaign as an urgent call to action. Several steps are critical to reducing exposure and remediating potential compromise.
- Patch immediately: Ensure all FortiGate devices are running the latest version of FortiOS. Review Fortinet's security advisories and apply all critical patches without delay.
- Audit administrative access: Review all administrative accounts and active sessions on FortiGate management interfaces. Revoke any unrecognized sessions and rotate credentials.
- Review VPN user accounts: Audit all VPN user accounts for unauthorized additions or modifications that could represent attacker-created persistence mechanisms.
- Enable logging and monitoring: Ensure that FortiGate logging is enabled and that logs are being forwarded to a centralized SIEM or log management solution where they can be analyzed for indicators of compromise.
- Restrict management interface access: Limit access to the FortiGate management interface to trusted IP addresses only, and disable remote management access where it is not operationally necessary.
- Conduct a compromise assessment: If you have reason to believe your devices may have been exposed, engage a qualified incident response team to conduct a thorough compromise assessment before simply patching and moving on.
The Bigger Picture: Network Appliances as High-Value Targets
FortiBleed is part of a broader and deeply concerning trend. Over the past several years, threat actors — including nation-state groups — have increasingly shifted focus toward network appliances such as firewalls, VPN concentrators, and edge routers. These devices are attractive targets precisely because they are trusted, pervasive, and often lag behind endpoints and servers in terms of patch management and security monitoring.
Appliance vendors, including Fortinet, have been working to improve transparency and response times around vulnerability disclosure. But the fundamental challenge remains: organizations must prioritize the security of their network perimeter hardware with the same rigor they apply to servers and workstations. A firewall that has been silently compromised is not a security control — it is a liability.
Final Thoughts
The FortiBleed campaign is a clear demonstration of how sophisticated threat actors have become in targeting the very devices organizations trust to protect their networks. By deploying a custom-built sniffer engineered specifically for FortiOS, the attackers behind this campaign showed both technical sophistication and patience — harvesting credentials quietly from within the perimeter rather than triggering the noisy alerts that more aggressive attacks might generate.
For defenders, the lesson is straightforward: network appliances must be patched promptly, monitored continuously, and treated as high-value targets worthy of the same security attention given to any other critical system. The FortiBleed campaign will not be the last of its kind, and organizations that fail to adapt to this threat landscape will remain exposed to exactly these kinds of deeply consequential attacks.