A sprawling credential-harvesting campaign has compromised more than 73,000 Fortinet firewall and VPN gateway URLs across 194 countries, giving attackers persistent access to some of the world's largest enterprises.
Cybercriminals have systematically breached tens of thousands of Fortinet devices used by companies including Foxconn, Samsung, Siemens, Lenovo, Oracle, PwC, Accenture and Comcast, according to reports from cybersecurity firms SOCRadar and Hudson Rock. The campaign, dubbed FortiBleed, relies not on zero-day exploits but on credential reuse and password spraying against exposed Fortinet management and VPN interfaces.
"The attackers scan the internet for Fortinet devices, try a curated list of known passwords against each one, and record every successful login," SOCRadar said in a report published June 16. "Once a device is compromised, they use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by."
SOCRadar identified more than 30,791 compromised devices spanning 21,108 unique IP addresses and 8,316 unique domains across government, telecommunications, healthcare, education, financial services and critical infrastructure sectors. Hudson Rock's analysis put the figure higher at 73,932 unique Fortinet URLs, based on a dataset first flagged by security researcher Volodymyr Diachenko. The attackers executed an estimated 1.16 billion credential-based attempts against more than 320,000 FortiGate targets while simultaneously launching 2.1 billion brute-force attempts against 160,000 MSSQL servers.
The operation's technical sophistication extends beyond simple credential stuffing. Once inside a device, attackers intercept SSL VPN authentication hashes and crack them offline using a dedicated 45-GPU cluster managed via Hashtopolis, according to Hudson Rock. Compromised devices then serve as listening posts that harvest additional credentials from traversing traffic, creating a self-reinforcing cycle of unauthorized access. India and the US accounted for nearly one-third of all identified credential compromises, with telecommunications bearing the brunt at more than 5,600 devices and government agencies representing 591 compromised systems across 111 domains.
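The spraying pattern the reports describe (one source trying a curated password list against many accounts, then recording the logins that succeed) leaves a characteristic trace in gateway logs: a burst of failed SSL VPN logins from one remote IP across many distinct usernames, sometimes followed by a success from that same IP. The detector below is an added example written for this article, not code from SOCRadar, Hudson Rock or Fortinet. It runs over constructed sample lines in a FortiGate-like key=value event format; the field names (`date`, `time`, `subtype`, `action`, `user`, `remip`) and the action values `ssl-login-fail` / `ssl-login` are assumptions for the example, and the window and threshold are illustrative defaults.

```python
"""Flag password-spraying bursts against SSL VPN logins in FortiGate-style logs.

Added example: the log format, field names and sample lines are constructed
and assumed; adapt the field mapping to the real log schema before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). One source, 203.0.113.7,
# fails against five different accounts in 20 seconds and then logs in as one
# of them; 198.51.100.22 is a single user mistyping a password; 192.0.2.9 is a
# normal login with no prior failures.
SAMPLE_LOGS = """\
date=2026-06-15 time=03:10:01 type=event subtype=vpn action=ssl-login-fail user="alice" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:10:04 type=event subtype=vpn action=ssl-login-fail user="bob" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:10:08 type=event subtype=vpn action=ssl-login-fail user="carol" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:10:12 type=event subtype=vpn action=ssl-login-fail user="dave" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:10:16 type=event subtype=vpn action=ssl-login-fail user="erin" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:10:20 type=event subtype=vpn action=ssl-login user="erin" remip=203.0.113.7 msg="SSL user login"
date=2026-06-15 time=03:12:00 type=event subtype=vpn action=ssl-login-fail user="frank" remip=198.51.100.22 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:12:10 type=event subtype=vpn action=ssl-login-fail user="frank" remip=198.51.100.22 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:12:30 type=event subtype=vpn action=ssl-login user="frank" remip=198.51.100.22 msg="SSL user login"
date=2026-06-15 time=03:15:00 type=event subtype=vpn action=ssl-login user="grace" remip=192.0.2.9 msg="SSL user login"
"""

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict, unquoting quoted values and
    combining the date/time fields into a datetime under key 'ts'."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(
            fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    """Parse every non-empty line of a log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_password_spray(text, window=timedelta(minutes=10), min_users=5):
    """Return {remote_ip: details} for sources whose failed SSL VPN logins hit
    at least `min_users` distinct accounts inside any `window`-long span.
    Successful logins from the same source after the spray began are listed so
    an analyst can see which accounts the spray actually opened."""
    by_ip = defaultdict(list)
    for ev in parse_logs(text):
        if ev.get("subtype") == "vpn" and "remip" in ev and "ts" in ev:
            by_ip[ev["remip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e.get("action") == "ssl-login-fail"]
        best_users, best_start = set(), None
        # Slide a window starting at each failure and keep the span that
        # touches the most distinct usernames.
        for i, start in enumerate(fails):
            users = {e.get("user", "?") for e in fails[i:]
                     if e["ts"] - start["ts"] <= window}
            if len(users) > len(best_users):
                best_users, best_start = users, start["ts"]
        if len(best_users) < min_users:
            continue
        successes = [e.get("user", "?") for e in events
                     if e.get("action") == "ssl-login" and e["ts"] >= best_start]
        alerts[ip] = {
            "distinct_users": len(best_users),
            "users": sorted(best_users),
            "window_start": best_start,
            "successes_after_spray": successes,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_LOGS).items():
        print(ip, info)
```

The threshold counts distinct usernames rather than raw failures, which is what separates a spray from one user fumbling a password (198.51.100.22 above produces failures but never trips the detector). A source that appears in `successes_after_spray` is the case the reports describe as a device turned into a listening post, and is the one to act on first.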
A self-sustaining attack machine
The attackers left an operational server exposed, giving researchers visibility into their infrastructure and victim database. SOCRadar said technical evidence points to Russian-speaking threat actors, noting that victim selection was "heavily weighted toward organizations in NATO member countries." Among the recovered data were credentials for what appears to be a defense industry VPN endpoint, suggesting motives beyond purely financial gain.
The campaign's most striking feature is what it lacks: any exploited Fortinet vulnerability. "There's no zero-day, no exploit, no actual 'bleed,'" said Waseem Ahmed, head of engineering at Secure.com. "Despite the name, this isn't a vulnerability but a pile of credentials leaked in earlier Fortinet breaches, fired back at organizations that never bothered to change them."
Separately, security firm Defused has observed active exploitation of three recently patched Fortinet FortiSandbox vulnerabilities — CVE-2026-39808, CVE-2026-39813 and CVE-2026-25089 — in attacks that began appearing on honeypots in June. The first two were rated critical and patched in April; the third was addressed in Fortinet's June Patch Tuesday update. Defused noted that the exploit for CVE-2026-25089 appeared to have been created using AI and initially did not function when first observed.
Investor implications
Fortinet shares face headwinds as the scale of the FortiBleed campaign raises questions about the company's product security posture and customer trust. Enterprise organizations generating more than $1 billion in annual revenue accounted for more than 20 percent of affected devices, per SOCRadar — precisely the customer base that drives Fortinet's high-margin recurring revenue. The company's firewall and VPN gateways are among the most widely deployed network security appliances globally, making them a persistent target. Hudson Rock launched a verification portal for organizations to check whether their domains appear in the compromised dataset, and SOCRadar urged affected companies to "treat your network perimeter as already compromised and act immediately."
This article is for informational purposes only and does not constitute investment advice.