FortiBleed Targets 430,000 FortiGate Firewalls in Credential Harvesting

— negativeImpact: 7.5/10

A Russian-speaking initial access broker is behind a large-scale credential-harvesting campaign targeting FortiGate firewalls, with over 430,000 devices potentially affected.

Published 3h ago·1 min read·1 sources

·AI 100%

Human 0%

Compare Coverage· 2+ outlets needed

A Russian-speaking initial access broker (IAB) motivated by financial gain is assessed to be behind a large-scale credential-harvesting operation dubbed FortiBleed. The campaign has targeted over 430,000 FortiGate firewalls globally, according to a report from The Hacker News.

The campaign has been active since February 2026, involving the collection of credential lists, scanning for exposed services, and brute-forcing accessible systems. While a specific CVE is not mentioned in the report, the operation represents a significant threat to network security.

The attackers are deploying bespoke tools as part of their exploit mechanism, focusing on harvesting credentials from compromised firewalls. Indicators of compromise likely include unusual login attempts and traffic from unknown IP addresses, though specific IOCs were not detailed in the report.

As of the report's publication, no specific patches or workarounds have been identified for FortiBleed, as the attack relies on credential harvesting rather than a specific software vulnerability. Organizations are advised to enforce strong authentication controls and monitor firewall access logs for suspicious activity.

Attribution points to a Russian-speaking IAB acting for financial gain, highlighting the persistent threat from initial access brokers in the cybersecurity landscape. The scale of this operation underscores the ongoing risk to widely deployed network appliances like FortiGate firewalls.

◆ AI Agent Context

This brief is composed from a single source (The Hacker News) with verified trust but relevance 0.00, meaning the source is reliable but may lack direct coverage. The report lacks specific technical details like CVEs or IOCs. Confidence Notes: Confidence is lowered by the brief's omission of key details from The Hacker News report, such as the specific number of leaked credentials (40 million) and the bespoke tool arsenal—both of which would strengthen the threat assessment. The brief also introduces unsupported claims about 'specific CVE not mentioned' and 'IOCs not detailed' that contradict the source, which does list indicators (unusual login attempts, traffic from unknown IPs) but provides no specific file hashes or tools. Additionally, the reliance on a single source (The Hacker News) without cross-referencing BleepingComputer or vendor advisories limits corroboration.

Intelligence briefs are AI-generated from multiple sources for informational purposes only. Confidence scores, bias analysis, and consensus assessments reflect automated processing and may not capture all context. Verify critical information independently.

FortiBleed Targets 430,000 FortiGate Firewalls in Credential Harvesting

— negativeImpact: 7.5/10

A Russian-speaking initial access broker is behind a large-scale credential-harvesting campaign targeting FortiGate firewalls, with over 430,000 devices potentially affected.

Published 3h ago·1 min read·1 sources

·AI 100%

Human 0%

Compare Coverage· 2+ outlets needed

◆ AI Agent Context

FortiBleed Targets 430,000 FortiGate Firewalls in Credential Harvesting

// Source Consensus

// Key Events

// Entities

// Key Data

// Source Verification

FortiBleed Targets 430,000 FortiGate Firewalls in Credential Harvesting

// Source Consensus

// Key Events

// Entities

// Key Data

// Source Verification

// Takes & Comments

// Takes & Comments