Full Report
FortiBleed — 75k Fortinet firewalls have admin passwords crackedAn interesting post popped up on LinkedIn at the weekend from Voldymyr Diachenko saying plain text passwords were found in the wild by Hunt Intelligence Inc for Fortinet firewalls:This is similar to the Belsen Group incident, which I revealed last year:2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.I’ve had a look at the data, with the help of the folks at Hudson Rock, and can confirm:The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data.The data appears to have come from exports of config from the devices, as it includes things which are only visible from the device itself.The IP addresses are largely different to the Belsen Group leak, which was 15k devices. It includes mostly devices not in the Belsen Group leak, and in this case most of the devices are still online — this isn’t data from 2022.I have worked with several orgs listed, and can confirm the logins and passwords are real. Many of the devices sampled are on fairly recent patches.The data comprises of roughly 50% of all Fortinet firewall devices facing the internet, based on polling from Shodan.In a majority of cases, the Fortigate Management Interface is exposed to the internet on impacted devices.What could attackers do this this information?They can log in remotely and gain remote access to the firewall — and so the network. They can also change settings, including security controls and make backdoor users.How did this happen?It is currently unclear. With the Belsen Group incident, a 2022 zero day was used to dump the configs, with the data published much later in 2025.With this, it is unclear how the configs were exported or devices accessed. It may be from one of the many, many known CVEs for Fortinet firewalls — or it may be a new vulnerability — keep tuned for updates.Fortinet tried to harden the storage of admin credentials in early 2025, after my prior blog:You’ll note the move to PBKDF2 storage of credentials. This happened in recent firmware updates applied during the past 12 or so months — and only if admins each logged in after applying the updates.As such, many devices would have have storing credentials in SHA-256 with Salt — which is vulnerable to bruteforce to gain passwords from stolen config files.What orgs should do?Check you are impacted. Do that here: https://www.hudsonrock.com/fortinetEnter your domain name(s). If you are impacted:rotate admin credentials immediately and look for prior logins to said usersif you see suspect success logins to admin users, I would suggest replacing the device as they may have altered settings to backdoor a deviceupgrade to the latest FortiOS release, and have admins log back in to change passwordsdo not expose the FortiOS management interface to the internet unless absolutely necessaryimplement multi-factor authentication on all admin usersassume compromise. It is unclear where Hunt Intelligence obtained the data from and how long it has been in circulation, however it is formatted in a way which looks like an eCrime gang — e.g. it lists the type of company, their revenue and country. This is a very common format in eCrime circles when selling initial access information.UpdatesYou can follow me on Mastodon if you wish (to suffer, I guess):Kevin Beaumont (@[email protected])FortiBleed — 75k Fortinet firewalls have admin passwords cracked was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.
Analysis Summary
# Incident Report: Project FortiBleed (Mass Credential Leak)
## Executive Summary
Approximately 75,000 Fortinet firewall administration credentials and configuration exports were discovered leaked in the wild, appearing in a format typical of eCrime initial access brokers. The leak impacts roughly 50% of internet-facing Fortigate devices, many of which had management interfaces exposed. Immediate remediation including credential rotation, firmware updates, and MFA implementation is required to prevent full network compromise.
## Incident Details
- **Discovery Date:** June 2026 (Reported by Voldymyr Diachenko/Hunt Intelligence Inc)
- **Incident Date:** Recent (Post-2025 data based on firmware analysis)
- **Affected Organization:** Global (75,000 distinct devices)
- **Sector:** Multi-sector (Includes eCrime metadata such as revenue and industry)
- **Geography:** International
## Timeline of Events
### Initial Access
- **Date/Time:** Undetermined (Likely occurred in the months leading up to June 2026)
- **Vector:** Unclear; suspected use of known CVEs or a potential new vulnerability.
- **Details:** Attackers obtained full configuration exports. Many devices were running firmware using SHA-256 with Salt for credential storage, which is susceptible to offline brute-forcing once the config file is stolen.
### Lateral Movement
- **Details:** While the report focuses on the leak, the availability of admin credentials allows attackers to establish remote access to the internal network through the compromised firewall.
### Data Exfiltration/Impact
- **Details:** 75,000 configuration files containing plain-text or easily crackable passwords were stolen and organized into a database for sale/distribution.
### Detection & Response
- **Discovery:** Hunt Intelligence Inc and Hudson Rock identified the data leak in eCrime circles.
- **Response Actions:** Public disclosure by security researchers (Kevin Beaumont); provision of a lookup tool by Hudson Rock for organizations to check their domain.
## Attack Methodology
- **Initial Access:** Exploitation of firewall vulnerabilities (Known CVEs or Zero-Day) to export device configurations.
- **Persistence:** Creation of backdoor users (potential) once admin access is gained.
- **Credential Access:** Offline brute-forcing of stolen configuration files containing SHA-256 salted hashes.
- **Discovery:** Mass scanning for internet-exposed Fortigate Management Interfaces (Shodan polling).
- **Impact:** Complete administrative control over the perimeter security device.
## Impact Assessment
- **Financial:** High potential for ransomware or extortion given the inclusion of company revenue in the leaked data.
- **Data Breach:** Exposure of 75,000 administrative credentials and internal network configuration details.
- **Operational:** Potential for attackers to shut down security controls or disable network connectivity.
- **Reputational:** High-profile leak affecting nearly 50% of the brand's internet-facing footprint.
## Indicators of Compromise
- **Network indicators:** Logins from unauthorized/unrecognized IP addresses to the FortiOS Management Interface.
- **Behavioral indicators:** Success logins for admin users during non-business hours; unauthorized creation of new administrative accounts; unexplained changes to firewall policy or routing.
## Response Actions
- **Containment:** Disable the FortiOS management interface from facing the public internet.
- **Eradication:** Rotate all administrative credentials immediately. Upgrade firmware to the latest release to move credential storage to PBKDF2.
- **Recovery:** Audit all configuration changes made recently. If suspicious activity is found, consider a full factory reset or device replacement to ensure no persistence remains.
## Lessons Learned
- **Vulnerability of Management Interfaces:** Exposing administrative interfaces to the public internet remains the primary catalyst for mass-scale exploitation.
- **Legacy Hashing Risks:** Even patched devices remain vulnerable if the passwords were not changed *after* the patch to trigger the migration to stronger hashing (PBKDF2).
- **Metadata Context:** eCrime groups are increasingly professionalized, enriching leaked data with financial info (revenue) to prioritize high-value targets.
## Recommendations
- **Zero Trust/VPN:** Only allow management access via a trusted VPN or internal "jump box."
- **Mandatory MFA:** Enable Multi-Factor Authentication for all administrative accounts.
- **Patch Management:** Ensure firmware is updated immediately, followed by a mandatory password reset for all admins to ensure cryptographic hardening is applied to the stored credentials.
- **Monitoring:** Implement centralized logging for all firewall administrative actions to detect unauthorized changes.