FortiBleed: The Industrial-Scale Exploitation of 70,000 Fortinet Firewalls via Offline Cracking and Legacy Hashes

A massive cyber espionage operation, colloquially termed “FortiBleed,” has fundamentally shaken the enterprise security landscape. The campaign has compromised over 70,000 Fortinet firewalls and VPN gateways across 194 countries, leaving a gaping security vacuum behind it. This is not merely a collection of isolated breaches; it represents a highly coordinated, industrial-scale exploitation of internet-facing edge infrastructure.

The campaign was first identified by security researcher Volodymyr Diachenko and has since undergone deep forensic analysis by Hudson Rock and security expert Kevin Beaumont. The scale of the exposure is staggering: the attackers have compiled a dataset of 73,932 unique firewall URLs mapped to 21,632 distinct domains. This represents nearly 50% of all publicly accessible Fortinet devices, marking one of the most significant perimeter failures in recent cybersecurity history.

The Mechanics of the FortiBleed Exploit

The attack vector relies on a sophisticated combination of automated reconnaissance and high-performance offline cracking. The threat actors utilized automated scanning tools to locate Fortinet devices with exposed management interfaces. Once identified, they moved to exfiltrate device configuration files—a critical failure point that turned a remote vulnerability into a massive credential leak.

By obtaining these configuration files, the attackers bypassed the standard “live” authentication hurdles. Traditional brute-force attacks are often stymied by rate-limiting and account lockout policies enforced by the firewall. However, by moving the attack offline, the threat actors could run unlimited password attempts against the captured hashes without triggering any network-level defenses.

The sheer computational volume of this operation is unprecedented. Investigators estimate that attackers launched approximately 1.16 billion credential attempts against more than 320,000 FortiGate systems. Simultaneously, they directed a massive secondary wave of 2.1 billion brute-force attempts toward Microsoft SQL servers, likely seeking to pair administrative network access with database dominance.

Figure: Leaked database structure analyzed by Hudson Rock.

Infrastructure and the “Legacy Hash” Vulnerability

The campaign is attributed to a Russian-speaking threat group utilizing highly professionalized infrastructure. Most notably, they manage a dedicated 45-GPU cracking cluster via Hashtopolis, a distributed cracking framework, to maximize the speed of their password recovery efforts.

A critical technical nuance in this breach involves how credentials were stored. While Fortinet introduced more robust PBKDF2-based hashing in early 2025 to mitigate such risks, a large number of devices remained vulnerable. Many administrators had applied the firmware update but never re-authenticated afterwards, so their stored credentials were never rehashed and the devices continued to carry the older, weaker salted SHA-256 hashes. This “security debt” allowed attackers to crack credentials with far greater efficiency once the configuration data was exfiltrated.
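The cost asymmetry behind the offline attack described above, as an added Python illustration that is not from the article or from Fortinet: a single-round salted SHA-256 record stands in for the legacy scheme and PBKDF2-HMAC-SHA256 for the modern one, with the record format, 16-byte salt and 600,000-iteration count all assumed for illustration. The `rehash_on_login` function shows why a device stays weak until its administrators actually re-authenticate after the upgrade.

```python
import hashlib
import hmac
import os

# Added illustration, not Fortinet's actual record format: a single-round salted
# SHA-256 digest stands in for the "legacy" scheme and PBKDF2-HMAC-SHA256 for the
# modern one. The salt length and iteration count are assumed values.
PBKDF2_ITERATIONS = 600_000

def legacy_hash(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt || password: a single hash call per offline guess."""
    return hashlib.sha256(salt + password.encode()).digest()

def modern_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: PBKDF2_ITERATIONS HMAC calls per offline guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_record(password: str, scheme: str) -> dict:
    """Store a credential under the given scheme ('legacy' or 'pbkdf2')."""
    salt = os.urandom(16)
    fn = legacy_hash if scheme == "legacy" else modern_hash
    return {"scheme": scheme, "salt": salt, "digest": fn(password, salt)}

def verify(record: dict, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    fn = legacy_hash if record["scheme"] == "legacy" else modern_hash
    return hmac.compare_digest(fn(candidate, record["salt"]), record["digest"])

def offline_guess_cost(scheme: str, guesses: int) -> int:
    """Hash invocations for `guesses` offline attempts. With the configuration
    file in hand there is no lockout or rate limit, so this cost is the only brake."""
    return guesses * (1 if scheme == "legacy" else PBKDF2_ITERATIONS)

def rehash_on_login(record: dict, password: str) -> dict:
    """What a post-upgrade re-authentication achieves: a legacy record that
    verifies is rewritten under PBKDF2. Until that login the weak digest stays."""
    if not verify(record, password):
        raise ValueError("authentication failed")
    if record["scheme"] == "legacy":
        return make_record(password, "pbkdf2")
    return record

if __name__ == "__main__":
    pw = "constructed-sample-password"
    rec = make_record(pw, "legacy")
    for scheme in ("legacy", "pbkdf2"):
        print(scheme, "hash calls for 1e9 guesses:", offline_guess_cost(scheme, 10**9))
    print("scheme after re-login:", rehash_on_login(rec, pw)["scheme"])
```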

Beyond local management credentials, the attackers also intercepted SSL VPN authentication hashes. This allowed them to bridge the gap between perimeter access and internal network movement, effectively turning a firewall breach into a full-scale enterprise takeover.

Impact: From Corporate Giants to National Security

Post-compromise telemetry shows that the attackers were not content with mere entry. Once administrative access was secured, they pivoted into Active Directory (AD) environments to escalate privileges, establish persistent backdoors, and begin large-scale data exfiltration. The intelligence suggests a highly structured operation, likely functioning as an Initial Access Broker (IAB), where victims are categorized by sector, revenue, and geography to be sold to the highest bidder on the dark web.

The fallout is global and includes high-value targets in Japan, Taiwan, Vietnam, Iraq, and Turkey. Notably, a Turkish NATO contractor was hit, with reports indicating the theft of classified defense documentation. The list of compromised organizations includes household names and industry leaders such as Samsung, Siemens, Lenovo, PwC, Accenture, Comcast, and Oracle.

Figure: The industrialized nature of the credential harvesting process.

One of the most sobering findings from the attacker logs is that even highly complex, long passwords were successfully cracked. This underscores a hard truth in modern security: password strength is a secondary defense once the underlying hash or configuration file has been exfiltrated.

Immediate Remediation and Defense Strategy

Security professionals should not treat FortiBleed as a theoretical threat, but as an active, ongoing compromise scenario. Organizations utilizing Fortinet hardware must move beyond simple patching and implement the following technical mitigations:

  • Isolate Management Interfaces: Immediately remove all public-facing access to FortiGate management interfaces. Use a dedicated, out-of-band management network or a strictly controlled VPN.
  • Enforce Full Credential Rotation: Do not simply change passwords; you must ensure that all credentials are rehashed using the modern PBKDF2 standard. This is often achieved by requiring all administrators to log out and back in following a firmware update.
  • Assume Persistence: Because attackers have demonstrated the ability to pivot into Active Directory, organizations must conduct thorough forensic audits to check for unauthorized service accounts, new domain admin users, or unusual scheduled tasks.
  • Mandate Multi-Factor Authentication (MFA): MFA must be enforced across all access points—both at the perimeter and for internal lateral movement—to neutralize the utility of stolen credentials.
  • Monitor Threat Intelligence: Continuously cross-reference your internal credential sets against known dark web leaks and threat intelligence feeds to detect compromised accounts early.
