335/69 Monday, June 22, 2026

Reports indicate that FortiBleed has exposed a large-scale attack campaign that attempted to log in to Fortinet VPNs through billions of credential spraying attempts, resulting in compromises of multiple organizations worldwide. The incident was discovered by Volodymyr “Bob” Diachenko, a researcher from SecurityDiscovery.com, after the attackers’ infrastructure was exposed on the internet in June 2026. According to the reports, the threat actors did not target a specific organization but operated at an industrial scale, scanning more than 320,000 FortiGate SSL VPN endpoints and more than 247,000 Sophos user portals. They then used thousands of basic username and password combinations to conduct a massive number of login attempts.
Based on the discovered data, the attackers used a dedicated tool named forticheck to perform credential spraying against FortiGate, generating approximately 1.16 billion login attempt combinations. At the same time, a parallel campaign targeted more than 163,000 MSSQL servers with over 2.1 billion login attempts. Once the attackers gained access to a target’s infrastructure, they deployed network sniffing tools to collect credentials transmitted through unencrypted or insufficiently protected protocols, such as HTTP, FTP, SMTP, and LDAP. They also captured Kerberos and NTLM hashes for cracking on high-performance computing infrastructure, then used the obtained credentials to gain further access to systems, such as hijacking VPN sessions and accessing Active Directory.
Reports indicate that the attack dataset covered 73,932 publicly exposed FortiGate devices across 21,613 organizations in 207 countries. High-risk sectors included IT service providers, telecommunications, financial services, and government agencies. It was also claimed that at least four organizations had been fully compromised in several countries, including Japan, Taiwan, Vietnam, Iraq, and Turkey. However, some of the information remains based on the researcher’s assessment and has not yet been independently confirmed. Administrators using FortiGate should reduce direct internet exposure of management interfaces and SSL VPN services, update FortiOS, change passwords for all administrator and local accounts, revoke active VPN sessions, and check whether employee credentials may have been leaked by infostealers in order to limit the risk of credential reuse in follow-on attacks.
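As a defensive complement to the credential spraying pattern described above, the following added example (not from the report or from Fortinet) flags sources that fail logins for many distinct usernames in a short window and then notes any successful tunnel from the same source. The log lines are constructed, and the key=value field names (`action`, `remip`, `user`) and action values are assumptions to adapt to your own VPN log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names and action values are assumptions.
SAMPLE_LOG = """\
date=2026-06-20 time=03:10:01 action="ssl-login-fail" remip=203.0.113.7 user="admin"
date=2026-06-20 time=03:10:03 action="ssl-login-fail" remip=203.0.113.7 user="test"
date=2026-06-20 time=03:10:05 action="ssl-login-fail" remip=203.0.113.7 user="vpn"
date=2026-06-20 time=03:10:08 action="ssl-login-fail" remip=203.0.113.7 user="guest"
date=2026-06-20 time=03:10:11 action="tunnel-up" remip=203.0.113.7 user="backup"
date=2026-06-20 time=09:00:00 action="ssl-login-fail" remip=198.51.100.20 user="alice"
date=2026-06-20 time=09:00:40 action="ssl-login-fail" remip=198.51.100.20 user="alice"
date=2026-06-20 time=09:01:10 action="tunnel-up" remip=198.51.100.20 user="alice"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def detect_spray(log_text, min_users=4, window=timedelta(minutes=10)):
    """Return {source_ip: {"users": set, "success_after": list}} for sources
    that failed logins for >= min_users distinct usernames within window."""
    fails = defaultdict(list)   # source ip -> [(timestamp, username)]
    findings = {}
    for ev in map(parse, filter(None, log_text.splitlines())):
        src = ev["remip"]
        if ev["action"] == "ssl-login-fail":
            fails[src].append((ev["ts"], ev["user"]))
            recent = {u for t, u in fails[src] if ev["ts"] - t <= window}
            if len(recent) >= min_users:
                entry = findings.setdefault(
                    src, {"users": set(), "success_after": []})
                entry["users"] |= recent
        elif ev["action"] == "tunnel-up" and src in findings:
            # A success right after a spray is the account to reset first.
            findings[src]["success_after"].append(ev["user"])
    return findings

if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_LOG).items():
        print(ip, sorted(hit["users"]), "-> success:", hit["success_after"])
```

Grouping by source only catches a spray coming from one address; for a campaign spread across many sources, apply the same counting per username over distinct source addresses.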
