Sentinel Brief

FortiBleed: 86,644 Fortinet Firewalls Exposed

network firewall server rack hardware data center - a blue and black machine

Photo by U. Storsberg on Unsplash

This editorial analysis draws on original reporting by Google News, supplemented by technical advisories from CISA, SOCRadar, and Arctic Wolf published between June 13 and July 3, 2026.

The Threat: Half the Internet's Fortinet Perimeter

86,644. That is the confirmed count of Fortinet FortiGate firewalls compromised in a single coordinated campaign that began no later than February 2026 — a figure that, as of July 3, 2026, represents roughly half of every internet-facing FortiGate appliance on the planet. The threat actor responsible did not need a zero-day exploit. The weapon was simpler and, in many ways, harder to remediate: credential hygiene failure at industrial scale, accelerated by a 45-GPU Hashtopolis cluster (a distributed password-cracking tool) deployed at a compute scale previously associated with AI model training infrastructure.

The campaign surfaced publicly on June 13, 2026, when security researcher Volodymyr Diachenko discovered an exposed threat actor server holding the full dataset. SOCRadar was first to attribute FortiBleed to the INC and Lynx ransomware operations — a linkage confirmed when an operator was observed simultaneously logged into both INC Ransom and Lynx negotiation panels, with victim overlap between FortiBleed-linked servers and INC infrastructure validated directly. CISA issued an emergency advisory on June 18, 2026; UK NCSC and Fortinet PSIRT warnings followed within six days. By early July 2026, at least 354 confirmed FortiGate intrusions and a minimum of 12 ransomware deployments had been documented.

The underlying reconnaissance operation puts the blast radius in sharper focus: attackers scanned 59.3 million hosts, fingerprinted over 437,000 FortiGate devices, and harvested more than 105 million credentials using fully automated tooling. The 86,644 confirmed compromises are the visible surface of an operation still running.

Blast Radius — Who Should Actually Be Worried

Any organization running a Fortinet FortiGate appliance or SSL VPN gateway that has not forced complete credential rotation since its last FortiOS upgrade should treat its network perimeter as potentially already compromised. That qualifier is not boilerplate caution — it is the precise failure mode that made FortiBleed possible at this scale.

Arctic Wolf's technical investigation identified the root cause. When organizations upgrade to FortiOS versions implementing stronger PBKDF2 password hashing, existing administrator credentials remain stored as legacy SHA-256 hashes until those administrators manually log in post-upgrade and trigger automatic rehashing. Shops that applied the FortiOS update, confirmed the patch status, and moved on left years of admin credentials sitting in the weaker hash format — directly crackable by the Hashtopolis cluster the attackers deployed. A 45-GPU setup processing SHA-256 hashes can recover moderately complex passwords in hours, not days. The upgrade created a false sense of remediation while the underlying credential exposure remained fully intact.

Two prior CVEs amplify the threat surface. CVE-2022-40684 (CVSS 9.8) — a critical path traversal flaw in FortiOS — allowed unauthenticated attackers to read and modify device configurations including administrator credentials, and likely contributed to the initial credential pool feeding FortiBleed. CVE-2026-24858 (CVSS 9.8), a FortiCloud SSO SAML authentication bypass disclosed by Fortinet in January 2026, remains under investigation for its potential role in a subset of initial access cases.

As of July 3, 2026, credentials from approximately 430,000 FortiGate firewalls are actively feeding ransomware deployment pipelines. INC Ransom has claimed more than 800 victims since July 2023; Lynx has accumulated nearly 300 confirmed victims since July 2024. Both operations now hold authenticated access to credentials harvested from tens of thousands of compromised network perimeters.

Ransomware Victim Counts Linked to FortiBleed (July 2026) INC Ransom (since July 2023) 800+ Lynx (since July 2024) ~300 FortiBleed (confirmed intrusions) 354 0 400 800

Chart: Confirmed victim counts for INC Ransom, Lynx, and FortiBleed-attributed intrusions as of July 2026. Bars are proportional on a 0–800 scale. Sources: SOCRadar, CISA.

cybersecurity threat intelligence screen dashboard analyst - a computer screen with a bar chart on it

Photo by 1981 Digital on Unsplash

Why the Defense Stack Has to Change, Not Just the Patch Status

SOCRadar stated it plainly in their FortiBleed analysis: "FortiBleed has no CVE and no patch to apply. It is not a single software vulnerability. It is a credential exposure built from stolen FortiGate configuration files, credential reuse, and offline hash-cracking. If your organization uses a Fortinet FortiGate firewall or SSL VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately." A system running the current FortiOS build with SHA-256-hashed legacy admin passwords is still a compromised system waiting for the cracking cluster to catch up.

Three control layers require simultaneous attention — and none of them is "verify patch status."

Tech controls: CISA's June 18, 2026 advisory directs affected organizations to immediately terminate all active SSL VPN sessions, force-reset all administrator and VPN user credentials, and enforce phishing-resistant MFA (multi-factor authentication using FIDO2 hardware security keys or certificate-based methods — not SMS codes, which remain interceptable at the network level) on all administrative interfaces. Configuration audits should cover the February–June 2026 window and target unrecognized admin accounts, modified SSL VPN policies, and anomalous outbound connections.

Process controls: The SHA-256 persistence problem is a post-upgrade checklist failure at enterprise scale. Security teams need a documented, evidenced control requiring manual administrator re-login immediately following any authentication subsystem upgrade — that single action triggers rehashing. Incident response runbooks should be updated to include credential rehashing verification as a required post-upgrade gate, not optional documentation. The organizations that missed this step trusted the patch summary more than the implementation detail.

People controls: Attackers began scanning and fingerprinting Fortinet infrastructure in February 2026. CISA's advisory came in June. That four-month gap is the operational cost of reactive detection. Active threat intelligence — continuously monitoring for indicators that your specific infrastructure is being targeted — compresses that window significantly. This pattern of automated reconnaissance preceding mass exploitation is consistent with what AI Agents News documented in the MCP Tool Poisoning campaign, where automated credential attacks outran organizational detection by months.

The 45-GPU Hashtopolis cluster carries a specific implication for security architecture that extends beyond FortiBleed. The same GPU hardware driving AI training workloads is now routinely weaponized for offline credential cracking at a scale and cost structure that makes it accessible to mid-tier ransomware operations. SHA-256-hashed credentials of any reasonable complexity should now be treated as effectively recoverable by sophisticated threat actors within days of interception. That is a data protection assumption that needs to change across the industry — Fortinet customers are the current blast radius, but the tooling is not Fortinet-specific.

Ship This Control Today

One action. Not a 30-item checklist. Force complete credential rotation on every FortiGate appliance and SSL VPN gateway, then verify that post-upgrade password rehashing has completed under the current FortiOS PBKDF2 implementation.

In practice: every administrator logs into each FortiGate appliance after the latest FortiOS upgrade — this is the manual action that triggers rehashing and it does not happen automatically at upgrade time. All SSL VPN user credentials are invalidated and reset. Phishing-resistant MFA is enabled on every administrative interface. FortiOS logs for February–June 2026 are pulled and reviewed for anomalous sessions, configuration changes, and unfamiliar outbound connections. CISA's June 18, 2026 emergency advisory is the authoritative operational checklist — use it directly, not a vendor's summarized version of it.

In my analysis, the most dangerous organizations in the FortiBleed dataset are not the ones that never updated FortiOS. They are the ones that updated, confirmed patch status, and assumed the credential risk was resolved. When I examine how the SHA-256 persistence mechanism actually works, this incident makes a structural argument: "system patched" and "credentials verified under current hash algorithm" are different security controls, and treating them as a single checkbox is precisely how 86,644 firewalls become a ransomware blast radius.

Frequently Asked Questions

What is FortiBleed and why is it different from a normal software vulnerability?

FortiBleed is a credential exposure campaign that compromised 86,644 Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries. Unlike a traditional software vulnerability, it carries no CVE identifier and has no available software patch. The exposure resulted from stolen device configuration files, credential reuse, and offline cracking of SHA-256-hashed passwords. SOCRadar confirmed explicitly: "FortiBleed has no CVE and no patch to apply. It is not a single software vulnerability." It is a credential hygiene and identity security failure that patching FortiOS alone cannot reverse.

Is FortiBleed a CVE vulnerability, and does patching FortiOS resolve the exposure?

No CVE has been assigned to FortiBleed. Two related CVEs — CVE-2022-40684 and CVE-2026-24858, both rated CVSS 9.8 — may have contributed to initial credential harvesting in some affected environments, but FortiBleed itself is not a patchable code flaw. Applying the latest FortiOS release does not remediate the exposure if administrator passwords were not reset post-upgrade to trigger rehashing from SHA-256 to PBKDF2. Patching is necessary but insufficient without a completed, verified credential rotation on all appliances.

How does FortiBleed work technically, and what role does SHA-256 password hashing play?

Attackers scanned 59.3 million hosts, fingerprinted over 437,000 FortiGate devices, and harvested more than 105 million credentials from stolen configuration files. Many of those credentials were stored as SHA-256 hashes — a weaker format that persists in FortiGate systems even after an organization upgrades to FortiOS versions using stronger PBKDF2 hashing, because rehashing only occurs when an administrator manually logs in post-upgrade. Attackers deployed a 45-GPU Hashtopolis cluster to crack those SHA-256 hashes offline, recovering plaintext credentials usable for direct network and VPN authentication.

How can I check if my FortiGate firewall has been compromised by FortiBleed?

Audit FortiOS logs for the February–June 2026 window and look for unrecognized administrator logins, unexpected changes to SSL VPN policies, new or modified admin accounts, and anomalous outbound connections to unfamiliar IP addresses. SOCRadar and other threat intelligence platforms have published indicators of compromise (IOCs — known-bad IP addresses, hostnames, and file hashes associated with the campaign's infrastructure). Fortinet PSIRT guidance also recommends verifying whether your device serial numbers or IP ranges appear in any published FortiBleed exposure dataset.

Is there a patch for FortiBleed, and what steps should I take immediately?

No software patch exists because FortiBleed is not a software vulnerability. Remediation is operational: immediately terminate all active SSL VPN sessions; force-reset all administrator and VPN user credentials; verify that post-upgrade password rehashing to PBKDF2 has completed by confirming that all administrators have manually logged in since the last FortiOS upgrade; and enforce phishing-resistant MFA on all administrative interfaces. CISA's emergency advisory dated June 18, 2026 provides the authoritative step-by-step guidance — follow it directly.


Bottom Line
  • As of July 3, 2026, FortiBleed has confirmed compromises across 86,644 Fortinet FortiGate devices in 194 countries — roughly half of all internet-facing FortiGate appliances globally.
  • No CVE. No patch. The campaign exploits legacy SHA-256 password hashes that persist in FortiGate systems after FortiOS upgrades until administrators manually re-authenticate and trigger rehashing.
  • INC and Lynx ransomware operations — with a combined confirmed victim history exceeding 1,100 organizations since 2023 — are actively deploying against the stolen credential dataset.
  • The one control to ship today: force complete credential rotation on every FortiGate appliance and SSL VPN gateway, verify PBKDF2 rehashing is complete, and enforce phishing-resistant MFA on all administrative accounts.

Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Always consult a qualified cybersecurity professional for guidance specific to your organization's environment and needs. Research based on publicly available sources current as of July 3, 2026.