Attribution note: This analysis draws on reporting aggregated by Google News and synthesizes coverage from Help Net Security, SOCRadar, SecurityWeek, BleepingComputer, and official CISA advisories published as of June 21, 2026.
The Threat — A Credential Harvest at Industrial Scale
1.16 billion. That is the number of authentication attempts a threat actor fired at more than 320,000 FortiGate targets in a single coordinated operation, a number that makes the word "brute-force" sound almost quaint. In mid-June 2026, security researcher Volodymyr 'Bob' Diachenko found that the attackers had accidentally left their operational server publicly accessible, exposing the complete tooling, scripts, and logs of a campaign now named FortiBleed. What those logs revealed was a methodical credential-harvesting operation powered by a 45-GPU cluster running the Hashtopolis distributed password-cracking framework (Hashtopolis is a client-server front end that farms hashcat cracking jobs out across many GPU workers).
According to Help Net Security, FortiBleed compromised credentials tied to 73,932 unique Fortinet firewall and VPN URLs across 21,632 unique domains spanning 194 countries. SOCRadar independently reported a higher count of 86,644 compromised devices and released a free lookup tool for organizations to check domain exposure. The roughly 17-percent divergence between the two figures reflects differences in scope methodology, not a conflict in the underlying facts. Both numbers land in the same category: catastrophic.
Independent security researcher Kevin Beaumont reviewed the exposed dataset and offered a critical observation: "The affected IP addresses are largely different from those in prior Fortinet leaks, indicating that FortiBleed represents a newer and more recent collection rather than a repackaging of old data." That assessment forecloses the easy assumption that credential resets from earlier Fortinet incidents already covered this exposure.
The 45-GPU cluster is itself a signal worth noting. Offensive operations at this scale now depend on the same AI compute infrastructure that powers legitimate machine-learning workloads — GPU clusters, distributed job orchestration, automated pipeline management. As commodity GPU access has expanded, the cost of credential cracking at industrial scale has dropped correspondingly. The intersection of AI compute and offensive security operations is no longer theoretical.
The Second Strike — Splunk Enterprise CVE-2026-20253
Running in parallel with FortiBleed, a critical flaw in Splunk Enterprise — CVE-2026-20253, carrying a CVSS score of 9.8 — moved from public disclosure to active exploitation in approximately 48 hours. Splunk published its advisory on June 10, 2026. Researchers at WatchTowr produced proof-of-concept code within two days, demonstrating that the vulnerability's file-write primitive "can be chained into remote code execution by abusing PostgreSQL's lo_export function to write and subsequently execute malicious scripts on the Splunk server." No authentication is required to trigger it.
On June 18, 2026, CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities (KEV) catalog, the official government list of flaws confirmed to be actively weaponized, and ordered federal agencies to complete remediation by June 21, 2026. SecurityWeek confirmed that exploitation in the wild preceded the CISA directive. Affected versions are Splunk Enterprise 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. Patched releases are 10.4.0, 10.2.4, and 10.0.7.
The strategic significance is compounding. Splunk is the platform many security operations centers (SOCs) use for threat detection and AI-powered security analytics. Compromising a Splunk deployment does not simply give an attacker a foothold — it blinds the organization's own security telemetry, potentially concealing lateral movement, data exfiltration, and follow-on attacks in real time.
Blast Radius — Who Carries the Real Exposure
The named victim organizations in FortiBleed, as reported across Help Net Security and BleepingComputer, include Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, and Infosys, alongside government agencies and a Turkish NATO defense contractor whose classified documents were reportedly exfiltrated. As of mid-June 2026, researchers estimate that approximately 50 percent of all internet-reachable FortiGate devices were affected by this campaign. That is not a fringe exposure — it is a baseline assumption that half the FortiGate fleet on the public internet has credentials that should be treated as compromised until a rotation is confirmed.
Chart: Source divergence between Help Net Security (73,932) and SOCRadar (86,644) reflects differing scope methodologies; both draw from the same underlying FortiBleed dataset.
The Splunk exposure compounds the Fortinet risk in one specific, nasty way: organizations that rely on Splunk to detect anomalous authentication activity against their FortiGate devices may now have a blind spot in both systems simultaneously. An attacker holding valid Fortinet credentials who has also disabled Splunk alerting has, in effect, cut the alarm wires before entering the building. Small and mid-sized businesses running unpatched FortiGate appliances at the network perimeter — often with shared or infrequently rotated credentials — represent the lowest-friction targets in this blast radius.
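The detection that a compromised Splunk instance can no longer be trusted to run is not complicated, and it does not have to live in Splunk. The following is an added example written for this article (it is not code from the page's sources, from Fortinet, or from Splunk): a standalone detector that parses FortiOS-style key=value syslog lines and flags a source IP either for brute force (many failures inside a sliding window) or for password spraying (failures against many distinct accounts). The log lines are constructed for the example; the field names follow the usual FortiOS admin-login event layout, but the thresholds, device name and addresses are assumptions.

```python
"""Brute-force / password-spray detector over FortiGate login events.

Added example for this article, not code from the page's sources or from
Fortinet/Splunk.  The sample lines in sample_lines() are constructed and the
thresholds (10 failures or 5 distinct users in 5 minutes) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FortiOS logs are space-separated key=value pairs; values with spaces are quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Return a dict of fields from one FortiOS key=value log line."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_failed_login(ev):
    return ev.get("action") == "login" and ev.get("status") == "failed"


def detect_auth_abuse(lines, window=timedelta(minutes=5),
                      max_failures=10, max_users=5):
    """Sliding-window count of failed logins per source IP.

    Returns {srcip: {"brute_force": bool, "spray": bool,
                     "failures": int, "users": int}}
    containing only sources that tripped at least one rule.
    """
    events = []
    for line in lines:
        ev = parse_fortios_line(line)
        if not is_failed_login(ev):
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        events.append((ts, ev.get("srcip", ""), ev.get("user", "")))
    events.sort()  # window logic below assumes chronological order

    hits = {}
    per_src = defaultdict(deque)  # srcip -> deque of (ts, user) inside the window
    for ts, src, user in events:
        q = per_src[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        failures = len(q)
        users = len({u for _, u in q})
        if failures >= max_failures or users >= max_users:
            prev = hits.get(src, {"brute_force": False, "spray": False,
                                  "failures": 0, "users": 0})
            hits[src] = {
                "brute_force": prev["brute_force"] or failures >= max_failures,
                "spray": prev["spray"] or users >= max_users,
                "failures": max(failures, prev["failures"]),
                "users": max(users, prev["users"]),
            }
    return hits


def sample_lines():
    """Constructed FortiOS-style admin-login events (not real telemetry):
    203.0.113.7 hammers 'admin' 12 times in two minutes (brute force),
    198.51.100.9 tries six different accounts once each (spray),
    192.0.2.5 fails twice and then succeeds (benign typo)."""
    base = datetime(2026, 6, 15, 9, 0, 0)
    tmpl = ('date={d} time={t} devname="fw-edge-01" logid="{lid}" type="event" '
            'subtype="system" level="alert" vd="root" user="{u}" ui="https({ip})" '
            'method="https" srcip={ip} dstip=192.0.2.1 action="login" status="{s}" '
            'msg="Administrator {u} login {s} from https({ip})"')
    lines = []

    def add(sec, ip, user, status):
        ts = base + timedelta(seconds=sec)
        lines.append(tmpl.format(d=ts.strftime("%Y-%m-%d"), t=ts.strftime("%H:%M:%S"),
                                 lid="0100032002" if status == "failed" else "0100032001",
                                 u=user, ip=ip, s=status))

    for i in range(12):
        add(i * 10, "203.0.113.7", "admin", "failed")
    for i, u in enumerate(["admin", "backup", "svc-vpn", "jsmith", "root", "it-ops"]):
        add(30 + i * 20, "198.51.100.9", u, "failed")
    add(5, "192.0.2.5", "jsmith", "failed")
    add(25, "192.0.2.5", "jsmith", "failed")
    add(40, "192.0.2.5", "jsmith", "success")
    return lines


if __name__ == "__main__":
    for src, info in detect_auth_abuse(sample_lines()).items():
        print(src, info)
```

Feed it the raw syslog stream the FortiGate already emits (a plain file or a pipe from the syslog collector) so that the alert path does not depend on the SIEM being intact; the spray rule is the one that matters for a leaked-credential campaign, because a validated username list produces few failures per account and many per source.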
The Defense Stack — Three Layers That Close This
Layer 1 — Technology controls. Patch Splunk Enterprise immediately. Target releases are 10.4.0, 10.2.4, or 10.0.7 depending on your current branch. If a patch window cannot open today, restrict network access to the PostgreSQL sidecar service endpoint at the perimeter firewall as a compensating control (a temporary measure that reduces exploitability without addressing the underlying flaw — buy time, not safety). For Fortinet, treat all credentials touching internet-reachable FortiGate or VPN accounts as potentially compromised: force a complete rotation, prioritizing administrative accounts first.
Layer 2 — Process controls. CISA's June 18, 2026 advisory explicitly instructs federal agencies to terminate active FortiGate sessions before rotating credentials — the session termination step matters because active sessions can persist even after a password change, leaving an attacker's existing connection alive. Non-federal organizations should follow the same sequence. Use SOCRadar's free FortiBleed lookup to determine whether your domain appears in the exposed dataset; the check takes minutes and anchors response priority before any broader incident response effort begins. Additionally, log all Splunk administrative activity through a separate, independent logging system until CVE-2026-20253 is patched — do not rely on a potentially compromised Splunk instance to audit itself.
Layer 3 — People and habits. Enable multi-factor authentication (MFA — a second verification step beyond a password) on all Fortinet management interfaces and VPN portals where it is not already enforced. A valid stolen credential without MFA is a working key; MFA turns it into a key that also needs a combination. Brief your internal security awareness audience: phishing attempts commonly spike after large credential leak events, as threat actors cross-reference exposed datasets against other breach data to build targeted attack packages. Data protection hygiene after a known leak is as important as the technical response.
Ship This Control Today
If you have exactly one hour: check your Splunk version against the affected ranges (10.2.0–10.2.3 or 10.0.0–10.0.6), schedule an emergency patch window, and run the SOCRadar FortiBleed lookup against your primary domain. Those two checks — one for the RCE, one for the credential exposure — establish your actual risk posture before any remediation work begins. Everything else in the defense stack can follow, but the check comes first.
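Checking a version string against a range is where fleet triage usually goes wrong: a lexical comparison puts 10.0.10 before 10.0.6 and marks a patched host as vulnerable. The block below is an added example for this article, not Splunk's or CISA's tooling; it encodes only the affected and fixed releases the article lists, compares versions numerically, and reads the version out of the text that `splunk version` prints. The exact wording of that output ("Splunk X.Y.Z (build ...)") and the hostnames are assumptions; a branch the article does not list (10.1, 10.3) is reported as unlisted rather than as safe.

```python
"""Fleet triage for CVE-2026-20253.

Added example for this article; not code from Splunk or CISA.  The affected
and fixed releases are the ones the article cites.  The `splunk version`
output format assumed below ("Splunk 10.2.1 (build abc123)") is an
assumption about the CLI, as are the host names in the sample inventory.
"""
import re

# branch (major, minor) -> (first affected, last affected, fixed release)
AFFECTED = {
    (10, 2): ((10, 2, 0), (10, 2, 3), (10, 2, 4)),
    (10, 0): ((10, 0, 0), (10, 0, 6), (10, 0, 7)),
}

_CLI_RE = re.compile(r"Splunk\s+(\d+\.\d+\.\d+)")


def parse_version(s):
    """'10.2.3' -> (10, 2, 3); integers, so 10.0.10 sorts after 10.0.6."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Splunk version string: {s!r}")
    return tuple(int(p) for p in parts)


def version_from_cli_output(text):
    """Pull the version out of `splunk version` output (assumed format)."""
    m = _CLI_RE.search(text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    return m.group(1)


def triage(version):
    """Classify one version string against the article's affected ranges."""
    v = parse_version(version)
    entry = AFFECTED.get(v[:2])
    if entry is None:
        return {"version": version, "affected": False, "upgrade_to": None,
                "reason": "branch not in the listed ranges; confirm against the vendor advisory"}
    lo, hi, fixed = entry
    if lo <= v <= hi:
        return {"version": version, "affected": True,
                "upgrade_to": ".".join(map(str, fixed)),
                "reason": f"inside affected range {'.'.join(map(str, lo))}-{'.'.join(map(str, hi))}"}
    return {"version": version, "affected": False, "upgrade_to": None,
            "reason": "at or above the fixed release on this branch"}


def triage_fleet(inventory):
    """inventory: {host: raw `splunk version` output}. Returns hosts needing a patch."""
    report = {}
    for host, raw in inventory.items():
        report[host] = triage(version_from_cli_output(raw))
    return {h: r for h, r in report.items() if r["affected"]}


# Constructed inventory for the example (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "splunk-sh-01": "Splunk 10.2.1 (build 1a2b3c4d5e6f)",
    "splunk-idx-01": "Splunk 10.0.10 (build 0f9e8d7c6b5a)",
    "splunk-idx-02": "Splunk 10.0.6 (build 0f9e8d7c6b5a)",
    "splunk-hf-01": "Splunk 10.4.0 (build a1b2c3d4e5f6)",
}

if __name__ == "__main__":
    for host, r in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {r['version']} -> upgrade to {r['upgrade_to']} ({r['reason']})")
```

Run it against whatever your inventory system already holds for each search head, indexer and heavy forwarder; the hosts it returns are the emergency patch list, and the unlisted-branch reason is there so nobody reads silence as safety.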
In my analysis, FortiBleed is the more durable of the two threats. Splunk CVE-2026-20253 will be patched within days to weeks as the CISA deadline forces organizational action. Stolen credentials, however, persist indefinitely unless actively rotated — and Beaumont's assessment that FortiBleed represents a newer dataset rather than recycled historical data means the window for rotating before misuse narrows with every passing day, not every passing year.
Frequently Asked Questions
What is FortiBleed and how does the attack work?
FortiBleed is the name given to a large-scale credential-harvesting campaign targeting Fortinet firewall and VPN devices, discovered in mid-June 2026 by security researcher Volodymyr 'Bob' Diachenko. Attackers used a 45-GPU cluster running the Hashtopolis distributed cracking framework to execute 1.16 billion authentication attempts against more than 320,000 FortiGate targets across 194 countries. The operation was uncovered when the attackers inadvertently left their operational server — containing full tooling, scripts, and attack logs — publicly accessible.
How can I check if my Fortinet device is compromised by FortiBleed?
SOCRadar provides a free FortiBleed lookup tool that allows organizations to check whether their domain appears in the exposed credential dataset. Beyond the domain lookup, treat any FortiGate or VPN account credential as potentially compromised if the device was internet-reachable in the period leading up to the mid-June 2026 discovery. Per CISA guidance issued June 18, 2026, terminate active sessions before resetting credentials, and enable MFA on all management interfaces and VPN portals as a compensating control against future credential misuse.
What versions of Splunk Enterprise are affected by CVE-2026-20253, and how do I patch?
As of Splunk's June 10, 2026 disclosure, affected versions are Enterprise 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. Patched releases are 10.4.0, 10.2.4, and 10.0.7 — upgrade to the patched release on your current version branch. CVE-2026-20253 carries a CVSS score of 9.8 and allows unauthenticated remote code execution via the PostgreSQL sidecar service endpoint. If immediate patching is not possible, restrict access to that endpoint at the network perimeter as a temporary compensating control.
Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs. Research based on publicly available sources current as of June 21, 2026.