SOCRadar® Cyber Intelligence Inc. | FortiBleed: How 30,000 Fortinet Firewalls Exposed Corporate Networks Quietly
Jun 16, 2026
Moon

FortiBleed: How 30,000 Fortinet Firewalls Exposed Corporate Networks Quietly

Fortinet firewalls and VPN gateways are among the most widely deployed network security devices in the world. Organizations across every sector rely on them to control access to their networks and protect sensitive infrastructure. SOCRadar researchers recently discovered that a threat actor has been systematically compromising these devices at scale, silently building a verified database of working credentials across 194 countries.

Compromised Devices: 30,791
Unique IPs: 21,108
Unique Domains: 8,316
Countries Affected: 194

Executive Summary

In the course of monitoring active threat actor infrastructure, SOCRadar threat researchers detected the operational server of a hacking group that had been quietly breaking into corporate Fortinet firewalls and VPN gateways on a massive, global scale. What we found was not just a list of stolen passwords. We found the entire operation: the tools, the automation, the victim list, and enough identifying information to build a detailed picture of who is behind it.

The attacker’s database contains login credentials for 30,791 devices belonging to companies and government organizations across 194 countries. These are not random guesses. They are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock.

If your organization uses a Fortinet firewall or VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately. SOCRadar rates this campaign Critical.

How Fortinet Firewalls Were Compromised: Intrusion Explained

The operation is built around full automation. The attackers scan the internet for Fortinet devices, try a curated list of known passwords against each one, and record every successful login; this is a credential-reuse sweep, not the exploitation of a software flaw. Once a device is compromised, they use it as a listening post, monitoring traffic passing through it and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise more devices. The system feeds itself.

The password list is not random. It is a carefully assembled collection of credentials leaked from Fortinet devices in earlier incidents, meaning many targets may have never changed their passwords after a prior breach. The attackers know this, and they are counting on it.

Who Is Behind the Fortinet VPN Breach?

The attackers made mistakes. Their server was left exposed with a trove of operational files that revealed far more about them than they intended. Among the recovered data were credentials for what appears to be a defense industry VPN endpoint, suggesting the group’s ambitions extend beyond purely financial targets.

The tooling, infrastructure choices, and victim selection, heavily weighted toward organizations in NATO member countries, are consistent with Russian-speaking threat actors. Attribution is ongoing, but the operational fingerprints are clear.

The Scale of Exposure

The victim list spans every sector of the global economy. Among the 30,791 compromised access points identified, we found entries belonging to banks, telecom operators, hospitals, universities, government agencies, energy companies, and multinational corporations with revenues in the tens of billions of dollars. No industry was spared. No region was ignored.

Government entities alone account for 591 entries across 111 domains. Telecoms represent one of the most heavily targeted sectors with 5,616 entries. The geographic spread covers Asia, Europe, the Americas, the Middle East, and Africa.

Revenue Exposure

Revenue bands of affected organizations (by credential entry count):

Figure: Revenue Exposure of Affected Organizations

Enterprise organizations above $1B in revenue account for over 20% of all entries, representing significant financial and critical infrastructure exposure. The large N/A share reflects smaller or unclassified organizations.

Geographic Distribution

Top 20 countries by number of credential entries:

Figure: Geographic Distribution – Top 20 Countries

India and the United States together account for nearly a third of all entries, reflecting their large footprint of internet-exposed Fortinet deployments. The spread across Asia, Latin America, Europe, and the Middle East confirms this is a global campaign with no regional blind spots.

Top 50 Targeted Organizations

Ranked by company revenue (domain-based):

# | Domain | Country | Revenue | Employees | IPs | Accounts
1 | nexon.com.au | Australia | $397.3B | 500–1000 | 2 | 4
2 | foxconn.com | United States | $258.5B | 5000+ | 2 | 3
3 | samsung.com | South Korea | $230.1B | 5000+ | 1 | 2
4 | sunu-group.com | Côte d’Ivoire | $201B | 100–500 | 1 | 1
5 | total.com | Denmark | $195.6B | 100–500 | 1 | 1
6 | external.totalenergies.com | France | $189.8B | 5000+ | 1 | 2
7 | chevron.com | United States | $187B | 5000+ | 1 | 2
8 | mercedes-benz.com | Germany | $163.9B | 5000+ | 1 | 2
9 | alibaba-inc.com | China | $139.0B | 5000+ | 2 | 2
10 | huawei.com | China | $118.1B | 5000+ | 1 | 1
11 | dell.com | United States | $113.5B | 5000+ | 1 | 1
12 | dellteam.com | United States | $113.5B | 5000+ | 3 | 1
13 | byd.com | China | $110.7B | 5000+ | 3 | 4
14 | siemens.com | Germany | $92.8B | 5000+ | 4 | 2
15 | vip.qq.com | China | $90.5B | 5000+ | 2 | 3
16 | spe.sony.com | Japan | $89.2B | 5000+ | 1 | 1
17 | fedex.com | United States | $87.9B | 5000+ | 1 | 1
18 | dhl.com | Germany | $87.7B | 5000+ | 4 | 5
19 | engie.com | France | $81B | 5000+ | 2 | 3
20 | roche.com | Switzerland | $77.5B | 5000+ | 1 | 2
21 | wistron.com | Taiwan | $69.6B | 5000+ | 1 | 2
22 | capitalone.com | United States | $69.3B | 5000+ | 1 | 1
23 | adityabirla.com | India | $67B | 5000+ | 4 | 3
24 | dshs.wa.gov | United States | $66.4B | 5000+ | 1 | 1
25 | munichre.com | Germany | $64.2B | 5000+ | 1 | 1
26 | fpg.com.tw | Taiwan | $64B | 5000+ | 1 | 1
27 | broadcom.com | United States | $63.9B | 5000+ | 1 | 1
28 | lge.com | South Korea | $61.5B | 5000+ | 6 | 3
29 | arcelormittal.com | Luxembourg | $61.4B | 5000+ | 1 | 1
30 | oracle.com | United States | $61B | 5000+ | 1 | 2
31 | chubb.com | Germany | $59.6B | 5000+ | 1 | 1
32 | idemitsu.com | India | $59.1B | 100–500 | 1 | 1
33 | synnex.com | United States | $59B | 5000+ | 2 | 3
34 | astrazeneca.com | United Kingdom | $58.7B | 5000+ | 1 | 1
35 | renault.com | France | $58.6B | 5000+ | 2 | 1
36 | novartis.com | Switzerland | $54.8B | 5000+ | 1 | 1
37 | chinaunicom.cn | United States | $53.4B | 5000+ | 1 | 2
38 | baosteel.com | China | $53.1B | 5000+ | 1 | 1
39 | ingrammicro.com | United States | $52.6B | 5000+ | 6 | 4
40 | loreal.com | France | $51.6B | 5000+ | 1 | 1
41 | maersk.com | Denmark | $49B | 5000+ | 5 | 4
42 | lns.maersk.com | Denmark | $49B | 5000+ | 1 | 1
43 | volvo.com | Sweden | $47.7B | 5000+ | 1 | 2
44 | anz.com | Australia | $44.6B | 5000+ | 1 | 2
45 | g.softbank.co.jp | Japan | $43.9B | 5000+ | 1 | 1
46 | orange.com | France | $43.6B | 5000+ | 78 | 18
47 | vodafone.com | United Kingdom | $42.7B | 5000+ | 3 | 4
48 | telefonica.com | Spain | $40.9B | 5000+ | 48 | 18
49 | oq.com | Oman | $40.0B | 5000+ | 1 | 2
50 | kddi.co.th | Japan | $39.7B | 5000+ | 2 | 2

Access Method Analysis

Top Ports Targeted

By unique IP count:

Figure: Top Ports Targeted

Port 443 dominates because it is the standard HTTPS port and the default for Fortinet SSL VPN interfaces. The presence of non-standard ports like 4443, 8443, and 10443 shows the scanner was configured to sweep all common Fortinet deployment variants, not just default installations.

Top Usernames

By credential entry count:

# | Username | Count | % of Total | Type
1 | admi* | 6,599 | 21.43% | Generic Admin
2 | admi*** | 3,813 | 12.38% | Generic Admin
3 | fgts***** | 2,140 | 6.95% | System Account
4 | fort*********** | 1,834 | 5.96% | System Account
5 | fort****** | 1,667 | 5.41% | System Account
6 | Tech************* | 1,086 | 3.53% | System Account
7 | telm****** | 728 | 2.36% | ISP Account
8 | fort*********** | 655 | 2.13% | System Account
9 | fgts** | 613 | 1.99% | System Account
10 | supp************ | 517 | 1.68% | System Account

Generic admin accounts and built-in Fortinet system accounts together make up the majority of compromised credentials.

This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed.
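The conditions this table points at (the factory admin account still in use, admin accounts with no trusted-host restriction or two-factor, management protocols reachable on a WAN-facing interface, VPN users without two-factor) can be checked directly against a FortiOS configuration export. The Python script below is an added example for this article, not SOCRadar tooling or a Fortinet utility: it parses the `config … / edit … / set …` structure, reports each weak setting, and emits the FortiOS CLI that corrects it. The configuration it parses is constructed in FortiOS CLI syntax for the demo; the interface and account names are illustrative, and the management subnet in `MGMT_NET` and the use of `set role wan` to identify internet-facing interfaces are assumptions you should adapt.

```python
"""Audit a FortiOS config export for the weaknesses this campaign feeds on and
print the CLI that fixes each one. Added example, not SOCRadar or Fortinet code.
SAMPLE_CONFIG is constructed; MGMT_NET and the 'role wan' marker are assumptions."""
from collections import defaultdict

MGMT_NET = "10.10.0.0 255.255.255.0"   # assumed management subnet for trusthost

# Constructed sample in FortiOS CLI syntax: 'wan1', 'admin' and 'vpnuser1' carry
# the weak settings; 'netops' shows the hardened shape for comparison.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTK0000000000001"
        set vdom "root"
    next
end
config user local
    edit "vpnuser1"
        set type password
    next
end
"""

MGMT_PROTOS = {"http", "https", "ssh", "telnet", "snmp"}

def parse_fortios(text):
    """Turn 'config X / edit Y / set K V' blocks into {section: {entry: {key: value}}}."""
    cfg = defaultdict(dict)
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit ") and section:
            entry = line[5:].strip('"')
            cfg[section].setdefault(entry, {})
        elif line.startswith("set ") and entry:
            key, _, value = line[4:].partition(" ")
            cfg[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return cfg

def audit(cfg):
    """Return (finding, remediation CLI) pairs for the parsed configuration."""
    findings = []
    for name, iface in cfg["system interface"].items():
        exposed = set(iface.get("allowaccess", "").split()) & MGMT_PROTOS
        if iface.get("role") == "wan" and exposed:   # 'role' assumed present in the export
            keep = " ".join(sorted(set(iface["allowaccess"].split()) - MGMT_PROTOS)) or "ping"
            findings.append((f"interface {name}: {' '.join(sorted(exposed))} management open to the internet",
                             f'config system interface\n    edit "{name}"\n        set allowaccess {keep}\n    next\nend'))
    for name, adm in cfg["system admin"].items():
        hosts = [v for k, v in adm.items() if k.startswith("trusthost")]
        if name == "admin":
            findings.append(("admin 'admin': factory account still present; create a named admin first, then delete it",
                             'config system admin\n    delete "admin"\nend'))
        # A full-configuration export shows the default trusthost1 0.0.0.0 0.0.0.0 (any source).
        if not hosts or any(h.startswith("0.0.0.0") for h in hosts):
            findings.append((f"admin '{name}': no trusted-host restriction",
                             f'config system admin\n    edit "{name}"\n        set trusthost1 {MGMT_NET}\n    next\nend'))
        if adm.get("two-factor", "disable") == "disable":
            findings.append((f"admin '{name}': two-factor disabled",
                             f'config system admin\n    edit "{name}"\n        set two-factor fortitoken\n        set fortitoken "<serial>"\n    next\nend'))
    for name, user in cfg["user local"].items():
        if user.get("two-factor", "disable") == "disable":
            findings.append((f"vpn user '{name}': two-factor disabled",
                             f'config user local\n    edit "{name}"\n        set two-factor fortitoken\n        set fortitoken "<serial>"\n    next\nend'))
    return findings

if __name__ == "__main__":
    for issue, fix in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[!] {issue}\n{fix}\n")
```

To use it on a real device, replace `SAMPLE_CONFIG` with the saved output of `show full-configuration`; that export lists defaults explicitly, which is why the trusted-host check also treats a `0.0.0.0 0.0.0.0` entry as unrestricted. The `"<serial>"` placeholder in the two-factor remediation must be replaced with the serial of a FortiToken assigned to that account.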

Credential Type Breakdown

Figure: Credential Type Breakdown

That org-specific accounts top the breakdown is significant. It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed.

Sector Breakdown

Figure: Industry Breakdown

Telecom is the most heavily hit sector by volume, which is notable given that telecom infrastructure underpins communications for every other sector. Government exposure across 111 domains carries national security implications well beyond the device counts alone.

The concentration of entries in a small number of sectors also points to how targeted the campaign is.

Government Targets

591 entries across 111 government domains were identified in the dataset.

Figure: Government Targets by Country

India accounts for over 60% of all government entries in the dataset. The presence of Ukraine, Poland, and Taiwan alongside other NATO-adjacent states aligns with the geopolitical targeting pattern identified in the broader attribution assessment.

Immediate Steps for Affected Organizations

If you are using Fortinet or suspect you have been hacked, please contact us at [email protected] to verify.
  1. Change your passwords now. Any organization running a Fortinet VPN or firewall should immediately change all admin and VPN account passwords, especially if those passwords have not been rotated since earlier Fortinet credential leaks, because those leaks are exactly what this campaign replays.
  2. Enable two-factor authentication. Even if an attacker has your password, two-factor authentication makes it far harder to log in. Enable it on every admin and remote-access account.
  3. Review your login history. Check your device’s login history for any access that looks unfamiliar: unusual times, unknown source addresses, accounts that should not be active, or a burst of failed logins followed by a success. SOCRadar’s credential and data leak detection can help identify whether your organization’s credentials have appeared elsewhere.
  4. Restrict management access. Your firewall’s admin panel should not be reachable directly from the public internet. If it is, restrict it immediately: remove management protocols from WAN-facing interfaces and limit admin accounts to trusted source addresses. Reducing your exposed attack surface is one of the most effective steps you can take.
  5. Keep your firmware updated. This campaign relies on reused credentials rather than a software exploit, but outdated firmware leaves known vulnerabilities open, and patching removes that second route in.
  6. If in doubt, bring in experts. If your organization appears in this dataset, treat it as a confirmed breach and engage a professional incident response team to assess the damage.
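Step 3 is the one most people do by eye, and the sweep described earlier (many failed logins across several accounts, then a success) is easy to miss in a long event log. The Python script below is an added example for this article, not SOCRadar tooling or a Fortinet utility. It parses FortiGate event records in their key=value syslog form, normalises admin logins (subtype=system) and SSL VPN logins (subtype=vpn), and reports admin logins from outside a trusted management range, logins by accounts that should not exist, off-hours logins, and a success preceded by a burst of failures from the same source. The log lines are constructed for the demo; the trusted subnet, the list of expected admins, the quiet-hours window and the failure threshold are assumptions to adapt to your estate.

```python
"""Review FortiGate login events for unfamiliar sources, unexpected accounts,
off-hours access and credential sweeps. Added example, not SOCRadar tooling.
SAMPLE_LOGS is constructed; TRUSTED_MGMT, KNOWN_ADMINS and OFF_HOURS are assumptions."""
import ipaddress
import re
from collections import defaultdict

TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]  # assumed management subnet
KNOWN_ADMINS = {"netops"}                               # assumed: factory 'admin' was retired
OFF_HOURS = range(0, 6)                                 # assumed quiet window, device local time

# Constructed sample in FortiOS key=value syslog style. One source tries two
# accounts three times and then gets in; a trusted admin logs in normally later.
SAMPLE_LOGS = """\
date=2026-06-10 time=02:14:01 devname="FGT-EDGE" logid="0100032002" type="event" subtype="system" level="alert" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.23) because of invalid password"
date=2026-06-10 time=02:14:03 devname="FGT-EDGE" logid="0100032002" type="event" subtype="system" level="alert" user="netops" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid" msg="Administrator netops login failed from https(198.51.100.23) because of invalid password"
date=2026-06-10 time=02:14:05 devname="FGT-EDGE" logid="0100032002" type="event" subtype="system" level="alert" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.23) because of invalid password"
date=2026-06-10 time=02:14:09 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" reason="none" msg="Administrator admin logged in successfully from https(198.51.100.23)"
date=2026-06-10 time=09:30:12 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" user="netops" ui="https(10.10.0.5)" srcip=10.10.0.5 action="login" status="success" reason="none" msg="Administrator netops logged in successfully from https(10.10.0.5)"
date=2026-06-10 time=02:15:40 devname="FGT-EDGE" logid="0101039424" type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.23 user="vpnuser1" reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one FortiOS key=value record; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in KV.findall(line)}

def login_events(text):
    """Normalise admin (subtype=system) and SSL-VPN (subtype=vpn) login records."""
    events = []
    for line in text.splitlines():
        r = parse_line(line)
        if r.get("subtype") == "system" and r.get("action") == "login":
            ok = r.get("status") == "success"
        elif r.get("subtype") == "vpn" and r.get("action") in ("ssl-login-fail", "tunnel-up"):
            ok = r["action"] == "tunnel-up"
        else:
            continue
        events.append({"time": f"{r['date']} {r['time']}", "hour": int(r["time"][:2]),
                       "kind": r["subtype"], "user": r.get("user", "?"),
                       "src": r.get("srcip") or r.get("remip"), "ok": ok})
    return events

def review(events, fail_threshold=3):
    """Walk events in time order with per-source failure state, so a success that
    follows a burst of failures is reported as a credential sweep."""
    findings = []
    by_src = defaultdict(lambda: {"fails": 0, "users": set()})
    for e in sorted(events, key=lambda e: e["time"]):
        state = by_src[e["src"]]
        t, u, src = e["time"], e["user"], e["src"]
        if not e["ok"]:
            state["fails"] += 1
            state["users"].add(u)
            continue
        if e["kind"] == "system":   # VPN users legitimately roam; only admins are range-checked
            if not any(ipaddress.ip_address(src) in net for net in TRUSTED_MGMT):
                findings.append(f"{t} admin login for '{u}' from {src}, outside trusted management ranges")
            if u not in KNOWN_ADMINS:
                findings.append(f"{t} admin login for unexpected account '{u}'")
        if e["hour"] in OFF_HOURS:
            findings.append(f"{t} off-hours {e['kind']} login for '{u}' from {src}")
        if state["fails"] >= fail_threshold:
            findings.append(f"{t} {src} succeeded as '{u}' after {state['fails']} failures "
                            f"across {len(state['users'])} accounts (credential sweep)")
        state["fails"], state["users"] = 0, set()   # start a fresh window after a success
    return findings

if __name__ == "__main__":
    for finding in review(login_events(SAMPLE_LOGS)):
        print("[!]", finding)
```

Feed it the event log exported from the device or from your syslog collector; the constructed sample produces four findings, all for the 02:14:09 login, and nothing for the daytime login from the management subnet. Keying on `action` and `status` rather than on specific log IDs keeps the parser tolerant of FortiOS version differences.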

Frequently Asked Questions

What exactly was discovered?

SOCRadar researchers found the operational server of a hacking group that has been systematically breaking into Fortinet network security devices worldwide. The server contained the attacker’s tools, automation scripts, and a database of 30,791 confirmed working login credentials for corporate firewalls and VPN gateways across 194 countries.

How did the attackers get these passwords?

The group uses a two-step approach. First, they try a list of previously leaked Fortinet passwords against devices across the internet — many organizations never changed passwords after earlier breaches. Second, once inside a device, they passively monitor network traffic to collect additional credentials as they pass through. Those are then used to compromise even more devices.

Are these credentials still working?

Yes. The attackers run automated checks that verify each credential before adding it to their list. The database contains only confirmed, working logins. Unless an organization has changed its passwords since being added to this list, those credentials remain active.

Is this attack still ongoing?

Yes. At the time of publication, the operation is still active. The attacker’s infrastructure is running and new victims continue to be added. This is not a historical breach — it is an ongoing campaign.

Who is responsible?

The investigation points to Russian-speaking operators based on the tools, infrastructure, and target patterns found on the server. The victim list is heavily concentrated in NATO member countries, suggesting a geopolitical dimension alongside financial motives.

Which products are affected?

Fortinet FortiGate devices operating VPN and web management interfaces. The attackers scan multiple common port configurations used by Fortinet products.

If we appear in the list, does that mean we have been hacked?

It means the attacker has working credentials for your Fortinet device. That is a strong indicator that unauthorized access has occurred or will occur imminently. Treat it as a confirmed incident: change credentials, review access logs, and engage your security team without delay.

Has this data appeared on the Dark Web?

At the time of publication, this specific dataset has not been offered for sale or shared on criminal forums. SOCRadar’s Dark Web monitoring is tracking for any distribution. We are publishing this research proactively to give affected organizations the best possible chance to defend themselves before wider distribution occurs.

How severe is this threat?

SOCRadar rates this campaign Critical. The single most important step: change every password on every Fortinet device your organization operates, including VPN accounts and admin accounts. Do it today. Then enable two-factor authentication, review your login history, and restrict admin access so it cannot be reached from the open internet.

This report is based exclusively on data recovered from attacker infrastructure [85.11.187.8:9999]. All statistics derive from [corps.txt] contained within that infrastructure. © SOCRadar Threat Research · June 2026
