FortiBleed

Tags: Credential Harvesting, FortiGate, FortiOS, SSL-VPN, IAB, Network Sniffer
FortiBleed is an active credential-harvesting campaign targeting FortiGate SSL-VPN infrastructure globally. The threat actor - assessed as a Russian-origin Initial Access Broker with high confidence - abuses the FortiOS built-in diagnostic sniffer (diagnose sniffer packet) to passively intercept authentication traffic on compromised devices. The campaign has executed 659 documented harvest cycles across 430,000+ FortiGate targets, capturing over 110 million credentials from 80,553 unique devices spanning 23,406 organizational domains. A confirmed data exfiltration event against a NATO-aligned defense contractor was observed on June 15, 2026, indicating actor escalation beyond credential brok

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation

The following remediation workflow applies where FortiBleed compromise is confirmed or cannot be excluded based on infrastructure exposure. Steps are sequenced for containment-first execution:

Triage & Scope
  • Determine exposure window: Pull FortiGate system logs to identify the earliest admin login from a source IP in the campaign's /24 blocks. All credentials that authenticated through the affected FortiGate from that date forward are considered compromised.

  • Inventory affected credentials: Export the full FortiVPN user list plus any accounts that may have authenticated against services that route through the affected FortiGate (Exchange, SharePoint, cloud portals, etc.).

  • Check SOCRadar FortiBleed Free Checker: Submit your organization's IP ranges to https://socradar.io/free-tools/fortibleed to determine if your FortiGate devices appear in the campaign's known target set.

Containment
  • Isolate affected FortiGate devices: Disable internet-facing management interfaces immediately. If safe to do so, gracefully failover VPN load to unaffected devices.

  • Revoke all active VPN sessions: Execute 'get vpn ssl monitor' and terminate all active SSL-VPN sessions via 'diagnose vpn ssl del-tunnel'. This prevents curl_replay.sh session token reuse.

  • Invalidate all web session cookies: If the FortiGate proxies access to web applications (OWA, SharePoint, cloud portals), coordinate with those application owners to invalidate all active sessions and force re-authentication.

Recovery
  • Factory reset and firmware re-flash: For confirmed compromised FortiGate devices, perform a factory reset and re-flash firmware from a verified FortiGuard source. Do not restore from a FortiGate backup taken during the suspected compromise window — the backup may include attacker-created admin accounts.

  • Rebuild configuration from hardened baseline: Reconfigure from a hardened baseline template (DISA STIG or CIS FortiGate Benchmark). Do not simply restore the pre-compromise configuration.

  • Forced credential reset — expanded scope: Reset passwords for: all FortiVPN users, all accounts that may have authenticated through the affected FortiGate, all admin accounts on connected Active Directory domains (credentials captured via LDAP/Kerberos sniffing), all email accounts (SMTP/IMAP credentials captured), all service accounts observed in PCAP data.

  • Post-incident threat hunt: Use SOCRadar's XTI platform to search for organizational domains, IP ranges, and user email addresses appearing in known IAB marketplaces and stealer log datasets. FortiBleed-harvested credentials are expected to appear in dark web markets within 2-4 weeks of collection.

  • Engage FortiGuard PSIRT: Report confirmed compromise details to Fortinet's Product Security Incident Response Team for telemetry contribution and coordinated response.
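The "Triage & Scope" step above (earliest admin login from a suspect source block, plus evidence of the diagnostic sniffer being run) can be scripted against exported FortiGate event logs. The following is an added example, not code from SOCRadar or Fortinet: it parses FortiOS-style key=value log lines, flags successful admin logins whose source IP falls in a suspect /24, and lists invocations of diagnose sniffer packet. The log lines, the 198.51.100.0/24 block and the IP addresses are constructed placeholders (the page does not publish the campaign's /24 ranges), and it assumes CLI audit logging is enabled so that diagnose commands appear in event-log msg fields.

```python
import ipaddress
import re
from datetime import date

# Constructed FortiOS-style event log lines (placeholders, not real device output).
SAMPLE_LOGS = """\
date=2026-06-01 time=08:12:41 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.17)" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.17)"
date=2026-06-03 time=22:04:09 type="event" subtype="system" level="information" user="admin" ui="ssh(198.51.100.44)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(198.51.100.44)"
date=2026-06-03 time=22:05:30 type="event" subtype="system" level="notice" user="admin" ui="ssh(198.51.100.44)" msg="diagnose sniffer packet any 'port 443' 3 0 a"
date=2026-06-10 time=09:30:00 type="event" subtype="system" level="information" user="netops" ui="https(10.20.30.40)" action="login" status="success" msg="Administrator netops logged in successfully from https(10.20.30.40)"
"""

# Placeholder for the campaign's source /24 blocks; substitute the ranges from your intel feed.
SUSPECT_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]

# key=value pairs; values are either double-quoted (group 3) or a bare token (group 4).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one FortiOS key=value log line into a dict, unquoting quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def ui_source_ip(ui):
    """Pull the client IP out of a ui field such as 'https(203.0.113.17)' or 'ssh(198.51.100.44)'."""
    m = re.search(r"\(([^)]+)\)", ui or "")
    return ipaddress.ip_address(m.group(1)) if m else None


def triage(logs):
    """Return (earliest successful admin login from a suspect block, list of sniffer invocations).

    Per the remediation guidance, every credential that authenticated through the
    device from the returned date onward should be treated as compromised.
    """
    earliest = None
    sniffer_events = []
    for raw in logs.splitlines():
        ev = parse_line(raw)
        when = date.fromisoformat(ev["date"])
        src = ui_source_ip(ev.get("ui"))
        suspect = src is not None and any(src in block for block in SUSPECT_BLOCKS)
        if ev.get("action") == "login" and ev.get("status") == "success" and suspect:
            earliest = when if earliest is None or when < earliest else earliest
        if "diagnose sniffer packet" in ev.get("msg", ""):
            sniffer_events.append((when, ev.get("user"), str(src)))
    return earliest, sniffer_events
```
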



Observed Countries (250)
