FortiBleed Exposed Credentials for 73,000 Fortinet Firewalls. There Is No FortiBleed Bug.
A leaked trove of admin and VPN logins for tens of thousands of FortiGate firewalls is real and being used. It is not a single flaw, a single number, or even a single explanation.

Janet Torvalds
June 25, 2026

Security researchers spent the past week pulling apart a leaked collection of credentials for tens of thousands of Fortinet firewalls. The dataset has a name now, "FortiBleed," and the name is doing a lot of work it has not earned. Heartbleed was a specific bug in a specific library with a specific CVE. FortiBleed is not that. There is no single Fortinet flaw at the center of this, no patch that closes it, and so far not even one agreed-upon story of how the credentials were taken. What there is, instead, is a large pile of working logins to the boxes that sit at the edge of corporate networks, and growing evidence that someone has been collecting them at scale since at least February.
What was actually found
The dataset first surfaced through researcher Bob Diachenko, who reported finding an exposed server holding what looked like valid Fortinet VPN credentials: usernames, email addresses, and in places plaintext passwords. Threat intelligence firm Hudson Rock received the data from Diachenko and counted 73,932 unique firewall URLs across 194 countries, tied to 21,632 unique domains. Names in the file read like a who's-who of large enterprises: Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, plus government agencies and critical infrastructure operators.
Independent verification matters more than the headline count, and it came from Kevin Beaumont, who reviewed portions of the data and confirmed some of it is real.
"I have been able to confirm the authenticity of some of the admin logins and passwords. This looks like a real dump." (Kevin Beaumont, to BleepingComputer)
Beaumont put the figure closer to 75,000 devices, said almost all of them are still online, and estimated, using Shodan data, that the leak covers roughly half of all internet-reachable Fortinet firewalls. He also noted that a majority of those devices expose their FortiGate management interface directly to the internet, which is its own problem independent of any leak.
The numbers do not line up, and that is worth saying
A quick tally of the figures being thrown around:
| Figure | Source | What it counts |
|---|---|---|
| 73,932 firewall URLs | Hudson Rock | Entries in the leaked credential set |
| ~75,000 devices | Kevin Beaumont | Devices with confirmed-real credentials |
| 80,000+ firewall URLs | SOCRadar | Credentials in the broader collection |
| 430,000+ FortiGate firewalls | SOCRadar | Devices the campaign targeted |
These are not contradictions so much as different denominators, and they get blurred together in a way that makes the leak sound either bigger or smaller than it is. The count of devices with leaked credentials (somewhere around 73,000 to 80,000) is not the same as the count of devices that were attacked (north of 430,000). "Half the internet's FortiGates" is a real and alarming estimate, but it is Beaumont's Shodan-based read of the leaked set, not a Fortinet figure or a confirmed compromise rate.
How the credentials were taken
This is where it gets interesting, and where the reporting genuinely disagrees.
On June 22, SOCRadar published an analysis describing an initial access broker running credential stuffing and brute-force attacks against FortiGate SSL VPN devices, then deploying a custom Go-based tool it calls "FortigateSniffer." Per SOCRadar, the tool connects to an already-compromised firewall over SSH and abuses a legitimate FortiOS feature, the diagnose sniffer packet command that admins normally use to troubleshoot connectivity, to capture authentication traffic moving through the device.
The captured packets get reconstructed into PCAP files by a component named SNIFTRAN, then parsed by a Python toolkit that pulls out cleartext credentials, NTLM and Kerberos material, and database logins, and writes Hashcat-ready hash files for offline cracking.
"The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network flows." (SOCRadar)
Beaumont offered a second route to the same result: the attackers also downloaded FortiGate configuration files from compromised devices, extracted the password hashes stored inside, and cracked them. His detail on the cracking setup is the most quietly telling part of the whole story.
"The password cracking was hosted at a GenAI company which rents GPU compute. The attacker rented 36 enterprise class GPUs, more than most large orgs have for internal AI efforts, and instead of using it for AI tasks, they used them for password cracking." (Kevin Beaumont)
Both explanations can be true at once, and both fit the GPU-cracking infrastructure researchers found on the attacker's servers. Diachenko's own figures, which should be read as the researcher's claims rather than confirmed totals, put the campaign at roughly 1.16 billion credential attempts against 320,777 FortiGate targets, plus 2.1 billion attempts against 163,650 Microsoft SQL Server systems, with cracking done on a 45-GPU cluster managed through Hashtopolis.
Why "not a Fortinet bug" is not the comfort it sounds like
Fortinet told BleepingComputer last week that this is a collection of previously compromised credentials, not a new vulnerability or incident. Read narrowly, that is accurate. There is no fresh CVE here, and patching a firewall does not retroactively un-leak a password that was already captured or cracked.
But the framing cuts the other way too. If the FortigateSniffer account is right, the firewall was the vantage point, not the target. A device sitting inline at the network edge saw RADIUS, Kerberos, LDAP, SMB, RDP, and database authentication flowing past, and the attacker scraped all of it. Rotating the FortiGate admin password closes one door and leaves the building open. The credentials harvested through that firewall reach into Active Directory, mail, and databases, and changing those is the larger and slower job. This also raises an ugly question for anyone who finds themselves on the target list: if a sniffer was running on your edge device, rotating passwords now does not help while the box is still capturing traffic, because the new passwords get captured the same way the old ones did.
None of this is new in shape. Fortinet perimeter devices have been a favorite target for years. CVE-2018-13379 leaked VPN credentials for around 50,000 devices back in 2020, CVE-2023-27997 (XORtigate) followed, the Volt Typhoon campaign leaned on the same class of appliance, and a January 2025 leak from the Belsen Group exposed configs and credentials for about 15,000 FortiGate devices. Beaumont notes the IP addresses in this leak differ from the Belsen set, which points to a newer and larger collection rather than a recycled one.
What to actually do
For anyone running FortiGate devices, the response is not "wait for a patch," because there is no single patch to wait for. The consensus guidance across SOCRadar, Bitsight, and CISA, which issued its own warning to Fortinet users, comes down to a few concrete steps:
- Rotate every credential associated with the device: admin accounts, local users, and SSL VPN logins. Treat them as already known.
- Pull the FortiGate management interface and SSL VPN portal off the open internet unless there is a real reason for them to be reachable, and restrict access to trusted networks.
- Turn on MFA for all administrative and remote access.
- Hunt, do not assume. Check logs for unexpected admin logins, new accounts, altered firewall rules, disabled logging, and odd VPN sessions. Beaumont has published a list of targeted IPs worth checking against.
- If you upgrade FortiOS, log in afterward. Bitsight notes that older devices can keep weak SHA-256 password hashes until an admin login triggers migration to stronger hashing, which is exactly the kind of stale hash that gets cracked offline.
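The "hunt, do not assume" step above is the one that needs tooling. As an added example (not code from the article, Fortinet, or any of the firms cited), the script below parses FortiOS-style key=value event log lines and flags the indicators the guidance lists: admin logins from outside a trusted range, new admin accounts, logging being switched off, firewall policy edits, off-hours SSL VPN sessions, and, assuming CLI command auditing is enabled on the device, the diagnose sniffer packet command being run. The sample lines, the trusted-network range, the business-hours window, and the exact field names (logdesc, cfgpath, cfgattr, msg) are constructed in the style of FortiOS syslog and are assumptions; check them against what your own devices actually emit before relying on the rules.

```python
"""Hunt FortiGate event logs for the indicators in the guidance above.

Added example, not the article's or Fortinet's own code. The sample lines
and field names below are constructed in the style of FortiOS key=value
syslog output; adjust them to what your devices actually log.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real device output, not from the leak).
SAMPLE_LOGS = [
    'date=2026-06-20 time=09:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.5.12 action="login" status="success"',
    'date=2026-06-20 time=03:41:17 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"',
    'date=2026-06-20 time=03:42:05 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2026-06-20 time=03:43:30 type="event" subtype="system" logdesc="Attribute configured" user="admin" srcip=198.51.100.77 action="Edit" cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]"',
    'date=2026-06-20 time=03:45:00 type="event" subtype="system" logdesc="Object attribute configured" user="svc_backup" srcip=198.51.100.77 action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]"',
    'date=2026-06-20 time=03:47:41 type="event" subtype="system" logdesc="CLI command" user="svc_backup" ui="ssh(198.51.100.77)" msg="diagnose sniffer packet any"',
    'date=2026-06-20 time=03:50:12 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jdoe" remip=203.0.113.9 action="tunnel-up"',
    'date=2026-06-20 time=14:05:33 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jdoe" remip=203.0.113.9 action="tunnel-up"',
]

# Assumptions: where admins are expected to log in from, and normal working hours.
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiOS-style key=value line into a dict, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def _trusted(ip):
    """True if the source address falls inside a trusted admin network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def _hour(ev):
    """Hour of day from the event's time field (defaults to 0 if absent)."""
    return int(ev.get("time", "00:00:00").split(":")[0])


def hunt(lines):
    """Return a list of (rule, user, detail) findings, one per matched indicator."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        user = ev.get("user", "?")
        desc = ev.get("logdesc", "")
        cfg = ev.get("cfgpath", "")
        # 1. Successful admin login from outside the trusted networks.
        if desc == "Admin login successful" and not _trusted(ev.get("srcip", "")):
            findings.append(("admin_login_untrusted_src", user, ev.get("srcip", "")))
        # 2. A new admin account was created.
        if cfg == "system.admin" and ev.get("action") == "Add":
            findings.append(("admin_account_created", user, ev.get("cfgobj", "")))
        # 3. Any log setting transitioned to disabled.
        if cfg.startswith("log.") and "->disable" in ev.get("cfgattr", ""):
            findings.append(("logging_disabled", user, cfg))
        # 4. Firewall policy altered.
        if cfg.startswith("firewall.policy"):
            findings.append(("firewall_policy_changed", user, ev.get("cfgattr", "")))
        # 5. Packet capture started on the box (assumes CLI audit logging is on).
        if "diagnose sniffer packet" in ev.get("msg", ""):
            findings.append(("packet_capture_started", user, ev.get("ui", "")))
        # 6. SSL VPN session established outside business hours.
        if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up" and _hour(ev) not in BUSINESS_HOURS:
            findings.append(("vpn_session_off_hours", user, ev.get("remip", "")))
    return findings


if __name__ == "__main__":
    for rule, user, detail in hunt(SAMPLE_LOGS):
        print(f"{rule:28s} user={user:12s} {detail}")
```

Run against a real export, the rules are deliberately loose: the point of a hunt after a leak like this is to surface every admin login, account creation, logging change, and capture command for a human to review, not to filter them down to a handful of "confirmed bad" hits. A finding for a policy edit or an off-hours VPN session is only suspicious in context, which is why the script reports the user and source alongside each rule rather than scoring them.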
The honest summary is that FortiBleed is a branding win wrapped around a real and ongoing problem. The credentials are genuine, the campaign is still running, and the exposure does not stop at the firewall. The name will outlive the accuracy of the name, which is how these things usually go.
Sources (4)
- FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices (www.bleepingcomputer.com)
- FortiBleed campaign used custom FortiGate sniffer to steal credentials (www.bleepingcomputer.com)
- FortiBleed Security Alert: Fortinet VPN Credentials Exposed (www.bitsight.com)
- Dismantling FortiBleed: Inside a Russian Fortinet Compromise Operation (socradar.io)