Fortibleed Fortinet Breach 2026

Fortinet Breach

The Fortinet breach now circulating as FortiBleed has exposed administrator and VPN credentials for roughly 74,000 FortiGate firewalls across 194 countries — about half of every internet-facing FortiGate on the planet. It isn’t a new vulnerability, and that’s exactly why it’s dangerous. Here’s the plain-English version for Australian businesses.

The short version
  • A dataset of credentials for ~74,000 FortiGate firewalls across 194 countries was found on an attacker-controlled server — roughly half of all internet-facing FortiGate devices.
  • It is not a new vulnerability or zero-day. The credentials were harvested from device configuration files and earlier leaks that organisations never rotated.
  • Plaintext credentials were stored alongside company profile data (revenue, sector) — organised for targeted follow-on attacks, not just resale.
  • Researchers Bob Diachenko and Kevin Beaumont confirmed many of the logins are still valid and the devices still online.
  • What to do: upgrade FortiOS (7.2.11 / 7.4.8 / 7.6.1), re-authenticate as admin, rotate all credentials, enable MFA on VPN, and check for unrecognised sessions.
  • 74,000+ FortiGate firewalls exposed
  • 194 countries in the dataset
  • ~50% of internet-facing FortiGate devices
  • 0 new vulnerabilities used — a credential-hygiene failure

Source: SecurityDiscovery.com research (Bob Diachenko), reported by Ars Technica, Help Net Security and BleepingComputer, June 2026.

What happened

A credential dump, not a new exploit

Security researcher Volodymyr “Bob” Diachenko discovered the dataset on a server controlled by the attackers — meaning the credentials were actively in use, not merely theoretically exposed. The collection covers some 74,000 FortiGate firewalls across 194 countries, and independent researcher Kevin Beaumont confirmed that many of the logins are real and current.

Crucially, this is not a new Fortinet vulnerability. No zero-day was used. The data was assembled from device configuration files and from credentials leaked in earlier Fortinet incidents that organisations never rotated. Alongside each entry sat company profile information — revenue, sector, size — suggesting the operators intended targeted follow-on attacks, not just credential resale. Organisations named in reporting include Oracle, Chevron, Samsung, Foxconn, Siemens, Accenture, DHL and Fortinet itself.

How it happened

The attack chain, in plain terms

This worked because of operational gaps, not a flaw in the firewall itself. Attackers located internet-exposed FortiGate interfaces, pulled their configuration files, and cracked the stored password hashes offline. Valid logins then became silent footholds — some compromised devices were used as listening posts to capture still more credentials — and harvested logins were recycled back into the operation, combined with credentials from earlier Fortinet leaks.

  1. Scan
  2. Harvest
  3. Crack
  4. Access
  5. Recycle: harvested credentials recycled and combined with earlier leaks

FortiBleed in five stages — a credential-harvesting loop, not a single exploited flaw.

“When a vendor discloses something like this, the step that gets skipped is almost always credential rotation. Businesses will patch the firewall and feel covered — but if the old passwords were already in someone’s dataset and never changed, the patch doesn’t shut the door. Rotating credentials is the unglamorous step that actually matters.”
— Brad Dixon, PIP

How we got here

A recurring Fortinet credential problem

  • 2021: Roughly 500,000 FortiGate VPN credentials are leaked on a dark-web forum — the start of a long-running pattern.
  • January 2025: The “Belsen” leak exposes ~15,000 FortiGate device configurations, harvested via a known vulnerability.
  • Since ~March 2026: The FortiBleed credential-harvesting campaign runs quietly against internet-facing FortiGate devices.
  • Mid-June 2026: Bob Diachenko finds the exposed dataset on an attacker-controlled server and raises the alarm.
  • 17–18 June 2026: Reporting breaks (Ars Technica and others); Kevin Beaumont confirms the credentials are valid and devices are still online.
  • June 2026: Fortinet patches are available (FortiOS 7.2.11 / 7.4.8 / 7.6.1); remediation guidance follows from Arctic Wolf, SOCRadar and S-RM.

What it means here

Why Australian businesses should care

FortiGate firewalls are widely deployed across Australian business — in IT services, construction, telecommunications and financial services, the sectors best represented in this dataset. If your perimeter runs on Fortinet, assume you are in scope until proven otherwise.

There is an Australian compliance dimension, too. Under the Privacy Act 1988 and the Notifiable Data Breaches scheme, if exposed credentials were used to reach personal information your organisation holds, you may be facing a notifiable data breach — regardless of which overseas vendor made the firewall. The ASD’s Australian Cyber Security Centre routinely issues guidance on Fortinet incidents and runs the Australian Cyber Security Hotline (1300 CYBER1) for organisations that need help. If you discover signs of compromise, that is the line to call — and where PIP’s incident response support picks up.

What to do now

FortiBleed remediation checklist

Work through these in priority order. Patching alone is not enough — the credential steps are what actually close the door.

Action (Priority)
  • Rotate all FortiGate admin and VPN credentials immediately (Critical)
  • Upgrade FortiOS to 7.2.11, 7.4.8 or 7.6.1 (enables stronger PBKDF2 hashing) (Critical)
  • Log in as admin after upgrading — the stronger hash only applies once each admin re-authenticates (High)
  • Audit active SSL VPN sessions for unrecognised logins (High)
  • Enable multi-factor authentication (MFA) on all VPN access (High)
  • Review Active Directory / RADIUS accounts linked to FortiGate access (High)
  • Pull admin activity logs and check for anomalies going back 90 days (Medium)
  • Engage a security partner if you are unsure of your exposure (Next step)
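The admin-log review step in the checklist can be scripted. The Python below is an added example (not from the original article or from Fortinet): it parses constructed FortiGate-style key=value admin-login events and flags two patterns worth a closer look, an admin login from outside a trusted management range and a success that follows a burst of failures from the same source. The log lines, field names and the 10.20.0.0/24 trusted range are assumptions for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events in FortiGate-style key=value syslog format (not real device logs).
SAMPLE_LOGS = """\
date=2026-06-18 time=08:01:12 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.20.0.5 ui="https(10.20.0.5)"
date=2026-06-18 time=08:05:40 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.77 ui="https(203.0.113.77)"
date=2026-06-18 time=08:05:43 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.77 ui="https(203.0.113.77)"
date=2026-06-18 time=08:05:49 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.77 ui="https(203.0.113.77)"
date=2026-06-18 time=09:12:03 type="event" subtype="vpn" action="ssl-login" status="success" user="jsmith" srcip=198.51.100.9
date=2026-06-18 time=22:44:10 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.20.0.9 ui="ssh(10.20.0.9)"
"""

# Assumed management range that admin (GUI/SSH) logins are expected to come from.
TRUSTED_ADMIN_NETS = [ip_network("10.20.0.0/24")]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, stripping surrounding quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def find_anomalies(raw_logs, trusted_nets=TRUSTED_ADMIN_NETS, fail_threshold=2):
    """Return alert strings for (a) a successful login preceded by at least
    fail_threshold failures from the same user/source and (b) any admin
    login whose source is outside the trusted management networks."""
    alerts = []
    failures = defaultdict(int)  # (user, srcip) -> failed attempts since last success
    for line in raw_logs.splitlines():
        ev = parse_line(line)
        if ev.get("action") not in ("login", "ssl-login"):
            continue
        key = (ev["user"], ev["srcip"])
        if ev.get("status") == "failed":
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold:
            alerts.append(f"success after {failures[key]} failures: {key}")
        failures[key] = 0
        src = ip_address(ev["srcip"])
        if ev.get("subtype") == "system" and not any(src in n for n in trusted_nets):
            alerts.append(f"admin login from untrusted source: {key}")
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOGS):
        print(alert)
```

Run against a 90-day export of the device's event log, the same two checks surface the sessions the checklist asks you to hunt for.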

“Not a new vulnerability” does not mean “low urgency”. Any device that runs unpatched FortiOS, exposes its management interface to the internet, or uses credentials never rotated after earlier leaks remains exposed — patch status alone won’t save it. A security audit can confirm your exposure before an attacker does.

FAQ

Common questions

Does FortiBleed affect all Fortinet FortiGate firewalls?
Not all of them. The risk is concentrated on devices with an internet-exposed management or SSL VPN interface and credentials that were previously leaked and never rotated. Devices on private networks not reachable from the internet were not directly targeted. The safest assumption is that any internet-facing FortiGate is in scope until you have confirmed otherwise.
Is this a Fortinet product flaw or a user error?
Mostly credential hygiene, not a new product vulnerability. There is no new zero-day at the centre of FortiBleed. Fortinet’s older salted SHA-256 hashing made stored credentials easier to crack than modern standards, but the root cause is organisations failing to rotate passwords that leaked in earlier incidents. Fortinet’s fix in FortiOS 7.2.11, 7.4.8 and 7.6.1 upgrades the hashing to the stronger PBKDF2 method.
What if I don’t know whether my business uses a FortiGate firewall?
If you have a managed IT partner, ask them now — your firewall vendor and version should be in your asset register. If you manage IT in-house and are unsure, a security audit can inventory your network perimeter and flag any unpatched or internet-exposed devices before an attacker finds them first.

Security audit

Not sure if your network is exposed?

PIP reviews IT environments and credential security for Sydney businesses. If you run a Fortinet device — or aren’t sure what firewall you have — a security audit gives you a clear answer before an attacker does.
