Major hack campaign against Fortinet devices compromised prominent organizations, researchers say
- Marijan Hassan - Tech Journalist
- 2 hours ago
A highly automated global cyber espionage campaign dubbed "FortiBleed" has silently compromised tens of thousands of Fortinet perimeter devices, exposing prominent corporations and government agencies in over 190 countries.

Security researchers at SOCRadar, Hudson Rock, and independent analyst Kevin Beaumont revealed that an elite, Russian-speaking cybercrime syndicate has built a verified database of working administrator and SSL VPN credentials for roughly half of all internet-facing Fortinet FortiGate firewalls worldwide.
The scale of the breach touches nearly every sector of the global economy, with tech giants like Samsung, Siemens, Oracle, Lenovo, and Accenture identified among the impacted domains.
The mechanics of an industrial-scale access operation
The ongoing intrusion campaign represents a profound shift toward automated, industrial-scale initial access brokerage. Rather than deploying a single zero-day vulnerability, the threat actors are leveraging a sophisticated infrastructure that includes a 45-GPU password-cracking cluster managed via Hashtopolis.
The attackers systematically exfiltrated device configuration files after executing a massive blitz of 1.16 billion credential attempts against more than 320,000 Fortinet targets, alongside 2.1 billion brute-force attempts on database servers.
Once an initial gateway is breached, the actors use the compromised firewall as a listening post to intercept active network traffic, harvesting further internal credentials and pivoting directly into internal Active Directory environments to establish permanent network dominance.
The patching paradox and legacy data debt
A technical post-mortem indicates that a significant percentage of the compromised perimeter firewalls were technically running updated, patched firmware. In early 2025, Fortinet implemented a more robust PBKDF2 password-hashing standard to replace its legacy, vulnerable SHA-256 implementation.
However, researchers discovered that this architectural defense was not retroactive: the stronger hashing is applied to a device's stored credentials only when an administrator explicitly logs in after updating the firmware, which triggers a re-hash. Thousands of major enterprises applied the official patches but unknowingly left their old, easily crackable credential hashes in place as legacy data debt, creating an immediate backdoor for automated harvesting scripts.
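The non-retroactive upgrade described above, modelled as an added illustration in Python (a simplified credential store written for this article, not FortiOS code; the scheme names, salt length and PBKDF2 iteration count are assumptions). Patching only changes the default for new hashes; an existing record is re-hashed solely on a successful login, and an audit function shows which accounts still sit on the legacy scheme:

```python
import hashlib
import hmac
import os

LEGACY = "sha256"          # assumed label for the legacy salted-SHA-256 scheme
STRONG = "pbkdf2"          # assumed label for the stronger PBKDF2 scheme
PBKDF2_ITERS = 600_000     # assumed iteration count for this model


def hash_password(password: str, scheme: str, salt: bytes = b"") -> dict:
    """Hash under the given scheme; a fresh 16-byte salt is drawn if none is supplied."""
    salt = salt or os.urandom(16)
    if scheme == LEGACY:
        # Single unsalted-per-iteration SHA-256 pass: cheap for a GPU cluster to attack.
        digest = hashlib.sha256(salt + password.encode()).digest()
    elif scheme == STRONG:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt, "digest": digest}


def verify(record: dict, password: str) -> bool:
    candidate = hash_password(password, record["scheme"], record["salt"])
    return hmac.compare_digest(candidate["digest"], record["digest"])


class CredentialStore:
    def __init__(self) -> None:
        self.default_scheme = LEGACY
        self.users: dict = {}

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = hash_password(password, self.default_scheme)

    def upgrade_firmware(self) -> None:
        # The patch raises the default only; records already on disk are untouched.
        self.default_scheme = STRONG

    def login(self, name: str, password: str) -> bool:
        rec = self.users.get(name)
        if rec is None or not verify(rec, password):
            return False
        if rec["scheme"] != self.default_scheme:
            # Lazy migration: the re-hash happens here and nowhere else.
            self.users[name] = hash_password(password, self.default_scheme)
        return True

    def legacy_accounts(self) -> list:
        """Audit helper: accounts still protected only by the legacy scheme."""
        return sorted(n for n, r in self.users.items() if r["scheme"] == LEGACY)
```

Running the audit before and after `upgrade_firmware()` returns the same list, which is the gap the article describes; only a successful login shrinks it.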
Defensive mobilization and global technical remediation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the Australian Cyber Security Centre (ACSC), issued urgent national directives instructing all network administrators to treat exposed internet-facing Fortinet assets as active compromises.
Organizations utilizing Fortinet infrastructure are ordered to immediately rotate all administrative, VPN, and service account passwords. To force the hashing transition to the stronger PBKDF2 standard, all administrators must manually authenticate through a super-administrator account post-rotation.
Security teams are also instructed to strictly restrict public management interface exposure to trusted IP ranges and enforce mandatory, hardware-backed multi-factor authentication across all remote access points.