
Cybercriminals Breach Tens Of Thousands Of Fortinet Firewalls In FortiBleed Credential-Harvesting Campaign
Key Takeaways
- FortiBleed compromised tens of thousands of Fortinet firewalls and VPN devices globally.
- Attackers used weak or unchanged passwords, not zero-day exploits.
- Reported victims range from 30,000 to 75,000 devices.
FortiBleed and FortiGate
Cybercriminals have compromised tens of thousands of Fortinet firewalls and VPNs in an ongoing campaign dubbed FortiBleed, according to TechCrunch and cybersecurity firms Hudson Rock and SOCRadar.
TechCrunch reports that the campaign “appears to not involve abusing any unknown vulnerability,” instead relying on companies not changing passwords for internet-exposed Fortinet systems.

SOCRadar describes the compromise chain as self-sustaining, writing, “The system feeds itself,” after attackers use a compromised device as a listening post to collect additional credentials.
TechCrunch adds that Fortinet spokesperson Tiffany Curci said the company is “aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways,” and Fortinet said the data involved is “a resharing of data from previous incidents, as well as bruteforcing of credentials.”
Scale, targets, and regions
Hudson Rock and SOCRadar’s reporting diverges on scale, with TechCrunch saying Hudson Rock found evidence that more than 73,000 unique Fortinet URLs have been hacked while SOCRadar said the total of hacked devices is more than 30,000.
TechCrunch lists companies whose systems were attacked, including Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC, and it says the countries with the most affected devices are India, the United States, Taiwan, and Mexico.

SOCRadar’s report says its attacker database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries, and it warns that “If your organization uses a Fortinet firewall or VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately.”
Dark Reading similarly frames the operation as credential harvesting rather than a Fortinet flaw, quoting SOCRadar that “There’s no zero-day, no exploit, no actual 'bleed.'”
US cyber rules and Fortinet response
In a separate Fortinet-focused account, Escudo Digital says Fortinet has had to recognize the problem “has not been completely resolved” and is preparing new versions of FortiOS to “stop the attacks.”
“The news that several FortiGate firewalls have been compromised, despite having official patches installed, has caused strong concern among system administrators and security officers, as it calls into question the effectiveness of one of the most recent updates intended to fix a critical authentication vulnerability”
Escudo Digital ties the issue to a vulnerability identified as CVE-2025-59718 and says Fortinet distributed FortiOS 7.4.9 in December and later 7.4.10, while administrators reported malicious access even with those versions installed.
Escudo Digital also says the US Cybersecurity and Infrastructure Security Agency included the vulnerability in its list of “actively exploited flaws,” and that the order requires federal agencies to apply corrections within “a maximum period of one week.”
Meanwhile, SOCRadar rates FortiBleed as Critical and says its researchers detected an operational server of a hacking group, adding that the attacker’s database contains verified, working usernames and passwords tested and confirmed by the attackers themselves using automated tools running around the clock.