FortiBleed: The Growing Threat of Credential-Based Attacks | News | Brit

Cyber security incidents are often associated with a software vulnerability and a subsequent patch. FortiBleed is different.

Disclosed in June 2026, FortiBleed refers to a large-scale campaign that exposed valid credentials associated with tens of thousands of internet-facing Fortinet devices, including firewalls and SSL VPN gateways. Researchers estimate that up to 86,000 Fortinet devices globally were impacted, with affected organisations spanning government, critical infrastructure, manufacturing, telecommunications and professional services sectors.  

The campaign has attracted significant attention not because of a newly discovered software flaw, but because it highlights a growing cyber risk facing organisations: identity compromise. 

A Credential Problem, Not a Patching Problem 

Unlike many high-profile cyber events, there is currently no evidence that FortiBleed was driven by a newly disclosed Fortinet vulnerability requiring an urgent security patch. In fact, researchers found that many affected devices were already running relatively recent software versions.  

Instead, evidence suggests threat actors built a large database of valid Fortinet administrative and VPN credentials through a combination of credential theft, credential reuse, and the offline cracking of password hashes obtained from device data. Researchers also noted that some credentials may have originated from previous compromises and were never rotated.  

This distinction is important. A software vulnerability can often be remediated with a patch. Compromised credentials remain a risk until they are changed, monitored and protected with additional controls. 

Why Fortinet Devices Are a Valuable Target 

Fortinet's FortiGate appliances often sit at the edge of an organisation's network and commonly perform multiple critical functions, including firewalling, VPN access, network segmentation and security inspection. 

For many organisations, a FortiGate SSL VPN acts as the front door for remote employees and third parties. If attackers obtain valid credentials, they may be able to authenticate through the VPN and access the corporate environment as a legitimate user. This initial access can provide a pathway into the wider environment, enabling attackers to reach business-critical systems and information.  

Researchers investigating FortiBleed reported evidence of attackers pivoting from compromised devices into internal network environments, including Active Directory infrastructure.  

In several reported cases, organisations experienced broader network compromise following the initial access.  

The Bigger Lesson 

FortiBleed represents a broader trend in cyber attacks. Threat actors are increasingly targeting identities rather than software vulnerabilities. 

As organisations strengthen patch management processes and reduce exposure to known vulnerabilities, attackers are placing greater emphasis on: 

  • Stolen usernames and passwords.
  • Credential reuse across systems.
  • Remote access infrastructure.
  • Administrative accounts.
  • Privileged access pathways.  

The result is that organisations can be fully patched and still be vulnerable if identity controls and privileged access management practices are weak. 

FortiBleed serves as a reminder that cyber resilience is no longer solely about keeping systems up to date. It is equally dependent on securing the identities that control access to those systems.  

Best Practice Controls for All Organisations 

While the exact mechanics behind FortiBleed continue to be analysed, there are several security controls that every organisation should implement to reduce the impact and likelihood of a similar event. 

 

Enforce Multi-Factor Authentication (MFA) 

All remote access services, VPN platforms and administrative accounts should be protected by MFA. Phishing-resistant MFA methods provide the strongest protection against credential-based attacks.  

Restrict Administrative Access 

Firewall and network administration interfaces should not be exposed directly to the internet. Access should be restricted to trusted management networks, jump servers or privileged access workstations. 

 

Regularly Rotate Credentials 

Organisations should rotate administrative, VPN and service account credentials on a regular basis and immediately following any suspected compromise. Passwords should never be reused across critical systems.  

 

Monitor Privileged Activity 

Security teams should generate alerts for administrative logins, configuration exports, privilege changes and unusual VPN access activity. These events often provide early indicators of compromise.  
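The alerting described above can be prototyped in a few lines of code. The following is an added example, not code from the article or from Fortinet: it parses constructed key=value event lines loosely modelled on firewall syslog output (the field names `subtype`, `action`, `status`, `cfgpath`, `cfgattr` and the management network range are assumptions for this example, not documented product values) and raises findings for the four event classes the text names: administrative logins from outside the management network, configuration exports, privilege changes on admin accounts, and a VPN login that succeeds after a burst of failures for the same user.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Networks from which administrative logins are expected (assumed value).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
# A VPN success preceded by this many failures inside the window is flagged.
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample events; the key=value layout and field names are
# assumptions for this example, not a documented log format.
SAMPLE_LOG = """\
date=2026-06-02 time=08:01:10 type=event subtype=system action=login status=success user=admin srcip=10.10.0.15 ui=https
date=2026-06-02 time=08:15:42 type=event subtype=system action=login status=success user=admin srcip=203.0.113.77 ui=https
date=2026-06-02 time=08:17:03 type=event subtype=system action=backup status=success user=admin srcip=203.0.113.77 msg="configuration exported"
date=2026-06-02 time=08:18:30 type=event subtype=system action=edit status=success user=admin srcip=203.0.113.77 cfgpath=system.admin cfgattr="accprofile[super_admin]"
date=2026-06-02 time=09:00:01 type=event subtype=vpn action=ssl-login-fail status=failure user=jsmith srcip=198.51.100.9
date=2026-06-02 time=09:00:04 type=event subtype=vpn action=ssl-login-fail status=failure user=jsmith srcip=198.51.100.9
date=2026-06-02 time=09:00:07 type=event subtype=vpn action=ssl-login-fail status=failure user=jsmith srcip=198.51.100.9
date=2026-06-02 time=09:00:11 type=event subtype=vpn action=tunnel-up status=success user=jsmith srcip=198.51.100.9
date=2026-06-02 time=09:30:00 type=event subtype=vpn action=tunnel-up status=success user=akhan srcip=192.0.2.44
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values are unquoted and
    date/time are combined into a datetime under the key 'ts'."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(
            fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def detect(lines, management_networks=MANAGEMENT_NETWORKS):
    """Return (rule, user, srcip, timestamp) tuples for events worth alerting on."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed VPN logins
    for line in lines:
        ev = parse_event(line)
        if "ts" not in ev:
            continue  # unparseable line; a real pipeline would count these too
        ts, user, src = ev["ts"], ev.get("user", "?"), ev.get("srcip")
        subtype, action, status = ev.get("subtype"), ev.get("action"), ev.get("status")

        # 1. Administrative login from a source outside the management network.
        if subtype == "system" and action == "login" and status == "success" and src:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in management_networks):
                findings.append(("admin_login_outside_management", user, src, ts))

        # 2. Configuration export / backup: a common precursor to offline
        #    credential cracking, so every occurrence is worth a ticket.
        if subtype == "system" and action == "backup":
            findings.append(("config_export", user, src, ts))

        # 3. Change to an administrator's access profile (privilege change).
        if ev.get("cfgpath") == "system.admin" and "accprofile" in ev.get("cfgattr", ""):
            findings.append(("privilege_change", user, src, ts))

        # 4. VPN login that succeeds shortly after repeated failures for the
        #    same user, the pattern a credential-stuffing hit leaves behind.
        if subtype == "vpn":
            if status == "failure":
                recent_failures[user].append(ts)
            elif status == "success":
                in_window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
                if len(in_window) >= FAILURE_THRESHOLD:
                    findings.append(("vpn_success_after_failures", user, src, ts))
                recent_failures[user] = []
    return findings


def detect_sample():
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, user, src, ts in detect_sample():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:32} user={user} srcip={src}")
```

On the sample, the login from the management host produces nothing, while the login from 203.0.113.77 and the export and profile change that follow it produce three findings in sequence; the jsmith VPN session is flagged because three failures precede the success within the window, and akhan's clean login is not. In production the same rules would run against the device's forwarded syslog in a SIEM, with the management ranges and thresholds tuned to the environment.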

Implement Privileged Access Management (PAM) 

Administrative accounts should be tightly controlled, subject to approval workflows where appropriate, and monitored through a Privileged Access Management solution. Standing privileged access should be minimised wherever possible. 

 

Segment Internal Networks 

A VPN connection should not provide unrestricted access to the corporate environment. Network segmentation can significantly limit the impact of a compromised account and reduce opportunities for lateral movement. 

 

Treat Identity as a Critical Security Boundary 

Ultimately, the most important lesson from FortiBleed is that credentials have become one of the primary attack vectors in modern cyber incidents. Protecting identities, administrative accounts and remote access pathways should be considered just as important as patching systems and managing vulnerabilities. 

As this incident demonstrates, organisations cannot always patch their way out of cyber risk - but they can significantly reduce it through strong identity and access management practices. 

Article written by our In-House Cyber Underwriting Consultant, Tim Hodgkins, and our Cyber Underwriting Analyst, Moaaz Mushtaq. Please contact them for more information, or visit our Cyber Knowledge Hub.

Moaaz Mushtaq
Cyber Underwriting Analyst

Tim Hodgkins
In-House Cyber Underwriting Consultant