Threat Briefing · Perimeter Security

FortiBleed, and the 247,000 Login Attempts We Watched

Roughly half the FortiGate firewalls on the internet had their admin credentials exposed. Here is how it happened, and what our own sensors see from the other side of the internet every day.

Deception Check Threat Briefing · June 25, 2026

Map of internet-exposed Fortinet devices — Internet-exposed Fortinet devices, concentrated in the U.S. but spanning 194 countries. Source: Shodan, June 2026.

The short version

A campaign called FortiBleed exposed verified administrator credentials for internet-facing FortiGate firewalls across 194 countries. Reported counts range from about 74,000 to 86,644 devices, roughly half of all FortiGate firewalls reachable from the internet. The root causes are mundane: unrotated default accounts and legacy password hashing, not a flashy zero-day. CISA issued an emergency advisory on June 18, 2026. We cannot see the offline cracking that sits at the center of FortiBleed, but we can see the machinery that feeds campaigns like it. In about three weeks, our honeypots logged more than 247,000 login attempts from thousands of unique addresses, overwhelmingly default and weak credentials driven by automation. That is the daily reality an exposed firewall login faces.

~86,644

FortiGate devices with exposed admin credentials

~50%

of internet-reachable FortiGate firewalls

63%

of cracked accounts were default or generic

What FortiBleed actually is

FortiBleed is not a single exploit. It is a credential-harvesting operation that turns exposed management and weak credential hygiene into a searchable database of working admin logins. The chain is straightforward, and most of it happens out of sight.

FortiBleed attack chain — The FortiBleed chain. The cracking step happens offline, on the attacker's hardware, which is why no honeypot sees it directly.

Attackers reached devices through exposed management interfaces, unrotated default accounts, or a separate FortiCloud single sign-on bypass (CVE-2026-24858, CVSS 9.4, added to CISA's Known Exploited Vulnerabilities catalog in January 2026). They pulled FortiGate configuration backups, which contain administrator password hashes, and cracked those hashes offline on GPU clusters. This was feasible at scale because many devices still stored credentials as salted SHA-256 rather than the stronger PBKDF2 that Fortinet introduced in late 2025, and because a backward-compatibility quirk kept old SHA-256 hashes in a hidden field that is readable in any configuration backup. The verified credentials were then organized by country, sector, and even target revenue.

Why it worked: the boring root cause

The most important number in this whole story is not a CVSS score. It is 63%. According to SOCRadar's analysis of the dataset, roughly six in ten compromised accounts were either generic administrator names or built-in Fortinet system accounts that had never been renamed. These were the most predictable credentials on the device, targetable before any cracking even began.

Account composition of the FortiBleed dataset — Composition of the compromised credential dataset. The default and generic slices are the soft target. Source: SOCRadar.

This is configuration hygiene, not a vulnerability in the usual sense. It persists because firewalls get deployed by different teams, maintained through managed service contracts, and inherited through acquisitions, and the deployment checklist that says "rename the default account" is applied inconsistently across tens of thousands of devices.

How exposed Fortinet really is

FortiGate is everywhere, and a lot of it is reachable from the open internet. A Shodan search for Fortinet returns 434,381 devices worldwide, with 63,713 in the United States alone, followed by India, Taiwan, Japan, and Italy. Exposure on its own is not compromise, but it is the precondition that every one of these campaigns depends on.

Internet-exposed Fortinet services in the U.S. by port — It is not just the count, it is what is exposed. Tens of thousands of devices expose the management plane directly. Source: Shodan.

Look at the services, not just the totals. In the U.S. alone, more than 21,000 devices expose port 541, the FortiGate management protocol, and another 15,000 expose port 10443, commonly used for SSL VPN and management. CISA's advisory was explicit that internet-exposed management interfaces are the precondition for the initial access phase, and removing that exposure eliminates an entire class of attack surface.

What we see from the other side of the internet

This is where our own data comes in, and where we want to be precise about what it does and does not show. FortiBleed's core is offline hash cracking, which happens on the attacker's hardware and never touches our sensors. We did not catch a FortiGate being compromised. What we run is a fleet of decoys, and what they capture is the front of the pipeline: the relentless, automated credential abuse that makes a campaign like this possible in the first place.

Over 25 days in June 2026, two of our SSH decoys alone recorded 1.34 million events, 216,854 sessions, and 218,731 login attempts from 4,646 unique IP addresses. Add a single one of our adaptive decoys for ten days and the login-attempt total crosses 247,000. This is not a spike. It is the steady background radiation of the internet.

Daily honeypot activity — Daily events on two SSH decoys in June 2026. The floor never drops. This is constant, automated, and indiscriminate.

What are they trying? Exactly the credentials that FortiBleed found waiting. The most common username by a wide margin is root, followed by admin and other generic names. The most common passwords are 123456, blank, and a handful of defaults. The recurring string 345gs5662d34 is not a guess at all, it is a scanner self-test canary, a tell that this is automated mass-scanning rather than human effort.

Top usernames sprayed against our decoys.

Top passwords sprayed. This is precisely what an unrotated firewall admin account faces every day.

The spray is not static: how it shifted from April to June

Because we hold several months of captures, we can watch the spray change shape over time, and the change is revealing. In April, the single most sprayed credential across our decoys was an admin account with a blank password, the exact FortiGate factory default, at 8.3% of all login attempts. By June, that blank password had slipped to second place behind 123456, and automated scanner self-test canaries like 345gs5662d34 had surged into the top tier. The mix is driven by whichever mass-scanning frameworks are most active in a given window, not by any deliberate human campaign.

Password spray comparison, April versus June 2026 — The same decoys, two months apart. The FortiGate documented default (admin, blank password) led the spray in April, then fell to second in June. The credential pressure never lets up, it just reshuffles.

The lesson for a defender is the uncomfortable part: the blank-password default did not stop being sprayed, it simply got crowded by other automation. An unrotated FortiGate admin account was a target in April, it is a target now, and it will be a target next month. The pressure is permanent. Only the ranking moves.

The automation does not stop at the login. Once into the decoy, the same scripts run the same playbook: reconnaissance with uname, a liveness check that prints "ok", and an SSH key implant (rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAA...") locked in place with chattr. We logged that key-implant sequence more than 10,000 times in a single month. We also see the decoys abused as relays, tunneling traffic toward other targets on port 443.

A caveat we want to state plainly We searched every dataset we hold, across three months, for Fortinet-flavored credentials. The exact string fortinet never appears, not once. The closest is root / Forten1883, which we logged 95 times, clustered in June. We are careful here. Forten is not Fortinet, and Forten1883 may have nothing to do with the vendor at all: it could just as easily reference Sarah Forten, the abolitionist who died in 1883. So we do not claim it as Fortinet-targeted. What we can say is that it is a real, actively-sprayed password, corroborated in the public toxyl/ossh-swarm-wordlists honeypot project in the same June windows. The firmer Fortinet tie in our data is not this one ambiguous string, it is the documented default credentials, which we turn to next.

The default that should not exist anymore

Here is the most direct tie to FortiBleed, and it comes from Fortinet's own documentation. The documented default FortiGate login is the username admin with a blank password, and Fortinet did not force a password change on first login until FortiOS 7.6.5. So a spray against admin with a blank or trivial password is, functionally, a spray against unconfigured FortiGate appliances. We see exactly that, constantly.

Fortinet-relevant credential guesses against the admin username — 6,895 attempts on the username admin from 742 IPs in June. The amber bars are Fortinet-documented defaults and policy-compliant guesses.

Of the 6,895 attempts on admin, 238 used a blank password, 605 used admin, and 453 used Fortinet's own documented weak example, p4ssw0rd and its variants. The detail we found most striking: 64 attempts used passwords that actually satisfy Fortinet's default 12-character complexity policy, things like P@ssw0rd@2026, Admin@123456, and Qwer1234!@#$. Attackers have learned that organizations meet the complexity rule with predictable patterns, so they spray complex-but-guessable passwords too. Meeting the policy is not the same as being safe.

We also checked three product-specific Fortinet defaults from the documentation, root / fortinet@123 (FortiAnalyzer), root / YAMS (FortiNAC), and root / ProspectHills (FortiSIEM). We saw none of them across three months of capture. That negative is its own lesson: spraying follows device population, so the ubiquitous FortiGate default gets hammered while niche appliance defaults sit quietly unprobed, and unwatched.

Where the sprays come from

We resolved the source addresses to networks using Team Cymru data, and the two patterns are tellingly different. The ambiguous Forten1883 string rode Russian and Vietnamese cloud, led by Yandex Cloud. The concrete Fortinet-default guessing concentrated somewhere more surprising: 232 of those attempts came from a single pair of hosts inside AS680 DFN, the German national research and education network, most likely compromised or misused research machines, and another 98 came from a Seychelles-registered, bulletproof-style host operating across Germany, Bulgaria, and the Netherlands.

Top source networks for the Fortinet-relevant admin sprays — Source networks behind the Fortinet-relevant admin guesses. ASN attribution via Team Cymru. Country is approximate, since registration and announcement geographies differ.

To be clear about the limits: we searched our SSH, Telnet, and operational-technology capture for Fortinet web indicators and found no direct Fortinet web exploitation. That traffic would land on our HTTP decoys, which are temporarily degraded. So the tie between what we see and FortiBleed is the credential-abuse behavior and the vendor-themed guesses, not a captured FortiGate exploit. That is an honest and, we think, more useful framing: the danger is not only the marquee campaign, it is the constant, cheap, automated pressure that turns one unrotated default account into a breach.

Why it matters

A perimeter firewall credential is a master key. With administrative access, an attacker inherits the internal network map, the ability to change routing and filtering, the VPN tunnel endpoints, and very often an authenticated path into Active Directory and the systems behind it. In the FortiBleed dataset, confirmed post-access activity already includes rogue VPN tunnels, extraction of internal routing tables, and lateral movement into domain controllers, across telecommunications, government, healthcare, finance, and energy.

A nuisance scanner and a nation-state-grade campaign use the same front door. The only difference is whether the default account was still there when they knocked.

What to do this week

CISA's guidance plus the reality our sensors show points to a clear, ordered response. Most of it is free.

This week

Get management off the internet. No FortiGate web console, SSH, or FortiCloud management should be reachable from the public internet. Put it behind a VPN or bastion, on a trusted management network.
Terminate sessions and rotate every admin credential. Assume exposed credentials are already in use. Rotate all administrator passwords, with priority on default, built-in, and generic accounts, and enforce unique, high-entropy passwords per device.
Rename or remove default and built-in accounts. This is the single change that would have neutralized most of the FortiBleed dataset.

This month

Verify your hashing and clear legacy hashes. Confirm your FortiOS version is at or past the PBKDF2 threshold (7.2.11, 7.4.8, 7.6.1), log in to each device after upgrading, and confirm the hidden legacy-hash field is cleared. Treat configuration backups as secrets.
Enforce phishing-resistant MFA. FIDO2 security keys or certificate-based authentication on every administrative and remote-access path. SMS and push are not enough.
Review FortiCloud SSO. Disable it on devices not yet patched against CVE-2026-24858, and re-enable only after a deliberate review of the cross-tenant trust it creates.
Watch the logs. Alert on new account creation, unexpected admin configuration changes, and VPN logins from unusual origins.

The deeper lesson

You cannot patch your way out of a default password, and you usually cannot see the spraying until it has already worked. That is the gap our sensors sit in. The same logic that makes a honeypot valuable applies inside a real network: a decoy administrator account, or a honeytoken that looks like a management interface or a credential in a config file, turns an attacker's very first attempt into a high-confidence alert, with nothing to patch and no legitimate reason for anyone to ever touch it.

This is the work we focus on at Deception Check. FortiBleed is a reminder that the perimeter is only as strong as the most predictable account behind it, and that the pressure on that account is constant, automated, and cheap. The front door is the firewall. Make sure the key is not still under the mat.

Find your exposed Fortinet management interfaces. Rotate the defaults. Turn on real MFA. Then watch the accounts you cannot fully lock down.

Sources

Cloud Security Alliance / CSAI, "FortiBleed: Default Credential Exploitation and Mass Fortinet Compromise," June 20, 2026.
SOCRadar, "FortiBleed 2026: 86,644 Fortinet Firewalls Compromised."
Arctic Wolf, "Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries," and "Inside FortiBleed: Reverse Engineering the CyberStrike Harvester."
Help Net Security, "74,000 Fortinet firewall credentials exposed in FortiBleed data leak," June 18, 2026.
CISA, "CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure," June 18, 2026.
SecurityWeek and SOCRadar, on CVE-2026-24858 (FortiCloud SSO authentication bypass).
The Hacker News, "AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries," February 2026.
Fortinet Community (PBKDF2 enforcement guidance) and Fortinet 2026 Global Threat Landscape Report.
Shodan, queries fortinet and fortinet country:US, June 2026.
Deception Check honeypot fleet, Cowrie and adaptive SSH captures, April to June 2026 (first-party).

About Deception Check

Deception Check builds deception and early-warning capabilities for the operational technology, healthcare, and enterprise systems that conventional tools struggle to protect. We operate a global honeypot research fleet and turn what attackers do in the open into detection that fires on the first move. This briefing is provided for educational purposes and references open, citable sources throughout.