On June 17, 2026, public reporting documented the large-scale exposure of credentials for internet-accessible FortiGate devices. Within 48 hours, CISA and the UK National Cyber Security Centre issued government alerts. Fortinet confirmed on June 19: this is not a new zero-day vulnerability, but an abuse campaign leveraging previously stolen credentials and brute-force techniques. The case illustrates the operational limit of traditional patching: even updated systems remain vulnerable if legacy hashes still circulate and migration to the PBKDF2 format has not been completed.
- CISA estimates exposed credentials associated with approximately 74,000 Fortinet devices, including firewalls and VPN gateways.
- The attack mechanism is credential reuse from prior incidents and brute-force/password-spraying, not a zero-day vulnerability.
- Fortinet explicitly cites CVE-2026-24858 and CVE-2025-59718 as sources of reused credentials in the June 2026 campaign.
- A patched device can remain compromised if PBKDF2 migration and legacy-hash removal are incomplete, allowing attacker persistence.
The Mechanism: Credential Reuse, Not Zero-Day
Qualys, in its technical analysis, classified FortiBleed as "not a newly disclosed Fortinet vulnerability." Credential reuse — stolen or exposed in prior incidents — represents the primary vector. Fortinet officially confirmed: "This is not a new Fortinet vulnerability, and this activity is not related to any recent incident or advisory."
The vendor identifies two documented sources of compromised credentials: FG-IR-26-060 (CVE-2026-24858, SSO auth bypass, CVSS 10, QID 44861) and FG-IR-25-647 (CVE-2025-59718, FortiCloud SSO SAML auth bypass, CVSS 10, QID 44862). Both CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, respectively since January 27, 2026 and December 16, 2025. CVE-2025-59719, related to FortiWeb, is mentioned by Qualys as potentially linked, but is not confirmed as an actual source of reused credentials in this campaign.
Alongside credential reuse, sources document brute-force and password-spraying against devices with administrative interfaces exposed to the internet. The combination of already-known credentials and systematic attacks against endpoints without multi-factor authentication created the attack surface.
"CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials. This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices." — CISA
The Numbers: Divergent Counts, No Verified Total
Scope estimates diverge significantly and cannot be reconciled into a single count. Qualys documented approximately 30,800 validated records in a specific subset, approximately 73,900 unique firewall URLs in an external dataset, approximately 75,000 devices in an independent analysis, and 86,644 records in further reporting. CISA indicated the figure of approximately 74,000 devices with exposed credentials.
Qualys explicitly warned: "These figures reflect different objects, snapshots, validation claims, and deduplication methods, so they should not be combined or treated as one verified count of compromised devices." The discrepancy is not contradictory: it reflects different counting objects — URLs, records, validated devices, government estimates — and non-comparable methodologies. CISA specifies "exposure of leaked credentials," not "compromised devices," underscoring the distinction between potential risk and verified unauthorized access.
The CISA figure, while representing a subset with validation criteria not publicly detailed, constitutes the only government estimate shared at the U.S. federal level.
The Persistence That Survives Patching
The technical core of the campaign lies in credential management, not new code. Qualys documented: "A patched device can remain exposed if credentials or configuration material were stolen before remediation, especially where PBKDF2 migration and legacy-hash cleanup are incomplete."
FortiOS 7.4, 7.6, and 8.0 use PBKDF2 for hashing administrative passwords. Earlier versions employed weaker schemes. Migration is neither automatic nor retroactive: if an administrator upgraded without resetting credentials and removing legacy hashes, an attacker in possession of historical material can still obtain valid access. This condition is independent of the presence of patches for recent vulnerabilities.
The operational impact exceeds the single edge device. FortiGate credentials integrated with corporate AD, LDAP, RADIUS, or APIs enable lateral movement within the internal network. An attacker with administrative access can create local accounts that persist through further updates, or extract configurations that include centralized authentication parameters.
What to Do Now
Actions documented by primary sources converge on five priorities:
- Verify PBKDF2 status and remove legacy hashes. CISA and Qualys explicitly indicate confirmation of PBKDF2 migration and elimination of weaker hashes as a prerequisite, not an option.
- Rotate all administrative and integration credentials. Fortinet requires reset of local passwords and credentials integrated with external services. Patching alone without rotation leaves the access vector intact.
- Terminate active sessions and revoke persistent tokens. Fortinet documents the need to interrupt existing sessions to remove access maintained by the attacker.
- Implement MFA on all exposed administrative interfaces. CISA, NCSC, and Fortinet converge: single-factor authentication is the condition that makes brute-force and credential reuse practical.
- Evaluate factory reset if there is evidence of compromise. NCSC recommends a full reset if there is indication of unauthorized access, since credential change may be insufficient against advanced persistence.
Fortinet adds attack-surface reduction: limit internet exposure of management interfaces. CISA lists configuration validation and log review as immediate actions. The concurrence of these recommendations — patching, rotation, PBKDF2, MFA, isolation — indicates that no single measure is sufficient.
The Sector: The Real Weakness Is Exposed Management Interfaces
FortiBleed does not introduce a new class of vulnerability. It confirms that credential management and exposure of administrative interfaces to the internet remain the most exploited vectors, even in the absence of zero-days. The campaign fits into a historical sequence documented by Qualys: CVE-2018-13379 (SSL-VPN path traversal, CVSS 9.1), CVE-2022-40684 (admin auth bypass), and three SSL-VPN heap-overflow vulnerabilities in 2022-2024. These CVEs are not confirmed vectors of the June 2026 campaign, but constitute the context of recurring targeting of Fortinet edge appliances.
The news angle is the hidden cost of incomplete migration. Organizations that invested in patching believed they had closed the attack window. The discovery that legacy hashes and unrotated credentials allow persistence even on updated systems forces a revision of the trust model: patching restores code integrity, not necessarily the confidentiality of credentials compromised previously.
The message for the sector is that security of critical network appliances requires a lifecycle that includes initial hardening, continuous patching, and — decisively — credential lifecycle management with explicit cryptographic migration. The failure to distinguish between these phases is what FortiBleed has made costly.
Questions and Answers
Is FortiBleed a new vulnerability requiring an urgent patch?
No. All primary sources — Qualys, CISA, Fortinet, NCSC — agree this is not a new zero-day vulnerability. The mechanism is abuse of previously exposed credentials and brute-force. Patching specific CVEs is necessary but not sufficient: it requires credential rotation and completion of PBKDF2 migration.
Why do the affected-device numbers vary so much across sources?
The counts reflect different objects: records in datasets, unique URLs, validated devices, government estimates. Deduplication and validation methodologies differ. Qualys explicitly prohibited combining them into a single total. The CISA figure — approximately 74,000 devices with exposed credentials — is the only official government estimate.
Can a FortiGate device updated to the latest version still be at risk?
Yes, if PBKDF2 migration has not been completed and legacy hashes have not been removed, or if credentials compromised in prior incidents have not been rotated. An attacker with valid credentials obtains administrative access regardless of the presence of patches for recent vulnerabilities.
Information has been verified against cited sources and is current as of publication.
Sources
- https://blog.qualys.com/vulnerabilities-threat-research/2026/07/08/fortibleed-fortigate-credential-reuse-internet-exposed
- https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
- https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways
- https://www.qualys.com/apps/vulnerability-management-detection-response