How the FortiBleed Campaign Compromised 430,000 FortiGates
fortibleedlynx ransomwarefortigatefortinetfortigatesnifferinc ransomcybersecuritycredential theftmfanetwork securitycve-2026-35616socradar

How the FortiBleed Campaign Compromised 430,000 FortiGates

The FortiBleed campaign did not rely on an exotic new zero-day in FortiGate firewalls. Instead, it was a methodical, large-scale credential-harvesting operation targeting over 430,000 FortiGate firewalls globally. Attackers systematically scanned the internet for exposed Fortinet devices, then attempted to gain access using known credential combinations. This approach, while fundamental, proved effective.

Diagram illustrating the FortiBleed campaign attack chain and FortigateSniffer operation
Diagram illustrating the FortiBleed campaign attack chain

How a Single Exposed Server Unmasked the Pipeline

Upon gaining initial access, the threat actors deployed a custom Golang tool named "FortigateSniffer." This tool exploits FortiOS's native diagnose sniffer packet command to passively intercept authentication traffic, capturing VPN credentials and other authentication data directly from the network. This mechanism effectively turned the perimeter firewall into a data exfiltration point for critical access credentials.

After harvesting, these credentials were sent to infrastructure designed for cracking password hashes and performing credential-stuffing attacks. The objective was clear: achieve deeper network penetration. STRU's investigation confirmed that this group successfully gained admin-level access on 409 targets. Of these, 354 saw the full attack chain completed, including VPN compromise, access to a domain controller, and acquisition of domain admin privileges. Persistent backdoor accounts, frequently using the username "adminin," were also established to maintain access.

The operational security lapse by the attackers provided critical intelligence for defenders. The exposed server contained not only over 110 million credentials but also artifacts demonstrating the threat actor's access to ransomware negotiation panels for both Lynx and INC Ransom. This included screenshots of browser sessions and victim communications. This evidence directly links an initial access broker to active ransomware operations. To date, at least 12 confirmed ransomware deployments, encrypting hundreds of endpoints, have been attributed to this campaign.

The Practical Impact of the FortiBleed Campaign: Your Credentials Are Their Entry Point

The FortiBleed campaign reveals a highly organized operation. This Russian-speaking group, estimated at around 20 individuals, operates with defined roles, internal tracking documents, and is under investigation for its use of AI tooling in vulnerability research, including efforts toward an undisclosed Nextcloud zero-day. They have also been observed exploiting CVE-2026-35616 in FortiClient EMS to deploy EKZ Stealer, a tool designed to extract credentials from web browsers. This indicates a professional criminal enterprise, not an opportunistic actor.

This operational security failure provided an uncommon, detailed view into an attacker's internal processes, offering critical intelligence for defenders. The scale of the operation is significant: 430,000 FortiGates targeted, 19,000 sniffers deployed, and approximately 11,000 devices remaining compromised even after initial notifications. This represents a broad sweep for easily exploitable targets, not a specialized attack.

Organizations operating FortiGate firewalls should recognize the serious implications of the FortiBleed campaign. The issue is not a new, unpatchable vulnerability in Fortinet products. It stems from fundamental security hygiene deficiencies: weak passwords, absence of multi-factor authentication (MFA), and credential reuse. Attackers are exploiting existing weaknesses. While manufacturing, technology, and logistics sectors, particularly in Latin America and Asia Pacific, are primary targets, any exposed FortiGate device presents a potential entry point.

What You Need to Do Now

SOCRadar is preparing a technical whitepaper with indicators of compromise (IoCs) and is coordinating responsible disclosure for the Nextcloud zero-day. However, immediate action is required. For more information on threat intelligence, visit SOCRadar.

A foundational step involves assuming all FortiGate administrator passwords are compromised and resetting them without delay. Concurrently, the implementation of multi-factor authentication (MFA) for all FortiGate admin accounts and VPN access is paramount. The absence of MFA represents a critical vulnerability that threat actors will consistently exploit.

Organizations must conduct a thorough review of their FortiGate configurations. This includes scrutinizing for any unauthorized modifications, with particular attention to newly created or suspicious "adminin" accounts. Examination of logs for unusual usage of the diagnose sniffer packet command can indicate potential FortigateSniffer activity. Furthermore, ensuring all FortiClient EMS installations are patched for CVE-2026-35616 is crucial to prevent EKZ Stealer deployment.

Proactive threat hunting is also essential. Security teams should actively search for signs of the FortigateSniffer, a Golang tool, by looking for unusual executables or processes on their FortiGate devices. Where feasible, segmenting FortiGates from other critical network assets and implementing stringent monitoring of their outbound connections will further enhance defensive posture.

Beyond immediate password resets and MFA implementation, organizations should consider advanced threat detection capabilities. Deploying network intrusion detection systems (NIDS) and security information and event management (SIEM) solutions can help identify anomalous activity indicative of the FortiBleed campaign's tools, such as FortigateSniffer. Regular security audits and penetration testing, focusing on external-facing Fortinet devices, are also critical to proactively identify and remediate vulnerabilities before they can be exploited by sophisticated threat actors like those behind the FortiBleed campaign.

Conclusion: Reinforcing Defenses Against the FortiBleed Campaign

The FortiBleed campaign serves as a stark reminder that even well-established security perimeters can be breached through basic credential compromise and a lack of robust security practices. The attackers' operational security failure provided an unprecedented look into the inner workings of an initial access broker directly linked to major ransomware groups like Lynx. This intelligence is invaluable for defenders.

By understanding the full scope of the FortiBleed campaign, from initial scanning to credential harvesting and domain compromise, organizations can implement targeted and effective defenses. Prioritizing strong passwords, mandatory MFA, vigilant log monitoring, and proactive threat hunting are not merely best practices; they are essential safeguards against the persistent and evolving threats exemplified by this widespread credential-theft operation. Protecting your FortiGate infrastructure is paramount to preventing your organization from becoming the next victim of the FortiBleed campaign.

Daniel Marsh
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.