FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure
By Hudson Rock | infostealers.com
Fortinet firewalls and VPN gateways serve as the primary defensive perimeter for countless organizations worldwide. However, a massive new cyber espionage campaign has silently compromised these highly trusted devices on an unprecedented global scale.
Originally discovered by security researcher Volodymyr “Bob” Diachenko, with further analysis from Hudson Rock and cybersecurity expert Kevin Beaumont, this dataset exposes a massive, automated operation. Threat actors successfully targeted 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains. Astonishingly, as Beaumont highlighted, this represents roughly 50% of all Fortinet firewall devices currently facing the internet.
Attacker Methodology & Unprecedented Scale
According to Diachenko’s investigative report, this campaign is orchestrated by a multi-operator, Russian-speaking cybercriminal group. The operation’s footprint is staggering: the attackers executed an estimated 1.16 billion credential attempts against over 320,000 FortiGate targets, alongside an additional 2.1 billion brute-force attempts directed at over 160,000 MSSQL servers.
The group’s methodology goes beyond simple credential reuse. They actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis. Once the perimeter is breached, the operators systematically pivot directly into internal Active Directory environments to establish deep network persistence.
This aggressive methodology has led to severe, real-world consequences. Diachenko’s research confirmed full network compromises at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. Most alarmingly, this includes a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated by the group.
Beaumont notes a sharp contrast between this incident and the prior “Belsen Group” leak of 15,000 devices from a 2022 zero-day. This dataset represents active, recent compromises—with many of the affected devices running recent patches. Furthermore, Beaumont observed that the formatting of the leaked data, which explicitly categorizes victims by company type, revenue, and country, is a hallmark of eCrime syndicates packaging initial access for sale on the dark web.
As Beaumont explains in his blog, the attackers likely exploited the older credential hashing mechanism to pull this off. Fortinet hardened admin credential storage in early 2025 by moving to PBKDF2, but the new format is only applied to an account once that administrator logs in after the firmware update. Consequently, many devices kept storing credentials in the older salted SHA-256 format, which is far cheaper to brute-force offline once the configuration files have been extracted.
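To make the difference between the two storage formats concrete, here is an added example (not code from Hudson Rock, Beaumont, or Fortinet) that models both schemes generically and measures how much CPU an offline guess costs under each. The salt size, PBKDF2 iteration count, and salt||password layout are assumptions for illustration; the page does not describe Fortinet's actual on-device encoding.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example only; they are not Fortinet's real
# on-device format, which the article does not specify.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 10_000


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Legacy-style storage: a single SHA-256 over salt||password (assumed layout)."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Hardened storage: PBKDF2-HMAC-SHA256 with a configurable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(stored: bytes, candidate: str, salt: bytes, scheme: str) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    if scheme == "sha256":
        computed = salted_sha256(candidate, salt)
    elif scheme == "pbkdf2":
        computed = pbkdf2_sha256(candidate, salt)
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return hmac.compare_digest(stored, computed)


def seconds_per_guess(scheme: str, guesses: int = 100) -> float:
    """Average wall-clock cost of checking one candidate password.

    This is the cost an attacker pays per guess after exfiltrating a config
    in the given format, so it is the number a defender should care about.
    """
    salt = os.urandom(SALT_BYTES)
    stored = salted_sha256("x", salt) if scheme == "sha256" else pbkdf2_sha256("x", salt)
    start = time.perf_counter()
    for i in range(guesses):
        verify(stored, f"candidate-{i}", salt, scheme)
    return (time.perf_counter() - start) / guesses


def slowdown_factor() -> float:
    """How many times more expensive each offline guess is under PBKDF2."""
    return seconds_per_guess("pbkdf2") / seconds_per_guess("sha256")


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)
    secret = "Tr0ub4dor&3!"  # constructed sample password
    legacy = salted_sha256(secret, salt)
    modern = pbkdf2_sha256(secret, salt)
    print("legacy verify:", verify(legacy, secret, salt, "sha256"))
    print("pbkdf2 verify:", verify(modern, secret, salt, "pbkdf2"))
    print(f"PBKDF2 makes each offline guess roughly {slowdown_factor():,.0f}x more expensive")
```

The point of the measurement is that a single salted SHA-256 is one compression function per guess, while PBKDF2 with even a modest iteration count multiplies that by the iteration count. A re-hash only happens when the account's password is processed again, which is why the mitigation below insists that every admin log back in after upgrading.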
High-Profile Victims Identified
The scale of this breach touches nearly every sector of the global economy. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.
Among the victims discovered in this dataset are massive multinational corporations, including:
- Foxconn
- Samsung
- Comcast
- Siemens
- Lenovo
- PwC
- Accenture
- Oracle
- …and thousands of others, including major government entities and critical infrastructure providers.
Inside the Data: The Attackers’ Logs
When examining the attacker infrastructure, it becomes clear how systematic and devastating this campaign is. The attackers maintained highly organized logs of successful breaches.
The Illusion of Password Complexity
A particularly alarming detail from this dataset is the high volume of extremely complex passwords that were successfully compromised. IT departments frequently lean on rigid password complexity rules as their main line of defense.
However, complexity is completely neutralized when passwords are recovered in plaintext. Whether threat actors leverage device exploits that expose plaintext credentials, or reuse credentials previously harvested by Infostealers, a 20-character complex string is just as vulnerable as a simple one. If the attackers are recycling known plaintext credentials to bypass perimeters, complexity policies offer no protection.
Recommended Mitigation Steps
To secure your network against this specific vector, we strongly recommend the following immediate actions:
- Remove Internet Exposure: Immediately ensure the FortiOS Management Interface is not exposed to the public internet unless absolutely necessary.
- Force Credential Rotation & Upgrade Hashing: Upgrade to the latest FortiOS release and have all admins log back in to force the system to re-hash passwords using the more secure PBKDF2 standard.
- Assume Compromise & Check for Backdoors: If you observe any suspect successful logins to admin accounts, assume the device is compromised. Attackers may have altered security controls or created backdoor users. In severe cases, replacing the device entirely may be required.
- Enforce Strict MFA: Ensure Multi-Factor Authentication is universally applied to all external gateways and admin interfaces, effectively neutralizing the threat of stolen plaintext passwords.
- Monitor for Stolen Credentials: Proactively monitor employee and third-party vendor credentials against threat intelligence databases to catch compromised passwords before they are weaponized against your perimeter.
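The third step above (assume compromise, look for suspect admin logins and backdoor users) is the one most teams struggle to operationalize. The following added example (not Hudson Rock's or Fortinet's code) runs two simple detections over constructed log lines: a successful admin login from outside an assumed trusted management range, and a configuration change that adds an object under the admin-user path. The field names approximate FortiOS key="value" event logs, but the lines are made up for this example and the trusted range is an assumption; check both against your own device's syslog output before relying on the rules.

```python
import ipaddress
import shlex

# Constructed sample log lines in a FortiOS-like key="value" style.
# They are illustrative only, not captured from a real device.
SAMPLE_LOGS = """\
date=2025-03-02 time=01:14:22 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.45 ui="https(203.0.113.45)" action="login" status="success"
date=2025-03-02 time=01:15:03 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=203.0.113.45 cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" action="Add"
date=2025-03-02 time=09:02:11 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.20.0.14 ui="https(10.20.0.14)" action="login" status="success"
date=2025-03-02 time=09:40:50 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.9 action="login" status="failed"
"""

# Assumed internal management network; replace with your real allow-list.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line: str) -> dict:
    """Split a key=value / key="quoted value" log line into a dict."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_trusted(ip_text: str) -> bool:
    """True if the source address falls inside an allowed management range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT)


def analyze(log_text: str) -> list:
    """Return (rule, timestamp, subject, source_ip) findings for suspect events."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        when = f"{f.get('date', '?')} {f.get('time', '?')}"
        src = f.get("srcip", "")
        # Rule 1: successful admin login from an address outside the trusted range.
        if f.get("logdesc") == "Admin login successful" and not is_trusted(src):
            findings.append(("untrusted_admin_login", when, f.get("user"), src))
        # Rule 2: a new object added under the admin-user configuration path,
        # the pattern a backdoor account creation would leave behind.
        if f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            findings.append(("admin_account_added", when, f.get("cfgobj"), src))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```

Run on the constructed sample, the script flags the 01:14 login from 203.0.113.45 and the admin account "svc_backup" created a minute later from the same address, while the internal netops login and the failed attempt stay quiet. In practice, feed it your exported event logs, and treat any hit on rule 2 from an untrusted source as grounds for the full assume-compromise response described above.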
🚨 Free Look-Up Tool for Affected Organizations
Because of the critical nature of this massive campaign, Hudson Rock is committed to performing ethical disclosures for affected organizations.
We have launched a dedicated portal where companies can verify if their domains are part of this compromised dataset. Following confirmation of impact, organizations can reach out directly through the tool to receive a full ethical disclosure regarding their exposure.
The free Hudson Rock lookup portal for affected organizations.
Example: Verifying if an organization like Comcast was compromised in the breach.
Global Scope: Top 30 Affected Countries
This campaign has a massive global footprint. Below are the top 30 countries impacted by this compromise, ranked by the number of breached devices:
Top 30 Affected Industries & Services
Telecommunications and IT Services took the heaviest hits, but the attacker’s net was cast incredibly wide. Here is the breakdown of the top 30 compromised sectors:
Conclusion
This massive incident serves as a glaring reminder that exposed network gateways combined with reused or stolen credentials are an attacker’s dream. Relying on password complexity policies is not enough to secure environments against data points harvested by Infostealers.
Check if your company has been exposed today by using Hudson Rock’s Free Fortinet Look-Up Tool.