A credential‑theft campaign dubbed FortiBleed has compromised more than 430 000 FortiGate firewalls worldwide, harvesting over 110 million authentication records, according to Dark Reading.
The theft spans credentials for RADIUS, NTLM, Kerberos and dozens of other authentication protocols, posing a severe risk to organisations that rely on these devices for network security.
The attackers deploy a Golang utility named FortigateSniffer that runs on the compromised device and pulls credentials from 24 different protocols, including RADIUS, NTLM and Kerberos, as detailed in the SOCRadar whitepaper.
Although no CVE identifiers have been linked to the intrusion, the tool relies on legitimate firewall commands to sniff traffic after an initial reconnaissance and credential‑stuffing phase.
Research from SOCRadar’s Threat Research Unit describes a five‑stage attack chain beginning with network scanning, followed by brute‑force attempts, traffic capture, data aggregation and exfiltration to servers believed to be operated by Russian‑speaking actors, as outlined in a SecurityAffairs report.
The motivation appears to be financial gain, with the stolen credentials likely sold on underground markets or used for further intrusion.
Observed activity started on 22 June 2026 and continued through 23 June 2026, indicating a short but intense wave of compromise.
While the threat actors have not been publicly attributed, the infrastructure, language artefacts and targeting of small‑to‑medium businesses in the United States and India point to a Russian‑origin operation.
Organisations should immediately rotate any credentials that may have traversed the affected firewalls and enforce multi‑factor authentication on all remote access points.
Reviewing firewall logs for unexpected authentication spikes, restricting management interfaces to trusted networks and ensuring firmware is up to date are also recommended steps.
Deploying network segmentation to isolate critical assets and monitoring for the distinctive FortigateSniffer binary or its network artefacts can help detect any residual presence.
Staying vigilant for anomalous outbound connections to unfamiliar IP ranges remains a prudent measure while investigations continue.