SOCRadar Discovers Active Fortinet Hacking Campaign – 30,000+ Firewall Credentials Exposed Corporate Networks Across 194 Countries

SOCRadar’s researchers have discovered a threat actor systematically compromising Fortinet firewalls and VPN gateways on a massive, global scale, silently building a verified database of working credentials across 194 countries, with the US as the #2 target.

The attacker’s database contains login credentials for 30,791 devices belonging to companies, banks, telecom operators, hospitals, universities, government agencies, energy companies and multinational corporations with revenues in the tens of billions of dollars. Government entities alone account for 591 entries across 111 domains, and telecoms are among the most heavily targeted sectors, with 5,616 entries.

The credentials are verified, working usernames and passwords, tested and confirmed by the attackers themselves with automated tools that run around the clock. They were leaked from Fortinet devices in earlier incidents, which means many of the affected organizations never changed their passwords after a prior breach. The attackers know this, and they are counting on it. The practical check follows directly: if a Fortinet device was exposed in one of those earlier leaks and its administrator and VPN passwords have not been rotated since, assume those credentials are in this database.

The operation is fully automated. The attackers scan the internet for Fortinet devices, try a curated list of known passwords against each one, and record every successful login. Once a device is compromised, they use it as a listening post, monitoring the traffic that passes through it and harvesting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise still more devices. The system feeds itself.
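The pattern described above leaves a recognizable trace on the target: a single source address fails logins against several different administrator accounts in quick succession and then succeeds on one of them. The script below is an added example of detecting that trace in FortiGate-style admin login events; it is not SOCRadar's tooling and not code from this post. The log lines are constructed: the field names follow FortiGate's key=value event-log conventions (date, time, srcip, user, action, status, logdesc), which is an assumption you should verify against your own firmware's log reference, and every timestamp, address and account name is made up.

```python
"""Spot credential-stuffing logins in FortiGate-style admin login events.

Added example for this post; not SOCRadar's tooling or the blog's code.
SAMPLE_LOGS is constructed: field names follow FortiGate's key=value
event-log conventions (assumed; check your firmware's log reference),
and all timestamps, addresses and account names are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# key=value pairs; a value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = """\
date=2024-03-01 time=07:00:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=08:00:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=08:00:05 type="event" subtype="system" logdesc="Admin login failed" user="fortiadmin" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=08:00:09 type="event" subtype="system" logdesc="Admin login failed" user="vpnuser" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=08:00:20 type="event" subtype="system" logdesc="Admin login successful" user="backup" srcip=203.0.113.10 action="login" status="success" reason="none"
date=2024-03-01 time=09:00:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=09:00:10 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.7 action="login" status="success" reason="none"
date=2024-03-01 time=10:00:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.99 action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=10:00:03 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.99 action="login" status="failed" reason="passwd_invalid"
"""


def parse_line(line):
    """Turn one key=value log line into a dict, stripping value quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def event_time(event):
    return datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")


def find_stuffing(lines, window_s=600, min_users=3):
    """Flag a successful login preceded, from the same source IP and within
    window_s seconds, by failures against at least min_users distinct accounts.
    A single mistyped password followed by success (one account) is ignored, as
    is a source that only fails; the signal is breadth of accounts plus success."""
    events = [parse_line(l) for l in lines if l.strip()]
    events = [e for e in events if e.get("action") == "login" and "srcip" in e]
    events.sort(key=event_time)

    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["srcip"]].append(e)  # order within each IP stays chronological

    findings = []
    for ip, evs in per_ip.items():
        for i, e in enumerate(evs):
            if e.get("status") != "success":
                continue
            t = event_time(e)
            prior = [p for p in evs[:i]
                     if p.get("status") == "failed"
                     and (t - event_time(p)).total_seconds() <= window_s]
            users = {p["user"] for p in prior}
            if len(users) >= min_users:
                findings.append({
                    "srcip": ip,
                    "compromised_user": e["user"],
                    "tried_users": sorted(users),
                    "failures": len(prior),
                    "time": t.isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in find_stuffing(SAMPLE_LOGS.splitlines()):
        print(f"{f['time']} {f['srcip']} succeeded as {f['compromised_user']} "
              f"after {f['failures']} failures on {f['tried_users']}")
```

On the constructed sample, only 203.0.113.10 is reported: it fails against three accounts within ten minutes and then logs in as a fourth, while the earlier 07:00 failure falls outside the window. The 198.51.100.7 operator who mistyped one password and the 203.0.113.99 source that never succeeds are left alone. Tune window_s and min_users to your own admin login volume, and feed SSL VPN login events through the same logic once you have confirmed their field names on your firmware.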

To read the full research, see SOCRadar’s report, FortiBleed: How 30,000 Fortinet Firewalls Exposed Corporate Networks Quietly.
