⚠️ CISA Alert — June 18, 2026
CISA issued an urgent advisory on June 18, 2026 urging all Fortinet FortiGate customers to take immediate action. As of June 19, 86,644 devices have been confirmed compromised. If your business runs a Fortinet firewall or VPN gateway, this requires attention today.
A large-scale credential attack campaign against Fortinet FortiGate firewalls and VPN gateways — now being tracked under the name FortiBleed — has compromised 86,644 devices across 194 countries as of June 19, 2026. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory on June 18 urging Fortinet customers to take immediate remediation steps.
For businesses in Connecticut and New York running Fortinet infrastructure — including our managed clients — this is a priority response situation, not a monitor-and-wait one.
What FortiBleed Is and How It Works
FortiBleed is a fully automated, two-stage credential attack campaign believed to be the work of Russian-speaking threat actors. The attack works as follows:
- Stage 1 — Mass credential spraying. Attackers scan the internet for exposed Fortinet remote login endpoints — management interfaces and SSL VPN portals. They then spray those endpoints with a curated list of known Fortinet credentials sourced from prior data breaches and default configurations.
- Stage 2 — Passive credential harvesting. Once access is established on a device, the attacker passively monitors network traffic passing through it to collect additional credentials. Those credentials are then used to compromise more devices — creating a self-sustaining attack loop.
What makes this particularly effective is that the attack doesn't need to exploit a software vulnerability. It uses legitimate, valid credentials. The attackers verify each credential before adding it to their database. They've built what security researchers at Hudson Rock describe as a verified database of working logins for some of the largest enterprises on the planet.
Why So Many Devices Were Compromised
The scale of FortiBleed comes down to two persistent failures that are common across SMB environments:
Default and factory credentials were never changed
According to analysis from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. That means nearly two-thirds of compromised devices were running default or factory accounts that were never renamed or rotated. The attacker had a highly reliable target list before any brute force was even needed.
Legacy password hashing left credentials exposed
Fortinet introduced stronger PBKDF2-based password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing a weaker legacy SHA-256 mechanism. The problem: when organizations upgrade from earlier versions, existing administrator passwords remain stored as the weaker SHA-256 hash until that administrator logs in after the upgrade. Many organizations never completed that final step, leaving their credentials in a format the attackers could crack more easily.
The result: organizations that thought they had upgraded to a more secure version were still carrying vulnerable credential storage from their previous configuration.
Who Is Being Targeted
The top three impacted sectors are telecom, government, and education — but FortiBleed is not a targeted campaign. It's opportunistic at scale. The most affected countries are India, the U.S., Mexico, Colombia, and Thailand. Financial services, legal, and healthcare organizations — the verticals we serve — all appear in the compromised dataset.
If your Fortinet device has a management interface or SSL VPN portal exposed to the internet with default accounts or unrotated credentials, your exposure is real.
What CISA Is Telling You to Do Right Now
CISA's June 18 advisory is specific. These are not general recommendations — they are concrete actions to take immediately:
1. Terminate all active SSL VPN and administrative sessions
Kill current sessions before taking any other action. Active sessions may already be attacker-controlled, and resetting passwords while a session is active doesn't immediately remove access.
2. Reset all Fortinet VPN and administrative passwords
Reset every administrative account on every internet-facing Fortinet device. Use strong, unique passwords — not variations of previous passwords that may already be in the attacker's dataset.
3. Enforce PBKDF2 password hashing for all administrator credentials
Verify that your FortiOS version supports PBKDF2 (7.2.11, 7.4.8, or 7.6.1+) and that all administrators have logged in post-upgrade so their credentials are stored with the stronger hashing mechanism. Remove any remaining legacy SHA-256 hashes.
4. Enable phishing-resistant MFA on all external gateways and admin interfaces
MFA should already be on your Fortinet management interfaces. If it isn't, enabling it now is the highest-priority control you can add. Phishing-resistant MFA — hardware keys or certificate-based authentication — is preferred over SMS or app-based push for administrative access.
5. Review logs for signs of unauthorized access
Check your firewall logs, VPN authentication logs, and domain controller logs for suspicious activity — unauthorized configuration changes, logins from unusual geographies or at unusual hours, or sign-ins from unknown devices. If you find evidence of unauthorized access, treat it as an active incident and escalate accordingly.
6. Reduce your attack surface
If your Fortinet management interface doesn't need to be internet-accessible, take it off the internet. Restrict administrative access to known IP ranges or require it to go through a separate management network or zero-trust access path.
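As an added illustration of the log review in step 5 (not code from CISA, Fortinet, or this post), the script below parses FortiGate-style key=value VPN event lines and flags the patterns described above: one source IP failing logins across many usernames (spraying), a successful tunnel from an IP that was just failing, and logins outside business hours. The field names (remip, user, action, time), the action values, and the sample lines are assumptions constructed for this example; check them against your own FortiOS log format before use.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value syslog format.
# Field names and action values are assumptions, not real customer data.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:14:01 type=event subtype=vpn action="ssl-login-fail" user="admin" remip=203.0.113.7
date=2026-06-18 time=02:14:03 type=event subtype=vpn action="ssl-login-fail" user="fortinet" remip=203.0.113.7
date=2026-06-18 time=02:14:05 type=event subtype=vpn action="ssl-login-fail" user="maintainer" remip=203.0.113.7
date=2026-06-18 time=02:14:09 type=event subtype=vpn action="tunnel-up" user="admin" remip=203.0.113.7
date=2026-06-18 time=09:30:12 type=event subtype=vpn action="tunnel-up" user="jsmith" remip=198.51.100.20
"""

# key=value pairs; values may be quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def review(log_text, spray_threshold=3, business_hours=(7, 19)):
    """Return (finding, remip) tuples that deserve a human look.

    spray_threshold: distinct usernames failing from one IP before we flag it.
    business_hours:  [start, end) local hours considered normal for VPN logins.
    """
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    failed_users = defaultdict(set)   # remip -> usernames that failed from it
    findings = []
    for e in events:
        ip, user, action = e.get("remip"), e.get("user"), e.get("action", "")
        hour = int(e["time"].split(":")[0])
        if action.endswith("login-fail"):
            failed_users[ip].add(user)
            # flag once, at the moment the IP crosses the threshold
            if len(failed_users[ip]) == spray_threshold:
                findings.append(("credential spraying", ip))
        elif action == "tunnel-up":
            # a success right after failures from the same IP is the spray paying off
            if failed_users[ip]:
                findings.append(("success after failures", ip))
            if not business_hours[0] <= hour < business_hours[1]:
                findings.append(("off-hours VPN login", ip))
    return findings


if __name__ == "__main__":
    for finding, ip in review(SAMPLE_LOGS):
        print(f"{finding}: {ip}")
```

Any hit for an administrative account should be treated as an active incident per step 5, and the threshold values should be tuned to your own baseline of failed logins.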
What This Means If You Use Fortinet
Fortinet's own statement characterizes the data involved as likely coming from prior incidents and brute-force attacks rather than a new vulnerability — which is consistent with what researchers have documented. But that framing shouldn't minimize the urgency. The credentials are real. The access is real. And the attack is ongoing.
The U.K. National Cyber Security Centre (NCSC) has confirmed FortiBleed as a global campaign and described it as using brute-force, dictionary attacks, and credential stuffing against internet-facing Fortinet devices. The combination of poor password hygiene, unchanged default accounts, and legacy credential storage created the conditions for a breach at this scale.
If You're a Moore Technology Consulting Client
We are actively reviewing all managed Fortinet environments this week in response to this advisory. If you have questions about your specific configuration or want to confirm your exposure status, reach out directly — don't wait for your next scheduled check-in.
What to Do If You're Not a Managed Client
If you're running Fortinet infrastructure and managing it yourself or with a break-fix provider, the six CISA actions above are your immediate checklist. The most time-sensitive items are terminating active sessions and resetting passwords — those can be done today without waiting for a maintenance window.
If you're not certain whether your Fortinet device has its management interface exposed to the internet, check your firewall rules and verify what's accessible from outside your network. Exposure you don't know about is the most dangerous kind.
Sources
- CISA Advisory: Urges Hardening of Fortinet Devices, June 18, 2026
- The Hacker News: CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
- UK NCSC Advisory on FortiBleed Global Campaign