The device that protects your network became the device that spies on your network. FortiBleed, discovered in June 2026 when the attacker's operational server was exposed, revealed an industrial-scale operation: 430K FortiGate firewalls mapped as targets, 86K+ with verified compromised credentials, 19K+ actively being used as traffic sniffers. The firewall that should filter attacks was capturing credentials in real time. We analyzed the data and the signal is clear: this is not a code bug — it is a structural credential hygiene failure.
The scale: 430K firewalls, 86K+ credentials, 19K+ active sniffers
The numbers are what terrify. According to data exposed on the attacker's operational server, 430K FortiGate firewalls were mapped as potential targets. Of those, 86K+ had verified compromised credentials — the attacker confirmed the credentials worked. And 19K+ were actively being used as traffic sniffers, capturing credentials in real time from the traffic flowing through them.
This is not a one-off attack. It is an industrialized operation that turned the victim's security infrastructure into its own espionage infrastructure. Every compromised firewall becomes a permanent listening point — and collects more credentials that fuel more scanning.
The technique: FortigateSniffer and the legitimate command that becomes a weapon
The technique is what sets FortiBleed apart from conventional attacks. According to the operation analysis, a Golang tool called FortigateSniffer abuses a legitimate FortiOS command: diagnose sniffer packet. This command exists for network diagnostics — the firewall executes it as part of its normal functionality.
FortigateSniffer monitors 24 protocols: Kerberos, LDAP, SMB, RADIUS, NTLM, MySQL, FTP, Telnet, RDP, SMTP, and others. Zero malware. The firewall executes its own network diagnostic, but the attacker reads the output via SSH. The tool operates only from 07:00 to 18:00 Moscow time — business-hours evasion that reduces the chance of detection by off-hours teams. GeoIP filtering restricts sniffing to specific ranges, limiting exposure to target networks. According to the data, 6,127 devices showed an SSH validation success rate of approximately 90%.
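The detection point that follows from the paragraph above is that the sniffer leaves a trace in the firewall's own event log: a diagnose sniffer packet invocation over an SSH session. The script below, added here as an illustration and not code from the article or from Fortinet, parses a few constructed log lines in an assumed FortiOS-style key=value layout (field names such as ui, action and msg are assumptions, not copied from a real device) and alerts on sniffer invocations that come from outside a management allowlist or whose capture filter names a credential-bearing port. Time of day is deliberately not used as a criterion, because the operation ran during business hours precisely to blend in.

```python
import re
from collections import Counter

# Constructed sample lines in a FortiOS-style key=value event-log layout. Field names and
# values are assumptions for this example, not output copied from a real FortiGate;
# addresses use documentation ranges.
SAMPLE_LOGS = """
date=2026-06-10 time=09:14:02 devname="fgt-edge-01" type="event" subtype="system" user="admin" ui="ssh(203.0.113.44)" action="execute" msg="diagnose sniffer packet any 'port 88 or port 389 or port 445' 3 0 a"
date=2026-06-10 time=09:15:40 devname="fgt-edge-01" type="event" subtype="system" user="admin" ui="ssh(203.0.113.44)" action="execute" msg="diagnose sniffer packet any 'port 1812' 3 0 a"
date=2026-06-10 time=11:02:11 devname="fgt-edge-01" type="event" subtype="system" user="netops" ui="ssh(10.10.0.5)" action="execute" msg="diagnose sniffer packet wan1 'host 10.10.0.9' 4 10"
date=2026-06-10 time=11:30:00 devname="fgt-edge-01" type="event" subtype="system" user="admin" ui="https(10.10.0.5)" action="login" msg="Administrator admin logged in successfully"
""".strip().splitlines()

# Ports that carry reusable authentication material; mirrors the protocol list in the article.
CREDENTIAL_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 1812: "radius",
                    3306: "mysql", 21: "ftp", 23: "telnet", 3389: "rdp", 25: "smtp"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r'^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$')
PORT_RE = re.compile(r'\bport\s+(\d+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping the quotes around values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def sniffer_events(lines):
    """Return every parsed event whose msg is a 'diagnose sniffer packet' invocation,
    annotated with the access protocol, the source address and the credential protocols
    named in the capture filter."""
    events = []
    for line in lines:
        f = parse_line(line)
        if not f.get("msg", "").startswith("diagnose sniffer packet"):
            continue
        m = UI_RE.match(f.get("ui", ""))
        f["ui_proto"] = m.group(1) if m else f.get("ui", "")
        f["src_ip"] = m.group(2) if m else None
        f["cred_protocols"] = sorted({CREDENTIAL_PORTS[int(p)] for p in PORT_RE.findall(f["msg"])
                                      if int(p) in CREDENTIAL_PORTS})
        events.append(f)
    return events


def audit(lines, trusted_mgmt_hosts):
    """Alert on sniffer invocations from outside the management allowlist or whose filter
    targets credential-bearing ports. No time-of-day rule: the campaign ran inside
    business hours to defeat exactly that kind of check."""
    alerts = []
    per_source = Counter()
    for ev in sniffer_events(lines):
        per_source[ev["src_ip"]] += 1
        reasons = []
        if ev["src_ip"] not in trusted_mgmt_hosts:
            reasons.append("source not in management allowlist")
        if ev["cred_protocols"]:
            reasons.append("capture filter targets " + ",".join(ev["cred_protocols"]))
        if reasons:
            alerts.append({"time": ev["date"] + " " + ev["time"], "user": ev["user"],
                           "src_ip": ev["src_ip"], "reasons": reasons})
    return alerts, per_source


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOGS, trusted_mgmt_hosts={"10.10.0.5"})
    for a in found:
        print(a)
    print("sniffer invocations per source:", dict(counts))
```

On the sample, the two invocations from 203.0.113.44 are flagged on both criteria, while the netops capture of a single host from the management jump box is left alone. In practice the allowlist should be the same set of hosts permitted by the admin trusthost settings, so that a sniffer started from anywhere else is an anomaly by construction.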
The cracking infrastructure: 45 GPUs, Telegram bot, and self-feeding loop
Offline cracking is orchestrated by a 45-GPU cluster via Vast.ai, coordinated by a Telegram bot called HASHBOT. According to the operation data, the attacker does not merely crack passwords — they industrialized the process. HASHBOT manages the cracking pipeline and feeds results back into scanning.
The loop is self-feeding: credentials collected by sniffers fuel more scanning, which compromises more firewalls, which become more sniffers, which collect more credentials. Every compromised firewall is not just a victim — it is a new sensor in the attacker's espionage network.
The numbers: 110 million credentials, but the details matter
According to the exposed data, 110 million credentials were identified across 659 collection pipelines. But the details matter: 81% are MySQL tokens (89 million). The operationally significant ones total approximately 16 million — 14.8 million RADIUS, 924K NTLM, 130K Kerberos. These are the ones that actually enable access to critical infrastructure.
The account profile is revealing: 63.3% were admin default or generic — 35% generic admin and 28.3% Fortinet built-in accounts. This is not sophisticated cracking. It is credential hygiene. A NATO defense contractor (Turkey) had classified documents and DFS backups exfiltrated. CISA issued an emergency advisory on June 18. Fortinet published a response on June 19.
Not a new vulnerability — a hygiene failure
Fortinet publicly confirmed: "This is not a new Fortinet vulnerability." Previous CVEs (CVE-2026-24858, CVE-2025-59718, CVE-2022-42475, CVE-2018-13379) created credential pools that were aggregated over time. The attacker did not need a zero-day — they needed credentials that were already compromised.
The PBKDF2 introduced in late 2025 only protected admins who logged in after the patch. The old-password field in config backups maintained legacy hashes — old passwords remained vulnerable even after the patch. And 25-character passwords appeared in the dataset via infostealers on workstations, not via cracking. Password complexity alone is not enough when the attacker collects the credential before it reaches the firewall.
The self-feeding loop: the structural threat
The self-feeding loop is the structural threat. Every compromised firewall becomes a listening point that collects more credentials, which fuel more scanning. It is an industrialized operation that sustains itself. According to Mysterium VPN, the attacker is likely SantaAd, a Russian IAB (Initial Access Broker) that sells access starting at $60K.
The business model is clear: compromise firewalls with leaked credentials, use them to collect more credentials, sell access to compromised infrastructure. The entry cost is low — default credentials and built-in accounts represent 63.3% of the total — and the return is high: access to entire corporate networks.
CISA and Fortinet: official responses
CISA issued an emergency advisory on June 18, 2026. Fortinet published an official response on June 19. Both organizations agree on one point: management interface exposure to the internet is the structural problem. There is no patch for default credentials. There is no hotfix for built-in accounts that were never rotated. The fix is architectural, not a code change.
Conclusion: you cannot patch your way out of a default credential problem
We repeat: you cannot patch your way out of a default credential problem. FortiBleed does not exploit a code bug — it exploits a hygiene failure that has persisted for years. Previous CVEs created credential pools. Built-in accounts were never rotated. Management interfaces remained exposed to the internet. PBKDF2 only protected those who logged in after the patch. Infostealers collected 25-character passwords on workstations before they reached the firewall.
The fix is rotated credentials, MFA, and management interfaces taken off the internet. There is no shortcut. At Tech86, we help companies audit and fix exactly this kind of structural failure — before the firewall that should protect the network becomes the device that spies on the network.
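The three fixes above can be checked directly against a configuration backup. The script below is an added example, not code from the article, from Tech86 or from Fortinet; it parses a constructed FortiOS-style configuration excerpt (the content is made up for this example and the password hashes are placeholders) and reports interfaces with the wan role that still expose management services, admin accounts without trusthost restrictions, accounts without two-factor authentication, and the default "admin" account name still in use. The config keys allowaccess, role, trusthostN and two-factor are standard FortiOS settings; the parser handles only the config/edit/set/next/end grammar needed for these two sections.

```python
import shlex

# Constructed FortiOS-style configuration excerpt (assumed content for this example, not a
# real device's backup). Password hashes are replaced with a placeholder.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER_HASH
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC PLACEHOLDER_HASH
    next
end
"""

# Services that constitute a management interface when reachable from the internet.
MGMT_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_config(text):
    """Parse config/edit/set/next/end into {section: {entry: {key: [values]}}}.
    Nested 'config' blocks inside an entry are tracked for depth but not stored."""
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))
            sections.setdefault(stack[0], {})
        elif cmd == "edit" and len(stack) == 1:
            entry = args[0]
            sections[stack[0]].setdefault(entry, {})
        elif cmd == "set" and len(stack) == 1 and entry is not None:
            sections[stack[0]][entry][args[0]] = args[1:]
        elif cmd == "next" and len(stack) == 1:
            entry = None
        elif cmd == "end":
            stack.pop()
    return sections


def audit_config(text):
    """Return (subject, finding) pairs for the structural problems the article names."""
    cfg = parse_config(text)
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append((f"interface {name}",
                             "management services reachable on WAN interface: " + ",".join(sorted(exposed))))
    for name, admin in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append((f"admin {name}", "no trusthost restriction"))
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append((f"admin {name}", "no two-factor authentication"))
        if name == "admin":
            findings.append((f"admin {name}", "default built-in account name still in use"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_config(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

On the sample, wan1 is reported for https and ssh, and the built-in admin account is reported three times, while netops passes because it has both a trusthost and a FortiToken. Run against a real backup, a clean report means the device satisfies the three conditions the article names; it says nothing about whether the passwords themselves have already leaked, which is why rotation belongs in the fix regardless of what the audit shows.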
