An update on FortiBleed – what's happening with victim orgs


By Kevin Beaumont · DoublePulsar · Jun 2026


Cybersecurity from the trenches, written by Kevin Beaumont. Opinions are of the author alone, not their employer.


7 min read · 2 days ago


Two days ago I wrote something about FortiBleed:

FortiBleed — 75k Fortinet firewalls have admin passwords cracked
A look inside a massive dump of allowing access to organisations protected by Fortigate firewall solutions.

doublepulsar.com

Fortinet told media orgs the data was from prior breaches and bruteforcing. That isn’t true — or at least, not the full story. We’ll get into that in this blog. I’ve been working with impacted organisations to help them remediate — they’ve given me logs in return.

CloudSEK has a really good look inside the threat actor infrastructure here; it’s well worth a look if you’re a breach nerd:

Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind |…
An exposed attacker server has revealed FortiBleed's complete operation-from credential harvesting and GPU-powered…

www.cloudsek.com

CloudSEK’s blog is great, but there are certain areas I’d like to add context to. For example, the reason certain password credentials are repeated across victims is because a ransomware group was backdooring devices a while ago — using the same passwords. In fact, from looking into this — a staggering number of Fortigate customers are already backdoored, essentially via dormant admin accounts, waiting for future breaches.

I disagree on their conclusion — yes, only about a thousand orgs were definitely compromised internally by this attacker based on the opendir evidence; however, they performed logins at scale, performed full config exports and cracked credentials at scale across tens of thousands of Fortigate devices. They are currently trying to resell these credentials. Also, a thousand orgs getting pwned in itself is... not fun. Let’s get into my perspective.

How they did it

The attacker made a big error and put parts of their attack infrastructure in an open directory anybody could access at 85.11.187.8 on port 9999. This gives much evidence about what they were up to.

The attacker essentially scanned the internet, discovered Fortigate boxes, logged in (it’s not quite clear exactly how this bit worked, but most likely prior unpatched vulnerabilities or prior backdoor admin accounts) and then exported the full Fortigate configuration. Then, offline, they cracked the password hashes to reveal the plain text passwords of all users on the box. They are currently attempting to sell the credentials online on forums as FortiVPN client credentials. This will allow follow-on breaches.

The password cracking was hosted at a GenAI company which rents GPU compute. The attacker rented 36 enterprise-class GPUs — more than most large orgs have for internal AI efforts — and instead of using them for AI tasks, they used them for password cracking. Enterprise GPUs can crack passwords at scale very quickly.

This is a side effect of the drunk GenAI stupidity gripping organisations worldwide. Getting a 36-GPU Nvidia cluster a few years ago would have required talking to providers, getting racks and lots of setup. Now? Get a VISA card, rent by the hour and log in a few minutes later. All your irreversibly encrypted passwords aren’t looking so hot in the age of on-demand compute at scale, where attackers who put things in open web directories can bruteforce large volumes of passwords at scale.

(pic from CloudSek, borrowed from the threat actor)

Config dumping at scale

All of the orgs I’ve helped have experienced dumping of their Fortigate configs over the past month. Every one was a listed FortiBleed victim, and every one had their configs exported.

It is visible in Fortigate logs — go to System, Events, and filter Messages for config (or *config* depending on the version of FortiOS). You will see messages saying the config has been exported, listing a user. You’ll see a mix of admins and REST API accounts doing the exports.

Here are IPs I have seen exporting device configs during the past month:

193.8.186.7
80.75.212.113
213.21.239.65
208.94.246.58
69.195.129.144
96.45.42.173 (yes, this one is Fortigate’s ASN and their SASE solution — no, I don’t know how this is happening).

These configs then had passwords cracked by the threat actor — giving them a large volume of new credentials.

I have published the full unredacted IP list of devices with known credentials and config dumps here — the victims, if you want to identify yourself:

http://owned.lab6.com/~gossi/research/public/fortibleed/some-fortibleed-ips.txt

GAYINT has published the victim domain list — to be clear, this is based on the Fortiguard...
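The GUI filter described above (Messages containing "config") is easy to run by hand on one box, but the same triage is worth doing over exported syslog when you manage many Fortigates. The script below is an added example, not code from the post or from Fortinet: it parses FortiOS-style key=value event lines, applies the broad "config" filter the post suggests, narrows the hits to export/backup-style messages, pulls the source IP out of the `srcip` or `ui` field, and flags any event whose source is one of the six IPs listed above. The log lines, field names (`logdesc`, `action`, `ui="https(<ip>)"`, `ui="REST API(<ip>)"`) and the export keywords are assumptions that approximate real FortiOS output; verify them against your own device's log format before relying on the result.

```python
"""Triage FortiGate event logs for configuration exports (added example, not from the post)."""
import re
from dataclasses import dataclass

# IPs the post reports exporting device configs during the past month (taken from the page).
WATCHLIST = {
    "193.8.186.7", "80.75.212.113", "213.21.239.65",
    "208.94.246.58", "69.195.129.144", "96.45.42.173",
}

# Verbs that distinguish an export/backup message from ordinary config-change noise (assumed).
EXPORT_VERBS = ("export", "backup", "backed up", "download")

# FortiOS event logs are key=value pairs; values are optionally double-quoted and may contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines in FortiOS key=value style; field names approximate real FortiOS logs.
SAMPLE_LOGS = [
    'date=2026-05-20 time=03:14:07 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Configuration backed up" user="admin" ui="https(193.8.186.7)" '
    'action="backup-config" msg="Configuration is backed up"',
    'date=2026-05-20 time=03:15:22 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Configuration backed up" user="api-backup" ui="REST API(203.0.113.10)" '
    'action="backup-config" msg="Configuration is exported"',
    'date=2026-05-21 time=09:02:11 type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Object attribute configured" user="netops" ui="https(198.51.100.7)" '
    'msg="Edit system.interface port1"',
    'date=2026-05-21 time=09:02:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" '
    'msg="Administrator admin logged in successfully from https(198.51.100.7)"',
    'date=2026-05-22 time=11:45:00 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'dstip=203.0.113.9 action="accept"',
]


@dataclass
class ConfigExportEvent:
    when: str
    user: str
    src_ip: str
    msg: str
    on_watchlist: bool


def parse_fortios_line(line):
    """Turn one key=value syslog line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def source_ip(fields):
    """Prefer an explicit srcip; otherwise take the IP embedded in ui, e.g. ui="https(1.2.3.4)"."""
    ip = fields.get("srcip")
    if ip:
        return ip
    m = _IP.search(fields.get("ui", ""))
    return m.group(1) if m else ""


def _message_text(fields):
    # The GUI "Messages" filter spans several fields; join the ones that carry text.
    return " ".join(fields.get(k, "") for k in ("logdesc", "msg", "action")).lower()


def naive_config_filter(lines):
    """The broad filter the post suggests: every event whose message mentions 'config'."""
    return [f for f in map(parse_fortios_line, lines)
            if f.get("type") == "event" and "config" in _message_text(f)]


def find_config_exports(lines, watchlist=WATCHLIST):
    """Narrow the broad filter to export/backup events and flag known-bad source IPs."""
    events = []
    for f in naive_config_filter(lines):
        text = _message_text(f)
        if not any(v in text for v in EXPORT_VERBS):
            continue  # a config *change*, not an export
        ip = source_ip(f)
        events.append(ConfigExportEvent(
            when=f"{f.get('date', '')} {f.get('time', '')}",
            user=f.get("user", ""),
            src_ip=ip,
            msg=f.get("msg", ""),
            on_watchlist=ip in watchlist,
        ))
    return events


if __name__ == "__main__":
    for ev in find_config_exports(SAMPLE_LOGS):
        flag = "WATCHLIST" if ev.on_watchlist else "review"
        print(f"[{flag}] {ev.when} user={ev.user} src={ev.src_ip} msg={ev.msg!r}")
```

On the constructed sample, the broad filter returns three events (two exports and one interface edit, because "configured" contains "config"); the narrowed function keeps only the two exports and marks the one sourced from 193.8.186.7 as a watchlist hit. Treat a REST API account exporting the config from an address you do not recognise with the same suspicion as an admin login: the post notes both kinds of accounts were used.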

