FortiBleed When the Firewall Becomes the Front Door

By Darkentry Team

Last updated Jul 03, 2026 - 16 min read

A large-scale exposure of Fortinet/FortiGate credentials has put tens of thousands of perimeter devices at risk. Here is what happened, why it matters, and how security teams should respond.

Executive Summary

Security researchers have disclosed a sweeping credential-harvesting campaign, tracked under the name “FortiBleed,” that has compromised valid login credentials for tens of thousands of internet-facing Fortinet firewalls and SSL VPN portals worldwide. The exposed accounts span enterprises, financial institutions, and government bodies across 190+ countries. Because these are working credentials to perimeter security appliances, the exposure provides attackers with a direct, authenticated path into corporate networks that bypasses many traditional defenses. This briefing explains how the credentials were likely obtained, why firewall and VPN credential leaks are uniquely dangerous, how threat actors operationalize them, and the concrete steps organizations should take now.

What Is FortiBleed?

“FortiBleed” is the name assigned by threat intelligence analysts to a body of exposed credential data tied specifically to Fortinet perimeter devices, primarily FortiGate firewalls and their associated SSL VPN web portals. Reporting indicates the dataset contains more than 70,000 distinct firewall login URLs, with affected hosts identified across 190+ countries.

It is important to frame this accurately. FortiBleed is not, at its core, a single zero-day exploit firing across the internet. It is a credential-exposure event: a large collection of valid usernames and passwords mapped to the management and VPN login pages of Fortinet appliances. The danger lies not in a novel vulnerability but in the fact that the keys to the perimeter are already in circulation. For a defender, that distinction matters, because patching alone does not close an exposure built on legitimate credentials.

The affected hosts share a recognizable fingerprint: bare IP addresses or hostnames serving a login page over HTTPS, frequently on non-standard management ports. These are exactly the externally reachable interfaces that organizations expose to enable remote administration and remote-access VPN, and exactly the interfaces an attacker most wants to reach.


Scope and Impact of the Exposure

The breadth of the exposure is what elevates FortiBleed from a routine credential leak to a systemic concern. Several characteristics stand out:

  • Scale: Tens of thousands of unique firewall login endpoints are represented, indicating the harvesting was broad and opportunistic rather than narrowly targeted.

  • Global distribution: Affected devices appear across nearly every region, including high-value organizations in finance, energy, telecommunications, and government services.

  • Sector sensitivity: Many of the impacted entities operate critical infrastructure or hold regulated data, raising the stakes of any successful intrusion well beyond a single compromised host.

  • Persistent exposure: A significant proportion of affected devices remained internet-accessible after the credentials were harvested, meaning the window for abuse stayed open long after the initial compromise.

In practical terms, every entry in a dataset like this represents a potential pre-authentication foothold. An attacker does not need to develop an exploit or evade a vulnerability scanner; they need only to log in. That economy of effort is precisely what makes valid-account exposure so attractive to intrusion operators and initial access brokers alike.


How Attackers Likely Harvested the Credentials

Saved browser credentials — username, password, and the URL they belong to — are exactly what infostealer malware ships back to its operator.


No single mechanism explains an exposure of this size. Based on the patterns researchers have described and on well-established tradecraft, the credentials were almost certainly aggregated from several overlapping sources:

Information-stealer malware

The dominant source of large modern credential datasets is infostealer malware. When a stealer infects an employee, contractor, or administrator workstation, it harvests credentials saved in browsers, VPN clients, and password stores. Critically, it also records the URL each credential was saved against. When an administrator has saved a FortiGate login in their browser, the resulting stealer log contains the firewall’s address, the username, and the password as a neatly packaged triple. Aggregated across many infections, these logs produce exactly the kind of URL-to-credential mapping observed in FortiBleed.

Historical vulnerability exploitation

Fortinet appliances have been the subject of multiple high-impact vulnerabilities over the past several years, including flaws that allowed credential or configuration disclosure. Credentials extracted during earlier exploitation waves can persist in attacker hands for years, especially where passwords were never rotated after patching. Some entries in a dataset of this kind may trace back to those earlier campaigns.

Configuration and secret exposure

Leaked or misconfigured device backups, exposed configuration files, and reused administrative passwords all contribute to the pool. Once a configuration file leaks, it can reveal not only credentials but also network topology, VPN settings, and trust relationships that make subsequent abuse far easier.

The common thread is that none of these vectors requires breaching the firewall at the moment of attack. The credential was captured elsewhere, often on an endpoint the security team never associated with the perimeter device, and then resold, traded, or published on underground sources.

Why Compromised Firewall Credentials Are Critical


Firewalls and VPN concentrators occupy a uniquely sensitive position. They sit at the network boundary, they are deliberately exposed to the internet, and they are trusted to enforce the very controls that separate “outside” from “inside.” A valid credential to one of these devices undermines that trust at its foundation.

  • They bypass perimeter defenses by design. An authenticated VPN login is expected, legitimate traffic. It does not trip intrusion-detection signatures the way an exploit would, and it often originates from infrastructure designed to look ordinary.

  • They grant network-level access. Unlike a single compromised SaaS account, a firewall or VPN login frequently places the attacker directly onto the internal network, behind the perimeter, with routable access to internal systems.

  • They enable persistence. Administrative access to the appliance itself lets an attacker create rogue accounts, alter firewall rules, disable logging, or establish covert tunnels that survive password resets elsewhere.

  • They are hard to detect. Because the activity is authenticated and the device is trusted, abuse can blend into normal administrative and remote-work patterns for extended periods.

This is why initial access brokers prize perimeter-device credentials so highly. A working firewall login is among the most direct routes to a full enterprise compromise, and it commands a premium on underground markets precisely because of how much downstream access it unlocks.

How Threat Actors Weaponize Exposed Credentials

Exposed perimeter credentials rarely sit idle. They feed a well-defined operational workflow that intrusion operators repeat across victims:

1.   Validation. Operators test harvested credentials at scale to confirm which logins still work, discarding stale entries and prioritizing live access.

2.   Initial access. Using a valid VPN or firewall login, the attacker authenticates directly into the environment, with no exploit, no malware delivery, and no phishing required at this stage.

3.   Reconnaissance and privilege escalation. Once inside, the attacker maps internal systems, identifies domain controllers and high-value hosts, and seeks paths to elevate privileges, often abusing additional weak or reused credentials discovered internally.

4.   Lateral movement. Leveraging native tools and stolen credentials, the attacker moves between hosts, expanding control while minimizing the use of obvious malware.

5.   Objective execution. The endgame varies: data theft and extortion, deployment of ransomware across the estate, or quiet long-term espionage. In ransomware cases, perimeter access dramatically shortens the time from intrusion to encryption.

Frequently, the operator who harvests or buys the credential is not the one who executes the final objective. Initial access brokers specialize in obtaining and validating footholds, then selling them to ransomware affiliates or other actors. This division of labor means a single exposed firewall credential can change hands several times, each transaction increasing the likelihood that it is eventually used against the organization.

Indicators Organizations Should Monitor

Detecting abuse of exposed perimeter credentials requires looking at the right signals. Security teams should watch for:

  • VPN or firewall administrative logins from unfamiliar geolocations, hosting providers, or anonymizing infrastructure.

  • Successful authentications to perimeter devices outside of normal administrative hours or from accounts that rarely log in remotely.

  • Creation of new local accounts, unexpected changes to firewall rules, or modifications to logging and VPN configuration on perimeter appliances.

  • Impossible-travel patterns or concurrent sessions for the same VPN account from disparate locations.

  • Appearances of corporate domains, device hostnames, or administrator usernames in infostealer logs and underground credential dumps.

The last point is decisive. By the time anomalous logins appear in firewall telemetry, the attacker may already be inside. Identifying the exposed credential before it is used, while it is still circulating in a stealer log or on an underground forum, is the difference between prevention and incident response.
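The first four indicators above expressed as detection logic over constructed FortiOS-style log lines. This is an added example, not DarkEntry's or Fortinet's code; the log field names, the trusted admin source addresses and the working-hours window are assumptions to verify against your own devices.

```python
"""Detections for the perimeter-credential abuse indicators listed above.
Added example, not DarkEntry's or Fortinet's code. Log lines are constructed in FortiOS
key=value event-log style; field names, trusted admin sources and working hours are
assumptions to verify against your own devices' log reference."""
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
TRUSTED_ADMIN_SRC = {"198.51.100.20", "198.51.100.21"}   # assumed bastion addresses
ADMIN_HOURS = range(7, 20)                               # 07:00-19:59, device clock
SESSION_WINDOW = timedelta(minutes=10)
SENSITIVE_CFG = ("system.admin", "log.", "vpn.ssl", "firewall.policy")

def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def _when(ev: dict) -> datetime:
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")

def detect(lines: list) -> list:
    """Return (rule, detail) alerts; each rule maps to one indicator in the text."""
    alerts, vpn_seen = [], {}              # vpn_seen: user -> [(timestamp, remote ip)]
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "event":
            continue
        sub, action = ev.get("subtype"), ev.get("action")
        # 1. Successful admin login from an untrusted source, or outside admin hours
        if sub == "system" and action == "login" and ev.get("status") == "success":
            src = ev.get("srcip", "")
            if src not in TRUSTED_ADMIN_SRC:
                alerts.append(("admin-login-untrusted-src", f"{ev.get('user')} from {src}"))
            elif _when(ev).hour not in ADMIN_HOURS:
                alerts.append(("admin-login-off-hours", f"{ev.get('user')} at {ev['time']}"))
        # 2. Same VPN account brought up from two remote IPs inside the window
        elif sub == "vpn" and action == "tunnel-up":
            user, ip, now = ev.get("user"), ev.get("remip"), _when(ev)
            recent = [(t, i) for t, i in vpn_seen.get(user, []) if now - t <= SESSION_WINDOW]
            other = next((i for _, i in recent if i != ip), None)
            if other:
                alerts.append(("vpn-concurrent-sessions", f"{user} from {ip} and {other}"))
            vpn_seen[user] = recent + [(now, ip)]
        # 3. Configuration changes touching admin accounts, logging, SSL VPN or policy
        elif sub == "system" and ev.get("cfgpath", "").startswith(SENSITIVE_CFG):
            detail = f"{ev.get('user')} {action} {ev['cfgpath']} {ev.get('cfgobj', '')}".strip()
            alerts.append(("sensitive-config-change", detail))
    return alerts

# Constructed sample: one normal admin login, then the pattern an exposed credential produces.
SAMPLE_LOGS = [
    'date=2024-05-06 time=09:12:03 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.20)" srcip=198.51.100.20 action="login" status="success"',
    'date=2024-05-06 time=03:41:57 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="success"',
    'date=2024-05-06 time=03:43:10 devname="fw-edge-1" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="gui(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="support2" msg="Add system.admin support2"',
    'date=2024-05-06 time=08:00:02 devname="fw-edge-1" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="j.doe" remip=192.0.2.15 tunnelip=10.212.134.200',
    'date=2024-05-06 time=08:04:40 devname="fw-edge-1" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="j.doe" remip=203.0.113.77 tunnelip=10.212.134.201',
]
```

Run against the sample, the first line is clean and the next four yield an untrusted admin login, a rogue-account creation, and a concurrent VPN session for j.doe from two addresses.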

Recommended Mitigations

Closing a credential-based exposure requires more than patching. The following actions, prioritized for impact, address both the immediate risk and the conditions that allowed it:

  • Rotate all perimeter credentials now. Treat every administrative and VPN account on internet-facing Fortinet devices as potentially exposed. Reset passwords and invalidate active sessions — including service and break-glass accounts.

  • Enforce multi-factor authentication everywhere. MFA on VPN and administrative access is the single most effective control against valid-account abuse. A harvested password is far less useful when a second factor stands between it and access.

  • Restrict management exposure. Administrative interfaces should not be reachable from the open internet. Limit access to trusted source addresses, place management behind a bastion or out-of-band network, and disable unused remote-access features.

  • Patch and verify firmware. Apply current Fortinet firmware and confirm that historical vulnerabilities are fully remediated. This means not merely patched, but followed by credential rotation, since patching does not expel an attacker who already holds valid logins.

  • Audit device configuration. Review firewall rules, local accounts, administrative profiles, and VPN settings for unauthorized changes. Look specifically for rogue accounts and altered logging.

  • Harden the endpoint estate. Because infostealers are a primary source of these credentials, strengthen endpoint protection, restrict credential storage in browsers for privileged users, and treat any stealer infection on an administrator’s machine as a potential perimeter compromise.

  • Strengthen monitoring and logging. Ensure perimeter devices forward authentication and configuration-change logs to a monitored SIEM, and build detections for the indicators listed above.

  • Establish continuous exposure monitoring. Proactively track whether corporate credentials, domains, and device identifiers surface in underground sources, so exposed logins can be rotated before they are weaponized.
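One way to check a configuration export against the MFA, management-exposure and configuration-audit items above, as an added example that is not DarkEntry's or Fortinet's code. The config text is constructed, and the section and attribute names it inspects (system admin trusthostN and two-factor, system interface allowaccess and role, user local two-factor) are assumptions to verify against the FortiOS CLI reference for your firmware.

```python
"""Audit a FortiOS configuration export against the mitigations listed above.
Added example, not DarkEntry's or Fortinet's code. The config text is constructed; the
section and attribute names it inspects are assumptions to verify against your firmware."""
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}   # admin access over these on a WAN port

def parse_fortios_config(text: str) -> dict:
    """Build {section: {object: {attribute: [values]}}} from config/edit/set/next/end."""
    sections, stack = {}, []                         # stack frames: [section_path, object]
    for raw in text.splitlines():
        cmd, *args = raw.split() or [""]
        if cmd == "config":
            path = "/".join(filter(None, [stack[-1][0] if stack else "", " ".join(args)]))
            stack.append([path, ""])
            sections.setdefault(path, {})
        elif not stack:
            continue                                 # text outside any config block
        elif cmd == "edit":
            stack[-1][1] = " ".join(args).strip('"')
            sections[stack[-1][0]].setdefault(stack[-1][1], {})
        elif cmd == "set" and args:
            path, obj = stack[-1]
            sections[path].setdefault(obj, {})[args[0]] = [a.strip('"') for a in args[1:]]
        elif cmd == "next":
            stack[-1][1] = ""
        elif cmd == "end":
            stack.pop()
    return sections

def _objects(cfg: dict, section: str) -> list:
    # Named objects only; top-level 'set' lines of a section live under the empty name.
    return [(n, a) for n, a in cfg.get(section, {}).items() if n]

def audit(cfg: dict) -> list:
    """Findings for management exposure and missing MFA on admins and local VPN users."""
    findings = []
    for name, attrs in _objects(cfg, "system admin"):
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}': no trusthost, so it is reachable from any source")
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin '{name}': two-factor disabled")
    for name, attrs in _objects(cfg, "system interface"):
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(f"interface '{name}': management ({', '.join(sorted(exposed))}) on a WAN role")
    for name, attrs in _objects(cfg, "user local"):
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"vpn user '{name}': two-factor disabled")
    return findings

# Constructed config: an exposed admin, a hardened admin, a WAN port with GUI and SSH open.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 198.51.100.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTK-SERIAL-PLACEHOLDER"
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config user local
    edit "j.doe"
    next
end
"""
```

The hardened "netops" admin and the LAN-facing "internal" interface produce no findings; "admin", "wan1" and "j.doe" each do.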

Why Continuous Dark Web Monitoring Matters

FortiBleed underscores a shift in how enterprises are breached. The decisive event is increasingly not an exploit fired at the perimeter but a credential quietly harvested from an endpoint and circulated through underground channels weeks or months before it is used. Defenses focused solely on the moment of attack miss this earlier, more actionable window.

Continuous monitoring of underground sources, stealer-log marketplaces, and credential-trading channels gives security teams visibility into that window. When an organization learns that its firewall login appears in a fresh dataset, it can rotate the credential, force re-authentication, and harden the device before an attacker validates and uses it. This reframes exposure from an after-the-fact discovery into an early-warning signal.
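Covering both the URL-username-password triple described under "Information-stealer malware" above and the continuous exposure monitoring recommended here, this added example (not DarkEntry's code) parses a constructed stealer password export and flags entries that belong to an assumed corporate domain and perimeter inventory, or that point at the FortiGate SSL VPN portal path. The field aliases, domain and inventory are assumptions for the demo.

```python
"""Triage a stealer-log password export for an organization's perimeter logins.

Added example, not DarkEntry's code. The log text is constructed in the "Key: value"
layout common to stealer password exports; the field aliases, the org domain and the
perimeter host inventory are assumptions for the demo.
"""
from collections import namedtuple
from urllib.parse import urlsplit

FIELD_ALIASES = {                       # assumed export field names -> canonical name
    "url": "url", "host": "url",
    "username": "user", "user": "user", "login": "user",
    "password": "password", "pass": "password",
}
VPN_PORTAL_PATHS = ("/remote/login",)   # FortiGate SSL VPN web portal path
# Only the password length is kept; the secret itself is never carried forward.
Exposure = namedtuple("Exposure", "host port user reason password_len")

def parse_stealer_log(text: str) -> list:
    """Split a blank-line separated 'Key: value' export into credential records."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        field = FIELD_ALIASES.get(key.strip().lower())
        if sep and field:
            current[field] = value.strip()
    if current:
        records.append(current)
    return records

def find_exposures(text: str, org_domain: str, perimeter_hosts: set) -> list:
    """Flag records whose saved URL points at a corporate host or at a VPN portal path."""
    hits = []
    for rec in parse_stealer_log(text):
        url = rec.get("url", "")
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        reasons = []
        if host in perimeter_hosts or host == org_domain or host.endswith("." + org_domain):
            reasons.append("corporate-host")
        if parts.path.rstrip("/").lower() in VPN_PORTAL_PATHS:
            reasons.append("vpn-portal-path")   # a FortiGate portal even if the host is unknown
        if reasons:
            hits.append(Exposure(host, parts.port, rec.get("user", "?"),
                                 "+".join(reasons), len(rec.get("password", ""))))
    return hits

# Constructed sample: three corporate-looking entries and one unrelated consumer login.
SAMPLE_LOG = """\
URL: https://203.0.113.10:10443/remote/login
Username: j.doe
Password: Fake-Sample-Pass-1

URL: https://accounts.example-mail.test/signin
Username: j.doe@example-mail.test
Password: Fake-Sample-Pass-2

Host: https://vpn.example.com/remote/login
User: svc-backup
Pass: Fake-Sample-Pass-3

URL: https://198.51.100.7/
Username: admin
Password: Fake-Sample-Pass-4
"""
```

An entry hitting the portal path on a host missing from the inventory is still reported, since it may be an unmanaged device the security team has never catalogued.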

This is the role DarkEntry is built to fill. By tracking credential exposure and dark web activity tied to an organization’s domains, infrastructure, and people, DarkEntry helps security teams identify compromised perimeter and VPN credentials early, turning leaked data into a defensive advantage rather than the opening move of an intrusion.

Key Takeaways

  • FortiBleed is a large-scale exposure of valid Fortinet firewall and SSL VPN credentials affecting tens of thousands of devices worldwide.

  • The core risk is valid-account abuse: working credentials let attackers authenticate straight past perimeter defenses.

  • Infostealer malware, historical vulnerability exploitation, and configuration leaks are the most likely sources of the exposed credentials.

  • Perimeter-device credentials are sought after by initial access brokers because they unlock direct, network-level access and enable persistence.

  • Patching alone is insufficient. Credentials must be rotated, MFA enforced, and management exposure reduced.

  • Continuous dark web and credential-exposure monitoring provides the early warning needed to act before exposed logins are weaponized.

Regional Exposure: Affected Organizations Across the Arab World

While FortiBleed is global in reach, the exposure carries particular weight across the Arab region, where a concentrated set of high-value organizations appears in the dataset. DarkEntry has identified 115 affected domains spanning seven countries: the United Arab Emirates, Qatar, Egypt, Kuwait, Saudi Arabia, Oman, and Libya. The affected entities are not limited to a single industry. They include telecommunications carriers, banks and investment firms, government ministries, law enforcement bodies, healthcare providers, energy and construction companies, education institutions, and hospitality operators.

The concentration of government and critical-infrastructure domains in this regional subset is notable. A working credential to a perimeter device operated by a ministry, a police authority, or a national telecom carrier offers an attacker a direct foothold into networks that hold sensitive citizen data and underpin essential services. Each affected organization should treat its Fortinet management and VPN credentials as exposed, rotate them immediately, and review perimeter devices for unauthorized access.

Domains affected by Country

Country                 Affected Domains
United Arab Emirates    49
Qatar                   22
Egypt                   19
Kuwait                  14
Saudi Arabia             6
Oman                     3
Libya                    2
Total                  115

Conclusion

FortiBleed is a clear reminder that the perimeter remains a high-value target, and the appliances meant to protect the network can become the most efficient way into it. The threat does not stem from a single flaw but from the steady accumulation and trade of valid credentials — credentials that bypass the very controls organizations rely on. The organizations that fare best will be those that rotate aggressively, enforce strong authentication, minimize exposed management surfaces, and maintain continuous visibility into where their credentials end up. In an environment where a working login is worth more than an exploit, knowing what attackers already hold is no longer optional.
