test kareem 3

By Darkentry Team

Last updated Jul 02, 2026 - 16 min read

THREAT INTELLIGENCE BRIEFING

FortiBleed: When the Firewall Becomes the Front Door

A large-scale exposure of Fortinet/FortiGate credentials has put tens of thousands of perimeter devices at risk. Here is what happened, why it matters, and how security teams should respond.

Executive Summary

Security researchers have disclosed a sweeping credential-harvesting campaign, tracked under the name “FortiBleed,” that has compromised valid login credentials for tens of thousands of internet-facing Fortinet firewalls and SSL VPN portals worldwide. The exposed accounts span enterprises, financial institutions, and government bodies across nearly 200 countries. Because these are working credentials to perimeter security appliances, the exposure provides attackers with a clean, authenticated path into corporate networks that bypasses many traditional defenses. This briefing explains how the credentials were likely obtained, why firewall and VPN credential leaks are uniquely dangerous, how threat actors operationalize them, and the concrete steps organizations should take now.


What Is FortiBleed?

“FortiBleed” is the name assigned by threat intelligence analysts to a body of exposed credential data tied specifically to Fortinet perimeter devices, primarily FortiGate firewalls and their associated SSL VPN web portals. Reporting indicates the dataset references on the order of 70,000 or more distinct firewall login URLs, with affected hosts identified across 190+ countries.

It is important to frame this accurately. FortiBleed is not, at its core, a single zero-day exploit detonating across the internet. It is a credential-exposure event: a large collection of valid usernames and passwords mapped to the management and VPN login pages of Fortinet appliances. The danger lies not in a novel vulnerability but in the fact that the keys to the perimeter are already in circulation. For a defender, that distinction matters, because patching alone does not close an exposure built on legitimate credentials.

The affected hosts share a recognizable fingerprint: bare IP addresses or hostnames serving a login page over HTTPS, frequently on non-standard management ports. These are exactly the externally reachable interfaces that organizations expose to enable remote administration and remote-access VPN, and exactly the interfaces an attacker most wants to reach.


Scope and Impact of the Exposure

The breadth of the exposure is what elevates FortiBleed from a routine credential leak to a systemic concern. Several characteristics stand out:

• Scale: Tens of thousands of unique firewall login endpoints are represented, indicating the harvesting was broad and opportunistic rather than narrowly targeted.

• Global distribution: Affected devices appear across nearly every region, including high-value organizations in finance, energy, telecommunications, and government services.

• Sector sensitivity: Many of the impacted entities operate critical infrastructure or hold regulated data, raising the stakes of any successful intrusion well beyond a single compromised host.

• Persistent exposure: A significant proportion of affected devices remained internet-accessible after the credentials were harvested, meaning the window for abuse stayed open long after the initial compromise.

In practical terms, every entry in a dataset like this represents a potential pre-authenticated foothold. An attacker does not need to develop an exploit or evade a vulnerability scanner; they need only to log in. That economy of effort is precisely what makes valid-account exposure so attractive to intrusion operators and initial access brokers alike.

How Attackers Likely Harvested the Credentials

No single mechanism explains an exposure of this size. Based on the patterns researchers have described and on well-established tradecraft, the credentials were almost certainly aggregated from several overlapping sources:

Information-stealer malware

The dominant source of large modern credential datasets is infostealer malware. When a stealer infects an employee, contractor, or administrator workstation, it harvests credentials saved in browsers, VPN clients, and password stores, and critically, it records the URL each credential was saved against. When an administrator has saved a FortiGate login in their browser, the resulting stealer log contains the firewall’s address, the username, and the password as a neatly packaged triple. Aggregated across many infections, these logs produce exactly the kind of URL-to-credential mapping observed in FortiBleed.
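The URL-to-credential mapping that stealer logs produce is also what lets a defender triage an exposure dataset quickly. As an added example (not code from the briefing, Darkentry, or Fortinet), the Python below parses a constructed stealer-log-style feed, matches each record against an organisation's own perimeter login endpoints to produce the list of accounts that need rotation, and flags any username/password pair seen on more than one host, keeping only a truncated hash of each password rather than the secret itself. The record layout, hosts, and inventory are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in a "URL|USER|PASS" layout; real stealer-log layouts vary.
SAMPLE_RECORDS = """\
https://203.0.113.10:8443/login|admin|Summer2024!
https://vpn.example.com:10443/remote/login|jdoe|hunter2
https://203.0.113.10:8443/login|admin|Summer2024!
https://mail.example.com/owa|jdoe|hunter2
http://198.51.100.7/login|fwadmin|changeme
"""

# Constructed inventory of the organisation's own externally reachable portals.
OWN_ENDPOINTS = {"203.0.113.10:8443", "vpn.example.com:10443"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def endpoint_key(url: str) -> str:
    """Normalise a saved-credential URL to 'host:port' so that
    'https://H/login' and 'https://h:443/' compare equal."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower(), 0)
    return f"{host}:{port}"

def fingerprint(secret: str) -> str:
    """Truncated SHA-256 of the password: enough to detect reuse across
    hosts, never the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def triage(records: str, inventory: set):
    """Return (to_rotate, reused): to_rotate maps each of our endpoints to
    the usernames exposed against it; reused maps a (user, fingerprint)
    pair to every endpoint it appeared on when that is more than one."""
    to_rotate = defaultdict(set)
    seen = defaultdict(set)
    for line in records.splitlines():
        if not line.strip():
            continue
        url, user, secret = line.split("|", 2)
        key = endpoint_key(url)
        if key in inventory:
            to_rotate[key].add(user)
        seen[(user, fingerprint(secret))].add(key)
    reused = {pair: eps for pair, eps in seen.items() if len(eps) > 1}
    return dict(to_rotate), reused
```

A reuse hit means rotating the password on the firewall alone is not enough; the same credential must be changed on every host it was saved against.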

Historical vulnerability exploitation

Fortinet appliances have been the subject of multiple high-impact vulnerabilities over the past several years, including flaws that allowed credential or configuration disclosure. Credentials extracted during earlier exploitation waves can persist in attacker hands for years, especially where passwords were never rotated after patching. Some entries in a dataset of this kind may trace back to those earlier campaigns.


Configuration and secret exposure

Leaked or misconfigured device backups, exposed configuration files, and reused administrative passwords all contribute to the pool. Once a configuration file leaks, it can reveal not only credentials but also netwo
