xmark.svg
email

Request Free Demo

Ready to get started? We're here to help. Fill-in your corporate info and we will contact you ASAP.

img-form.svg
xmark.svg
email

Contact Partner

Ready to get started? We're here to help. Fill-in your corporate info and we will contact you ASAP.

img-form.svg
email

Email Was Sent

We've sent you an email to the required partner.

xmark.svg

Compromised!

Our records shows leaked corporate credentials due to a data breach!


No worries, we are here to Help. Request a demo below using your business Email and we will help you identify & track the breach.

img-form.svg
xmark.svg

Compromised!

Our records shows leaked corporate credentials due to a data breach!


No worries, we are here to Help. Request a demo below using your business Email and we will help you identify & track the breach.

Our records shows that your email is compromised as part of a infostealer infection!


Infostealers are malicious programs that can steal sensitive information, including emails, passwords, credit-cards and other personal data, from infected devices.


We recommend to follow these steps asap:

  • Change your passwords immediately.

  • Enable two-factor authentication (2FA) wherever possible.

  • Review recent activity on your email for unusual logins or transactions.

  • Scan your Device for malware, using a reputable antivirus to remove any threats.

  • Ensure your operating system and software are updated to the latest versions.

  • Make sure that no cracked software is installed on your computer.

img-form.svg
xmark.svg

Not Found!

No exposed breaches related to your company, Yet!


Our comprehensive feeds are updated twice a day, which means every day is a possibility of capturing data related to your organization. We recommend to request a demo for detailed explanation of our services and how we can help you prevent data breaches in advance.

Good News - No Leaks!

Your email address has not been found in infostealer malware logs or compromised combo lists.

img-form.svg

Your information appears to be safe. Keep maintaining good security practices to protect your accounts!


Follow us:

xmark.svg

Searching in:

  • Infostealer Logs

  • Credential Stuffing Feeds

  • Combo-Lists (ULP)

  • Phishing Campaigns Logs

email
xmark.svg

Invitation only

We are based on invitation only. Please Request a Demo to be able to Signup/Login.

email
xmark.svg

Thank you for subscribing!

We will email you for any updates, blog posts, new research and what not!





test kareem 3

By Darkentry Team

Last updated Jul 02, 2026 - 16 Minutes Read

THREAT INTELLIGENCE BRIEFING

FortiBleed: When the Firewall Becomes the Front Door

A large-scale exposure of Fortinet/FortiGate credentials has put tens of thousands of perimeter devices at risk. Here is what happened, why it matters, and how security teams should respond.

Executive Summary

Security researchers have disclosed a sweeping credential-harvesting campaign, tracked under the name “FortiBleed,” that has compromised valid login credentials for tens of thousands of internet-facing Fortinet firewalls and SSL VPN portals worldwide. The exposed accounts span enterprises, financial institutions, and government bodies across nearly 200 countries. Because these are working credentials to perimeter security appliances, the exposure provides attackers with a clean, authenticated path into corporate networks that bypasses many traditional defenses. This briefing explains how the credentials were likely obtained, why firewall and VPN credential leaks are uniquely dangerous, how threat actors operationalize them, and the concrete steps organizations should take now.

 

What Is FortiBleed?

“FortiBleed” is the name assigned by threat intelligence analysts to a body of exposed credential data tied specifically to Fortinet perimeter devices, primarily FortiGate firewalls and their associated SSL VPN web portals. Reporting indicates the dataset references on the order of 70,000 or more distinct firewall login URLs, with affected hosts identified across 190+ countries.

It is important to frame this accurately. FortiBleed is not, at its core, a single zero-day exploit detonating across the internet. It is a credential-exposure event: a large collection of valid usernames and passwords mapped to the management and VPN login pages of Fortinet appliances. The danger lies not in a novel vulnerability but in the fact that the keys to the perimeter are already in circulation. For a defender, that distinction matters, because patching alone does not close an exposure built on legitimate credentials.

The affected hosts share a recognizable fingerprint: bare IP addresses or hostnames serving a login page over HTTPS, frequently on non-standard management ports. These are exactly the externally reachable interfaces that organizations expose to enable remote administration and remote-access VPN, and exactly the interfaces an attacker most wants to reach.

 

Scope and Impact of the Exposure

The breadth of the exposure is what elevates FortiBleed from a routine credential leak to a systemic concern. Several characteristics stand out:

•      Scale: Tens of thousands of unique firewall login endpoints are represented, indicating the harvesting was broad and opportunistic rather than narrowly targeted.

•      Global distribution: Affected devices appear across nearly every region, including high-value organizations in finance, energy, telecommunications, and government services.

•      Sector sensitivity: Many of the impacted entities operate critical infrastructure or hold regulated data, raising the stakes of any successful intrusion well beyond a single compromised host.

•      Persistent exposure: A significant proportion of affected devices remained internet-accessible after the credentials were harvested, meaning the window for abuse stayed open long after the initial compromise.

In practical terms, every entry in a dataset like this represents a potential pre-authenticated foothold. An attacker does not need to develop an exploit or evade a vulnerability scanner; they need only to log in. That economy of effort is precisely what makes valid-account exposure so attractive to intrusion operators and initial access brokers alike.

How Attackers Likely Harvested the Credentials

No single mechanism explains an exposure of this size. Based on the patterns researchers have described and on well-established tradecraft, the credentials were almost certainly aggregated from several overlapping sources:

Information-stealer malware

The dominant source of large modern credential datasets is infostealer malware. When a stealer infects an employee, contractor, or administrator workstation, it harvests credentials saved in browsers, VPN clients, and password stores, and critically, it records the URL each credential was saved against. When an administrator has saved a FortiGate login in their browser, the resulting stealer log contains the firewall’s address, the username, and the password as a neatly packaged triple. Aggregated across many infections, these logs produce exactly the kind of URL-to-credential mapping observed in FortiBleed.

Historical vulnerability exploitation

Fortinet appliances have been the subject of multiple high-impact vulnerabilities over the past several years, including flaws that allowed credential or configuration disclosure. Credentials extracted during earlier exploitation waves can persist in attacker hands for years, especially where passwords were never rotated after patching. Some entries in a dataset of this kind may trace back to those earlier campaigns.

 

 

 

Configuration and secret exposure

Leaked or misconfigured device backups, exposed configuration files, and reused administrative passwords all contribute to the pool. Once a configuration file leaks, it can reveal not only credentials but also netwo

Ready to get started? we're here to help! Request a demo below: