
test kareem 3

By Darkentry Team

Last updated Jul 02, 2026 - 16 minute read

THREAT INTELLIGENCE BRIEFING

FortiBleed: When the Firewall Becomes the Front Door

A large-scale exposure of Fortinet/FortiGate credentials has put tens of thousands of perimeter devices at risk. Here is what happened, why it matters, and how security teams should respond.

Executive Summary

Security researchers have disclosed a sweeping credential-harvesting campaign, tracked under the name “FortiBleed,” that has compromised valid login credentials for tens of thousands of internet-facing Fortinet firewalls and SSL VPN portals worldwide. The exposed accounts span enterprises, financial institutions, and government bodies across nearly 200 countries. Because these are working credentials to perimeter security appliances, the exposure provides attackers with a clean, authenticated path into corporate networks that bypasses many traditional defenses. This briefing explains how the credentials were likely obtained, why firewall and VPN credential leaks are uniquely dangerous, how threat actors operationalize them, and the concrete steps organizations should take now.


What Is FortiBleed?

“FortiBleed” is the name assigned by threat intelligence analysts to a body of exposed credential data tied specifically to Fortinet perimeter devices, primarily FortiGate firewalls and their associated SSL VPN web portals. Reporting indicates the dataset references on the order of 70,000 or more distinct firewall login URLs, with affected hosts identified across 190+ countries.

It is important to frame this accurately. FortiBleed is not, at its core, a single zero-day exploit detonating across the internet. It is a credential-exposure event: a large collection of valid usernames and passwords mapped to the management and VPN login pages of Fortinet appliances. The danger lies not in a novel vulnerability but in the fact that the keys to the perimeter are already in circulation. For a defender, that distinction matters, because patching alone does not close an exposure built on legitimate credentials.

The affected hosts share a recognizable fingerprint: bare IP addresses or hostnames serving a login page over HTTPS, frequently on non-standard management ports. These are exactly the externally reachable interfaces that organizations expose to enable remote administration and remote-access VPN, and exactly the interfaces an attacker most wants to reach.


Scope and Impact of the Exposure

The breadth of the exposure is what elevates FortiBleed from a routine credential leak to a systemic concern. Several characteristics stand out:

• Scale: Tens of thousands of unique firewall login endpoints are represented, indicating the harvesting was broad and opportunistic rather than narrowly targeted.

• Global distribution: Affected devices appear across nearly every region, including high-value organizations in finance, energy, telecommunications, and government services.

• Sector sensitivity: Many of the impacted entities operate critical infrastructure or hold regulated data, raising the stakes of any successful intrusion well beyond a single compromised host.

• Persistent exposure: A significant proportion of affected devices remained internet-accessible after the credentials were harvested, meaning the window for abuse stayed open long after the initial compromise.

In practical terms, every entry in a dataset like this represents a potential pre-authenticated foothold. An attacker does not need to develop an exploit or evade a vulnerability scanner; they need only to log in. That economy of effort is precisely what makes valid-account exposure so attractive to intrusion operators and initial access brokers alike.

How Attackers Likely Harvested the Credentials

No single mechanism explains an exposure of this size. Based on the patterns researchers have described and on well-established tradecraft, the credentials were almost certainly aggregated from several overlapping sources:

Information-stealer malware

The dominant source of large modern credential datasets is infostealer malware. When a stealer infects an employee, contractor, or administrator workstation, it harvests credentials saved in browsers, VPN clients, and password stores, and critically, it records the URL each credential was saved against. When an administrator has saved a FortiGate login in their browser, the resulting stealer log contains the firewall’s address, the username, and the password as a neatly packaged triple. Aggregated across many infections, these logs produce exactly the kind of URL-to-credential mapping observed in FortiBleed.
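As an added example (not Darkentry's tooling and not code from this briefing), the following Python triages stealer-log lines in the URL:login:password form described above against an organization's own inventory of perimeter hosts, so that accounts needing rotation can be listed without carrying the plaintext secret further. The asset list, the sample lines, the parsing regex and the `/remote/login` path are all constructed assumptions for illustration.

```python
"""Triage constructed stealer-log (URL:login:password) lines against our perimeter inventory."""
import re
from urllib.parse import urlsplit

# Constructed inventory of OUR firewall / SSL VPN portals as (hostname, port).
# In practice this comes from the CMDB or an external attack-surface inventory.
PERIMETER_ASSETS = {
    ("fw-edge.example.com", 10443),   # management portal on a non-standard port
    ("203.0.113.10", 443),            # bare-IP SSL VPN portal (RFC 5737 address)
    ("vpn.example.com", 443),
}

# Constructed sample log. Lines, hosts and secrets are invented; nothing is real.
SAMPLE_LOG = """\
https://fw-edge.example.com:10443/login:admin:Winter2023!
https://203.0.113.10/remote/login:jdoe:pa:ss:word
http://shop.example.net/account:jdoe:hunter2
https://vpn.example.com/remote/login?lang=en:svc_backup:B@ckup#1
not a valid line
"""

# A naive split(':') breaks on the scheme and port inside the URL, so the URL is
# matched explicitly: scheme, host, optional :port, colon-free path, then login,
# then everything else as the password (passwords may legitimately contain ':').
# Caveat: a login containing ':' is ambiguous in this format and will misparse.
ULP_RE = re.compile(
    r"^(?P<url>https?://[^:\s]+(?::\d+)?[^:\s]*):(?P<login>[^:]+):(?P<password>.+)$"
)

def parse_ulp_line(line):
    """Return (url, login, password) or None when the line is not in ULP form."""
    m = ULP_RE.match(line.strip())
    return (m.group("url"), m.group("login"), m.group("password")) if m else None

def host_port(url):
    """Normalise a URL to (hostname, port), defaulting the port from the scheme."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def mask(secret):
    """Keep only the first character so analysts never see or re-log the secret."""
    return secret[:1] + "*" * (len(secret) - 1)

def triage(log_text, assets):
    """Return ([hits on our assets], count of unparseable lines)."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_ulp_line(line)
        if parsed is None:
            skipped += 1
            continue
        url, login, password = parsed
        host, port = host_port(url)
        if (host, port) in assets:   # only credentials for OUR perimeter matter here
            hits.append({"host": host, "port": port, "path": urlsplit(url).path,
                         "login": login, "password_hint": mask(password)})
    return hits, skipped
```

Each hit is an account to rotate (and, for VPN users, a workstation to check for the stealer infection that produced the log line); the `shop.example.net` entry is ignored because it is not one of our assets.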

Historical vulnerability exploitation

Fortinet appliances have been the subject of multiple high-impact vulnerabilities over the past several years, including flaws that allowed credential or configuration disclosure. Credentials extracted during earlier exploitation waves can persist in attacker hands for years, especially where passwords were never rotated after patching. Some entries in a dataset of this kind may trace back to those earlier campaigns.


Configuration and secret exposure

Leaked or misconfigured device backups, exposed configuration files, and reused administrative passwords all contribute to the pool. Once a configuration file leaks, it can reveal not only credentials but also netwo
