Reported widespread credential exposure affecting Fortinet Firewalls and VPN Gateways

Prepared by: Brandon Sawyer, Vulnerability Analyst | Published: Mon 23 June 2026

Summary 

On 19 June 2026, Fortinet disclosed a widespread campaign is actively targeting Fortinet firewalls and SSL‑VPN gateways, leveraging exposed or previously compromised credentials to gain unauthorized access to devices and associated networks.  Current analysis indicates this is not a new vulnerability, but rather a large scale credential harvesting and reuse campaign exploiting poor credential hygiene and exposed management interfaces. This activity has been referred to as “FortiBleed”, Fortinet believes the activity involves threat actors reusing credentials from previous incidents (FG-IR-26-060, FG-IR-25-647), and employing brute force techniques against devices with weak passwords and no multi-factor authentication (MFA).         

On 22 June 2026, the Australian Cyber Security Centre (ACSC) issued similar guidance and has urged all Australian businesses that use affected Fortinet devices to act immediately and follow mitigation and detection advise detailed below.  

Impact

Mitigation actions

Organisations are recommended to proactively follow this approach to limit their potential risk or exposure.

Detection capabilities

MDR customers: Triskele Labs will continue tuning detections for behaviours consistent with the exploitation of Fortinet Firewalls and VPN Gateways across supported log sources.

References

• https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
• https://www.cyber.gov.au/about-us/view-all-content/Reported-widespread-credential-exposure-affecting-Fortinet-Firewalls-and-VPN-Gateways
• https://docs.fortinet.com/document/fortigate/7.6.0/best-practices/587898/getting-started
• https://www.fortiguard.com/psirt/FG-IR-26-060
• https://www.fortiguard.com/psirt/FG-IR-25-647