FortiBleed Credential Leak: What SMBs Using Fortinet Need to Do Right Now
CISA issued an urgent advisory after 74,000 Fortinet firewalls had VPN credentials cracked and leaked. Here is what happened and your action checklist.

If your business uses a Fortinet FortiGate firewall, assume your VPN and admin credentials are compromised until you can prove otherwise. On June 18, 2026, CISA issued an advisory urging immediate credential rotation after security researchers confirmed a massive leak affecting roughly 74,000 FortiGate devices across 194 countries. The leaked credentials are real, and attackers already have them.
This is not a theoretical risk. The passwords have been cracked, published, and verified as authentic. If you haven’t rotated your Fortinet passwords since this advisory dropped, someone else may already have access to your network.
What FortiBleed Is and Why It Matters
FortiBleed is the name researchers gave to a credential harvesting and cracking operation that targeted Fortinet FortiGate firewalls at industrial scale. According to BleepingComputer’s coverage, a Russian-speaking threat group conducted approximately 1.16 billion credential attempts against more than 320,000 internet-facing FortiGate devices. They then used a 45-GPU cluster to crack the SSL VPN authentication hashes they collected.
The result: working usernames and passwords for VPN and administrative access on approximately 74,000 Fortinet firewalls. That’s close to half of all internet-facing FortiGate devices worldwide. Arctic Wolf’s analysis confirmed the leaked credentials are authentic and span organizations from Fortune 500 companies down to small businesses with a single firewall.
Fortinet is one of the most widely deployed firewalls in SMB environments, which makes this directly relevant to businesses in the 50 to 500 employee range. If your IT provider set up a FortiGate for your office, this affects you.
The Root Cause: Weak Password Hashing
The reason the attackers could crack so many passwords so quickly comes down to how older versions of FortiOS stored admin credentials. Versions before 7.2.11, 7.4.8, and 7.6.1 hashed administrative passwords using SHA-256, a fast general-purpose hashing algorithm that was never designed for password storage. Modern password storage uses algorithms like PBKDF2 that are deliberately slow, making brute-force cracking computationally expensive.
SHA-256 hashes can be cracked at billions of attempts per second on modern GPUs. PBKDF2 with proper configuration reduces that speed by several orders of magnitude. The difference between the two is the difference between cracking a password in minutes versus years.
Here is the critical detail that catches organizations off guard: upgrading FortiOS alone does not fix passwords that were already stored as SHA-256 hashes. The device can only compute a PBKDF2 hash when it has the cleartext password, and it only has that at login time. Each administrator must therefore log in after the firmware upgrade for their password to be re-hashed and stored using PBKDF2. Until that happens, the old weak hash remains in place. If you upgraded your firmware but didn’t force a password rotation, your credentials may still be stored in the crackable format.
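The following is an added illustration, not FortiOS code and not part of the original article: a minimal credential store in Python that shows why a "rehash on next login" design leaves accounts that never log in on the legacy hash, and how to audit for them. The legacy scheme here is a constructed stand-in (one SHA-256 over salt and password), the PBKDF2 iteration count is an assumed modern work factor, and the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: a modern PBKDF2-HMAC-SHA256 work factor. Vendor defaults differ.
PBKDF2_ITERATIONS = 600_000


@dataclass
class Record:
    scheme: str          # "sha256" (legacy, fast) or "pbkdf2" (slow, intended for passwords)
    salt: bytes
    digest: bytes
    iterations: int = 0  # only meaningful for pbkdf2


def legacy_sha256(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a fast legacy hash: one SHA-256 over salt||password."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_legacy_record(password: str) -> Record:
    salt = os.urandom(16)
    return Record("sha256", salt, legacy_sha256(password, salt))


def make_pbkdf2_record(password: str) -> Record:
    salt = os.urandom(16)
    digest = pbkdf2_hash(password, salt, PBKDF2_ITERATIONS)
    return Record("pbkdf2", salt, digest, PBKDF2_ITERATIONS)


def verify(record: Record, password: str) -> bool:
    if record.scheme == "sha256":
        candidate = legacy_sha256(password, record.salt)
    else:
        candidate = pbkdf2_hash(password, record.salt, record.iterations)
    # Constant-time comparison so verification itself does not leak the digest.
    return hmac.compare_digest(candidate, record.digest)


def login(store: dict, username: str, password: str) -> bool:
    """Authenticate against the store. On success, upgrade a legacy record in place.

    The cleartext password is only available here, at login time, which is why an
    account that never logs in after the upgrade keeps its fast SHA-256 hash.
    """
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if record.scheme == "sha256":
        store[username] = make_pbkdf2_record(password)
    return True


def accounts_still_on_legacy_hash(store: dict) -> list[str]:
    """Audit helper: accounts whose stored hash is still the crackable legacy format."""
    return sorted(user for user, rec in store.items() if rec.scheme == "sha256")


def relative_work_factor(record: Record) -> int:
    """Rough number of HMAC/hash computations an attacker must perform per guess:
    1 for the legacy scheme, one per iteration for PBKDF2."""
    return 1 if record.scheme == "sha256" else record.iterations


if __name__ == "__main__":
    # Constructed sample accounts, as they would look right after a firmware upgrade.
    store = {
        "admin": make_legacy_record("Winter2026!"),
        "backup-svc": make_legacy_record("Svc-Pass-1"),
    }
    print("legacy before any login:", accounts_still_on_legacy_hash(store))
    login(store, "admin", "Winter2026!")
    print("legacy after admin logs in:", accounts_still_on_legacy_hash(store))
    print("work factor admin:", relative_work_factor(store["admin"]),
          "backup-svc:", relative_work_factor(store["backup-svc"]))
```

The point of `accounts_still_on_legacy_hash` is the one the article makes about rarely used admin and service accounts: after the upgrade, anything it still lists needs a forced login or a password reset, because nothing else will move it off the fast hash.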
What CISA Is Telling Organizations to Do
CISA’s June 18 advisory is direct: rotate all credentials, enable multi-factor authentication, and upgrade firmware. The advisory specifically calls out that the leaked credentials are confirmed valid and that affected organizations should treat this as an active compromise until they can verify otherwise.
SOCRadar’s threat intelligence and Help Net Security’s reporting both emphasize that this is not a targeted attack against specific industries or geographies. It’s a dragnet. The threat group harvested credentials from every FortiGate they could reach, regardless of who owned it. Small businesses with a single office firewall are in the same leaked dataset as multinational corporations.
Your Action Checklist
If your organization uses Fortinet equipment, work through this list with your IT provider this week. Not next month, not at your next quarterly review. This week.
1. Rotate all VPN and admin passwords immediately. Every account that authenticates against a FortiGate device needs a new password. That includes SSL VPN user accounts, local admin accounts, and any service accounts configured on the firewall. Use strong, unique passwords for each account. If you’re reusing passwords across systems, those other systems are now compromised too. We covered why credential reuse is one of the fastest paths to ransomware earlier this year.
2. Enable multi-factor authentication on all Fortinet management and VPN interfaces. MFA should have been enabled already, but if it wasn’t, this is non-negotiable going forward. A leaked password with MFA in place is significantly less useful to an attacker than a leaked password without it. Enable MFA on the admin console, SSL VPN portal, and any remote access interface. If your current Fortinet configuration doesn’t support your preferred MFA method, your IT provider can help identify options. Our guide on defending against MFA bypass attacks covers why MFA implementation details matter.
3. Upgrade FortiOS to a patched version. The minimum safe versions are 7.2.11, 7.4.8, or 7.6.1. These versions store passwords using PBKDF2 instead of SHA-256. Remember: upgrading the firmware is necessary but not sufficient. Every admin account must log in after the upgrade to trigger the password rehashing. If you have service accounts or rarely used admin accounts, those need attention too.
4. Review your firewall and VPN gateway logs. Look for login attempts from unfamiliar IP addresses, successful authentications at unusual times, and any configuration changes you didn’t authorize. If your organization doesn’t have centralized log monitoring, ask your IT provider whether they’re reviewing these logs on your behalf. Our SOC team monitors these log sources continuously for exactly this kind of activity.
5. Check whether your domain appears in the leak. Hudson Rock has published a lookup tool that lets organizations check whether their domain appears in the FortiBleed dataset. Run your domain through it. If you show up, treat it as confirmation that your credentials were exposed and prioritize the steps above.
6. Audit who has VPN access. While you’re rotating credentials, review who actually needs VPN access. Former employees, contractors whose projects ended, and test accounts that were never removed are all common findings. Every unnecessary account is an unnecessary attack surface.
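As an added example for step 4 (not code from the article, and not a FortiGate tool), here is a small Python triage script that runs the three checks the article names over firewall and VPN login records: successful logins from source addresses outside the ranges you expect, successful activity outside business hours, and any configuration change. The sample log lines are constructed in a generic key=value style and are not the FortiGate log schema; the field names, the known network range, and the business-hours window are all assumptions to adjust for your environment.

```python
import ipaddress
from datetime import datetime

# Constructed sample log lines (generic key=value style, NOT the FortiGate log format).
# Field names ts, event, user, srcip, result, detail are assumptions for this example.
SAMPLE_LOG = """\
ts=2026-06-19T09:12:41 event=vpn-login user=jsmith srcip=198.51.100.22 result=success
ts=2026-06-19T02:14:07 event=vpn-login user=jsmith srcip=203.0.113.45 result=success
ts=2026-06-19T02:15:30 event=admin-login user=admin srcip=203.0.113.45 result=success
ts=2026-06-19T02:16:02 event=config-change user=admin srcip=203.0.113.45 detail=new-admin-account
ts=2026-06-19T10:30:00 event=vpn-login user=mlee srcip=203.0.113.9 result=failure
ts=2026-06-21T11:00:00 event=vpn-login user=backup-svc srcip=198.51.100.22 result=success
""".splitlines()

# Assumption: the office and known-ISP ranges this organization expects logins from.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Assumption: 07:00 to 19:00 local time, Monday to Friday, counts as business hours.
BUSINESS_HOURS = (7, 19)


def parse_line(line):
    """Split a key=value line into a dict and parse the timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_known_source(ip_text, networks):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in networks)


def is_off_hours(ts, hours=BUSINESS_HOURS):
    # Weekend, or a weekday outside the window.
    return ts.weekday() >= 5 or not (hours[0] <= ts.hour < hours[1])


def triage(lines, networks=KNOWN_NETWORKS):
    """Return one finding per record that trips at least one of the three checks."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        # Failed logins are noise for this pass; only granted access and config
        # changes tell us whether leaked credentials were actually used.
        if rec.get("result") != "success" and rec["event"] != "config-change":
            continue
        reasons = []
        if not is_known_source(rec["srcip"], networks):
            reasons.append("unknown-source-ip")
        if is_off_hours(rec["ts"]):
            reasons.append("off-hours")
        if rec["event"] == "config-change":
            reasons.append("config-change")
        if reasons:
            findings.append({
                "ts": rec["ts"].isoformat(),
                "event": rec["event"],
                "user": rec["user"],
                "srcip": rec["srcip"],
                "reasons": reasons,
            })
    return findings


def users_to_rotate_first(findings):
    """Accounts that appear in any finding: rotate these before the rest (step 1)."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["event"], f["user"], f["srcip"], ",".join(f["reasons"]))
    print("rotate first:", users_to_rotate_first(results))
```

On the constructed sample, the weekday-morning login from the office range produces no finding, the failed attempt is skipped, and the 02:00 sequence of an unfamiliar address logging in over VPN, then into the admin interface, then adding an admin account is exactly the pattern the article says to look for. A real deployment would feed exported syslog into `triage` instead of `SAMPLE_LOG` and carry its own network list and hours.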
The Broader Lesson for VPN Security
FortiBleed highlights a pattern that keeps repeating. VPN appliances remain the number one initial access vector for ransomware groups targeting SMBs, according to the 2026 Verizon DBIR. Attackers don’t need sophisticated zero-day exploits when they can harvest credentials from devices that store passwords using weak hashing, lack MFA, and run outdated firmware.
The businesses that weather incidents like FortiBleed without disruption share a few common traits. They keep firmware current through automated patch management. They enforce MFA everywhere, not just on a few high-profile accounts. They monitor VPN and firewall logs through a managed security provider that can detect anomalies in real time. They conduct regular access reviews to remove stale accounts.
None of these measures are complicated or expensive relative to the cost of a breach. They’re basic security hygiene that too many organizations skip until an incident like FortiBleed forces the conversation. If your IT provider isn’t already doing these things for your Fortinet environment, that’s a question worth asking today.
What to Tell Your IT Provider
Call your IT provider and ask them three questions: Have you rotated our Fortinet credentials since the June 18 CISA advisory? Is MFA enabled on every VPN and management interface? What FortiOS version are we running? If they can’t answer all three immediately, you need to escalate.
If you don’t have an IT provider handling this for you, or if you’re unsure whether your current provider has taken action, reach out. We’ve been working through FortiBleed response with our managed IT clients since the advisory dropped, and our vulnerability assessment process covers exactly this kind of exposure.
Need Help Responding to FortiBleed?
Our team can verify your Fortinet exposure, rotate credentials, and harden your firewall configuration.
Get a Free Assessment