The U.S. Cybersecurity and Infrastructure Security Agency issued an urgent advisory on June 18 warning that 86,644 Fortinet firewall and VPN devices have been compromised in an ongoing campaign security researchers have named FortiBleed. The operation is attributed to Russian-speaking threat actors who ran approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets to steal SSL VPN authentication data.
The compromised devices span 73,932 unique firewall URLs across 194 countries. Targets include government agencies, financial institutions, healthcare organisations, and private businesses. Generic administrative accounts and built-in Fortinet system accounts make up the majority of the stolen credentials. The breadth of the campaign places it among the larger credential theft operations documented against network security infrastructure in recent years.
CISA’s advisory outlined immediate steps for Fortinet customers: terminate all active SSL VPN and administrative sessions, reset all VPN and administrative passwords — particularly on internet-facing systems — and enforce strong password policies going forward. The agency also recommended organisations audit their FortiGate device logs for signs of unauthorised access that may have occurred before the June 18 advisory was published.
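As an added illustration of the log audit CISA recommends (not code from CISA, Fortinet or this article), the script below scans FortiGate-style key=value event logs for SSL VPN logins that succeed after repeated failures from the same source address, or that use a generic account name. The field names, action values, account watchlist, threshold and sample lines are assumptions constructed for the example; adjust them to match the logs your devices actually emit.

```python
import re
from collections import Counter

# Assumptions: key=value log syntax, the field names (subtype, action, user,
# remip) and the action values below. Verify against your own device logs.
FAIL, OK = "ssl-login-fail", "tunnel-up"
GENERIC = {"admin", "administrator", "support"}  # hypothetical watchlist
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample input (documentation IP ranges, invented users).
SAMPLE_LOG = """\
date=2026-06-10 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.7
date=2026-06-10 time=02:14:03 type="event" subtype="vpn" action="ssl-login-fail" user="support" remip=203.0.113.7
date=2026-06-10 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7
date=2026-06-10 time=02:14:09 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=203.0.113.7
date=2026-06-10 time=08:30:12 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.20
date=2026-06-11 time=03:02:44 type="event" subtype="vpn" action="tunnel-up" user="Admin" remip=198.51.100.99
date=2026-06-11 time=03:05:00 type="traffic" subtype="forward" action="accept" srcip=10.0.0.5
"""

def parse(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def suspicious_logins(log_text, min_failures=3):
    """Return (date, time, user, source_ip, reasons) for logins worth review."""
    failures = Counter()  # failed attempts seen so far, per source IP
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("subtype") != "vpn":
            continue  # ignore non-VPN events such as traffic logs
        ip, user = ev.get("remip"), ev.get("user", "")
        if ev.get("action") == FAIL:
            failures[ip] += 1
        elif ev.get("action") == OK:
            reasons = []
            if failures[ip] >= min_failures:
                reasons.append(f"{failures[ip]} prior failures from source")
            if user.lower() in GENERIC:
                reasons.append("generic account")
            if reasons:
                findings.append((ev.get("date"), ev.get("time"), user, ip, reasons))
    return findings

if __name__ == "__main__":
    for finding in suspicious_logins(SAMPLE_LOG):
        print(finding)
```

A hit is a prompt for review, not proof of compromise: correlate each flagged login with the account owner and with the session and password resets already carried out.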
Fortinet has been a recurring target for both nation-state and criminal threat actors over the past several years. The company’s FortiGate products sit at the perimeter of many corporate and government networks, making credential access to them particularly valuable for attackers who want to move laterally into internal systems or intercept encrypted traffic. The FortiBleed method exploited SSL VPN session management in a way that caused authentication hashes to leak in certain configurations.
Fortinet has issued patches for related vulnerabilities in previous advisories, but the 86,644 figure suggests a large proportion of affected organisations had not applied available fixes before this campaign ran. Security researchers at Bleeping Computer and The Hacker News reported that the stolen credential database was distributed through dark web forums before CISA’s advisory was published, meaning some affected organisations may already be dealing with active intrusions from secondary actors who purchased the data.
The FortiBleed campaign is not the first large-scale exploitation of Fortinet devices. A similar incident in 2024 exposed tens of thousands of device credentials and prompted an earlier round of CISA guidance. Organisations that acted on that guidance and patched consistently appear to have had lower exposure in this campaign.
The full CISA advisory is on the CISA official website.