The U.S. Cybersecurity and Infrastructure Security Agency warned Fortinet customers of ongoing malicious activity targeting FortiGate appliances. The campaign, codenamed FortiBleed, appears to be the work of Russian-speaking threat actors exploiting vulnerabilities in firewalls.

As of June 19, 2026, attackers had compromised 86,644 devices across 194 countries. The scale suggested that automated scanning and exploitation tools were sweeping the internet for vulnerable instances.
Compromised devices gave attackers direct access to network traffic and lateral movement opportunities within corporate networks. The long dwell time on many systems meant attackers potentially harvested sensitive data before organizations detected the breach.
CISA urged organizations to review firewall logs for suspicious activity and apply Fortinet’s latest patches immediately. Many smaller organizations lacked security monitoring that would detect FortiBleed intrusions in real time.
Fortinet released updates and detection signatures but acknowledged that patching thousands of deployed appliances would take time. Organizations using default credentials or unpatched systems faced the highest risk. Industry analysts predicted FortiBleed would drive security spending on next-generation firewalls.



