A firewall that read its own traffic
The detail that separates FortiBleed from a routine advisory is where the credentials came from. A custom tool the researchers call FortigateSniffer abuses FortiOS own built-in packet diagnostic command, the same feature an administrator uses to troubleshoot, to passively intercept authentication traffic across roughly two dozen protocols. No fresh vulnerability is required. The appliance sold to guard the perimeter became the instrument that read the logins crossing it.
SOCRadar traced the operation into ransomware territory after finding a single operator logged into the negotiation panels of both INC Ransom and Lynx at the same time. CISA urged organizations to harden Fortinet devices on 18 June after the first credential-exposure reports, and Fortinet own product security team published an analysis of the compromise.
The numbers behind the campaign
Early reporting from Recorded Future and Help Net Security put the exposure near 74,000 FortiGate systems. Later analysis from SOCRadar widened the picture to 430,000 targeted devices, roughly half of all internet-facing Fortinet hardware, and 86,644 verified working credentials spanning 194 countries. Cross-referencing FortiBleed servers against a separate INC-linked open directory found the same victim organizations tracked in both datasets, the signature of a shared pipeline.
At least 12 confirmed ransomware deployments already trace directly to FortiBleed access, with hundreds of endpoints encrypted. INC Ransom has been active since July 2023 and has claimed more than 800 victims, which makes it one of the most prolific ransomware-as-a-service operations by confirmed count. The credential harvest is not a warning of what could happen; it is the front end of attacks that already have.
Patching is not the fix this time
Because the entry is a valid credential rather than an unpatched flaw, the usual reflex fails. A FortiGate on the latest firmware with an exposed VPN account is still an open door, and it stays open until that account is rotated. The required actions are credential rotation on every firewall and VPN account, multi-factor authentication enforced on remote access, and the diagnostic packet capture disabled or closely monitored where it is not needed.
The safe assumption for any device in the exposed set is that its credentials have leaked and it should be treated as compromised until proven otherwise. That reframes the work from a patch cycle into an identity cleanup, which is slower, less satisfying, and the only thing that actually shuts the door.
Under NIS2 the clock is yours
For European operators the regulatory edge is sharp. Under NIS2 an incident that reaches your network through a third-party edge device is your reportable event, with an early warning due within 24 hours and a fuller notification within 72. Financial firms carry the parallel obligations of DORA. The liability does not sit with Fortinet or with the ransomware crew; it sits with the organization that was breached.
The KPI that matters now is not whether the firewall is patched but how fast every credential on it can be rotated. Teams that already assume their edge logins have leaked, and can prove rotation and MFA on demand, are the ones that will not read their own name in the next ransomware post.
Read next: A Forged Token Opens Every PC The Tool Manages | An AI Just Ran a Whole Ransomware Attack Alone



