Fortinet’s PSIRT team has confirmed an active campaign — nicknamed FortiBleed — where threat actors are harvesting credentials from FortiGate firewalls. This is not a new vulnerability. Attackers are recycling credentials from two earlier incidents (FG-IR-26-060, FG-IR-25-647) and combining them with brute-force attacks against devices that have weak passwords and no MFA enabled. If your FortiGate is internet-facing, read this now.
What Is FortiBleed?
The name “FortiBleed” refers to a credential-harvesting campaign first reported in June 2026. Threat actors are targeting FortiGate firewalls by reusing previously exposed credentials combined with automated brute-force techniques — exploiting organizations that haven’t rotated passwords after past incidents or enforced MFA on admin and VPN accounts.
Fortinet has contacted potentially impacted customers directly and is continuing its investigation in collaboration with relevant government agencies. If you haven’t heard from Fortinet, don’t assume you’re clear — proactive hardening is the right move regardless.
6 Actions to Take Immediately
Fortinet’s official advisory lays out a clear priority order. Here’s what to do right now:
- Terminate all active admin and VPN sessions — then reset every password. Kill active sessions first, then reset all Fortinet VPN and administrator credentials — especially on internet-facing systems. Enforce a strong password policy going forward.
- Enable MFA on every admin and VPN account. Multi-factor authentication is the single highest-impact control here. If your FortiGate isn’t enforcing MFA today, that’s the gap attackers are walking through.
- Upgrade to FortiOS 7.4, 7.6, or 8.0. These versions support PBKDF2 hashing for administrator credentials — a significantly stronger hash than older versions use. After upgrading, follow Fortinet’s guidance to remove legacy password settings via set login-lockout-upon-weaker-encryption.
- Validate your current configuration. Review all firewall and VPN users for unauthorized changes. Compare against a known-good configuration backup if you have one. Pay special attention to newly added accounts — Fortinet has seen rogue account names like forticloud, fortiuser, fortinet-support, fortinet-tech-support and similar.
- Check your logs for indicators of compromise. Look for unexpected administrator logins from unknown IPs, unusual lateral movement in domain controller logs, suspicious account creations, or unauthorized configuration changes.
- Lock down management access. Restrict external management via trusted hosts (good), a local-in policy (better), or disable internet administration entirely (best). Reducing your attack surface here eliminates the avenue entirely.
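The configuration checks from the MFA, validation and trusted-host steps above can be run offline against a saved config backup. This is an added example, not Fortinet's tooling or code from the original post. It assumes the `config system admin` backup layout with `two-factor` and `trusthostN` settings, matches only the exact account names listed above, and uses constructed sample backups.

```python
import re
# Account names this post lists as seen in the campaign (exact matches only).
ROGUE_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}

def parse_admins(config_text):
    """Return {admin: {setting: value}} from the 'config system admin' block."""
    admins, entry, in_block, depth = {}, None, False, 0
    for line in map(str.strip, config_text.splitlines()):
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):
            depth += 1                  # nested block such as gui-dashboard
        elif line == "end":
            if depth == 0:
                break                   # end of 'config system admin'
            depth -= 1
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            entry = admins.setdefault(m.group(1), {})
        elif depth == 0 and entry is not None and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            entry[key] = value[0] if value else ""
    return admins

def audit_admins(current_cfg, baseline_cfg):
    """Return {admin: [findings]} for accounts that need review."""
    baseline, report = parse_admins(baseline_cfg), {}
    for name, cfg in parse_admins(current_cfg).items():
        trust = [v for k, v in cfg.items() if k.startswith("trusthost")]
        checks = [("rogue name", name.lower() in ROGUE_NAMES),
                  ("not in baseline", name not in baseline),
                  ("no MFA", cfg.get("two-factor", "disable") == "disable"),
                  ("no trusted hosts", set(trust) <= {"0.0.0.0 0.0.0.0"})]  # none, or allow-all
        if findings := [label for label, hit in checks if hit]:
            report[name] = findings
    return report

# Constructed sample backups, not real device output.
BASELINE = """config system admin
    edit "admin"
        set trusthost1 198.51.100.0 255.255.255.0
        set two-factor fortitoken
        config gui-dashboard
            edit 1
            next
        end
    next
end"""
CURRENT = BASELINE[:-3] + '    edit "fortinet-support"\n        set accprofile "super_admin"\n    next\nend'
print(audit_admins(CURRENT, BASELINE))
```

An account that appears in the current backup but not in the baseline deserves review even when its name looks harmless, since the post notes that "similar" names are also in use.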
Is This the Right Time to Upgrade Your FortiGate?
If your team is running older FortiGate hardware — particularly models approaching end-of-support — this incident is a strong signal that it’s time to move to current-generation gear with up-to-date FortiOS. Models like the FortiGate 60F, FortiGate 70G, FortiGate 100F, and FortiGate 120G all run FortiOS 7.4+ natively, support PBKDF2 credential hashing, and are eligible for full FortiGuard security services. Running a supported, current platform is one of the best structural defenses you have.
Not sure which model fits your environment? Request a quote from DataCenter360.ca — as a Fortinet Select Partner, we can help you pick the right appliance and get it shipped fast.
What DataCenter360.ca Recommends
Beyond Fortinet’s immediate checklist, here’s our practical take for Canadian SMBs running FortiGate:
- Don’t wait for Fortinet’s outreach. If you’re on an internet-facing FortiGate, assume you could be impacted and act now. Rotating credentials and enabling MFA costs you an hour; a compromise costs you much more.
- Check firmware. FortiOS 7.4.x and 7.6.x are the current recommended branches. If you’re on 7.2 or older, upgrade — especially given the PBKDF2 requirement.
- Use Trusted Hosts. Every admin account in FortiOS can be restricted to specific source IPs. Use it. This alone blocks the majority of brute-force attacks cold.
- Review your FortiCare coverage. Active support gives you access to Fortinet’s incident response resources. If your FortiCare has lapsed, renew it now.
We’ll update this post if Fortinet releases additional guidance. Bookmark the FortiGuard PSIRT portal for the latest advisories.
Frequently Asked Questions
No. Fortinet has confirmed this is not a new vulnerability. The campaign exploits weak passwords and the absence of MFA — not a software flaw. Attackers are reusing credentials from previous incidents (FG-IR-26-060 and FG-IR-25-647) and augmenting them with brute-force techniques. Patching alone won’t protect you; credential hygiene and MFA are the required controls.
Check your FortiGate event logs for unexpected admin logins from unknown IPs. Look for newly created accounts (especially with names like forticloud, fortiuser, fortinet-support). Review VPN user lists for additions you don’t recognize. Also check domain controller logs for unusual authentication or lateral movement. Fortinet has published a recovery guide if you find signs of compromise.
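The admin-login checks described above can be run over exported event log lines, as in this added example (not Fortinet's tooling or part of the original post). It assumes key=value lines carrying `user`, `srcip`, `action` and `status` fields; the trusted range, the failure threshold and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions of this example: the management range and the failure threshold.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
FAIL_THRESHOLD = 3

def parse_event(line):
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def triage_admin_logins(lines):
    """Return sorted (finding, user, srcip) tuples for admin login events."""
    fails, findings = Counter(), set()
    for ev in map(parse_event, lines):
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        src, user = ev["srcip"], ev.get("user", "?")
        if ev.get("status") == "failed":
            fails[src] += 1
            if fails[src] >= FAIL_THRESHOLD:
                findings.add(("brute-force source", "*", src))
        elif ev.get("status") == "success":
            if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
                findings.add(("login from unknown IP", user, src))
            if fails[src] >= FAIL_THRESHOLD:
                # A success right after a failure burst suggests a guessed password.
                findings.add(("login after failure burst", user, src))
    return sorted(findings)

def sample_line(time, user, ip, status):
    """Build a constructed log line (field layout is assumed, not device output)."""
    return (f'date=2026-06-10 time={time} type="event" subtype="system" '
            f'user="{user}" srcip={ip} action="login" status="{status}"')

SAMPLE = [sample_line(f"02:11:0{i}", "admin", "203.0.113.9", "failed") for i in range(3)]
SAMPLE += [sample_line("02:11:05", "admin", "203.0.113.9", "success"),
           sample_line("09:30:00", "netops", "198.51.100.20", "success")]
print(triage_admin_logins(SAMPLE))
```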
FortiOS 7.4, 7.6, and 8.0 support PBKDF2 hashing for administrator credentials, which is significantly stronger than the hashing used in older versions. After upgrading, you must also run set login-lockout-upon-weaker-encryption to clear legacy password settings. All current-generation FortiGate hardware — including the 60F, 70G, and 120G — supports these firmware branches.
Yes. As a Fortinet Select Partner and MSSP, DataCenter360.ca can help you identify the right current-generation FortiGate for your environment, source it quickly, and advise on FortiCare licensing. Request a quote or visit our FortiGate product page to see what’s in stock.