A sprawling password-spraying and credential-theft campaign that researchers are calling FortiBleed is pounding internet-facing Fortinet firewalls, scooping up valid corporate logins and feeding them straight into the criminal resale market. Security teams at Palo Alto Networks' Unit 42 say the same operation is also hitting Sophos appliances and Microsoft SQL servers exposed to the internet, making this a broad assault on the network edge rather than a single-vendor problem.
What is happening
The attackers are running internet-wide scanning and "password spraying," a technique where they try a small set of common or previously stolen passwords against huge numbers of accounts at once, staying under the radar of lockout defenses that would trip on rapid repeated guesses against one account. Unit 42 assesses the password list was likely assembled from earlier breaches, including credentials pulled from previously exploited vulnerabilities, an approach that compounds the damage every time another set of logins leaks. (For a sense of scale, researchers recently catalogued 24 billion stolen credentials in a single exposed database.)
Why it matters
SOCRadar, which first reported the targeting of FortiGate devices, describes tens of thousands of corporate firewalls being quietly compromised. An initial access broker on the Russian-language forum Exploit[.]in claimed responsibility for the campaign on June 16, 2026, referenced an unspecified CVE, and put the harvested credentials up for sale. Unit 42 says it has not validated the broker's claims. Edge devices like firewalls and VPN gateways sit at the front door of corporate networks, so a single valid login can hand an attacker a foothold that is hard to spot, mirroring the wave of recent attacks on appliances such as Palo Alto GlobalProtect VPNs and Check Point gateways.
How the attack works
Unit 42 describes a multi-stage process. First, the actor mass-sprays passwords against exposed Fortinet, Sophos, and MSSQL services to gain an initial foothold. Second comes configuration extraction: depending on the access gained, the actor may exploit a privilege-escalation flaw before pulling device configuration files, which often contain stored credentials. Third, the actor cracks those stolen secrets offline and adds them back into the spraying list, both to attack new devices and to log back into already-compromised ones as an administrator for persistence. It is a self-feeding loop in which every cracked password makes the next round more effective.
What you should do
There is no single patch here because the core problem is exposed services and weak or reused credentials. Unit 42 and Fortinet recommend defenders require multi-factor authentication on all remote and management services, keep management interfaces off the public internet using jump boxes and Zero Trust Network Access, change default account credentials to long and unique passwords, disable unused accounts, and apply the latest firmware to close known privilege-escalation bugs. Crucially, audit remote-access logs for successful logins that arrive shortly after a burst of failed attempts, the tell-tale signature of a spray that finally landed.
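The log audit recommended above, and the "horizontal" shape of spraying described earlier (a few guesses each against many accounts, from one source), can be checked mechanically. The following is an added illustration written for this briefing, not code from Unit 42, Fortinet or SOCRadar. It uses a constructed, simplified log format (timestamp, source address, attempted user, outcome) rather than any vendor's real syslog schema, and the thresholds (ten-minute window, five failures, three distinct accounts) are assumptions to be tuned against a site's own baseline. It flags a success that lands shortly after a burst of multi-account failures from the same source, and separately lists sources that are spraying whether or not any guess has succeeded yet.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not a real appliance log). Source 203.0.113.10
# sprays six accounts then logs in as erin; 198.51.100.7 is one user who
# mistyped once; the later heidi lines are outside the look-back window.
SAMPLE_LOG = """\
2026-06-01T09:00:01 src=203.0.113.10 user=alice result=failure
2026-06-01T09:00:03 src=203.0.113.10 user=bob result=failure
2026-06-01T09:00:05 src=203.0.113.10 user=carol result=failure
2026-06-01T09:00:08 src=203.0.113.10 user=dave result=failure
2026-06-01T09:00:11 src=203.0.113.10 user=erin result=failure
2026-06-01T09:00:14 src=203.0.113.10 user=frank result=failure
2026-06-01T09:06:30 src=203.0.113.10 user=erin result=success
2026-06-01T09:02:00 src=198.51.100.7 user=grace result=failure
2026-06-01T09:02:20 src=198.51.100.7 user=grace result=success
2026-06-01T09:30:00 src=203.0.113.10 user=heidi result=failure
2026-06-01T09:31:00 src=203.0.113.10 user=heidi result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse the simplified log into (timestamp, src, user, result) tuples,
    sorted by time. Malformed lines are skipped so one bad record does not
    abort the whole sweep."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("src"), m.group("user"), m.group("result")))
    events.sort(key=lambda e: e[0])
    return events


def spray_then_success(events, window=timedelta(minutes=10),
                       min_failures=5, min_users=3):
    """Flag a successful login that follows, within `window`, at least
    `min_failures` failures from the same source spread over at least
    `min_users` distinct accounts. The distinct-account threshold is what
    separates a spray from one user mistyping a password and from a
    vertical brute force against a single account."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures
    alerts = []
    for ts, src, user, result in events:
        q = recent[src]
        while q and ts - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if result == "failure":
            q.append((ts, user))
            continue
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            alerts.append({
                "src": src, "user": user, "ts": ts.isoformat(),
                "failures": len(q), "distinct_users": len(users),
            })
    return alerts


def spraying_sources(events, window=timedelta(minutes=10), min_users=5):
    """Map each source that failed against at least `min_users` distinct
    accounts inside `window` to the largest distinct-account count seen,
    so a spray is visible before (or even if never) a guess succeeds."""
    recent = defaultdict(deque)
    hits = {}
    for ts, src, user, result in events:
        if result != "failure":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            hits[src] = max(hits.get(src, 0), len(users))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in spray_then_success(evs):
        print("spray landed:", alert)
    print("spraying sources:", spraying_sources(evs))
```

Run against the constructed sample, the first function reports a single hit (source 203.0.113.10 succeeding as erin after six failures across six accounts) and ignores both the single mistyped grace login and the later heidi pair, whose earlier failures have aged out of the window; the second function lists 203.0.113.10 as a spraying source. In production the same logic would run over the appliance's actual authentication events, with the parser swapped for the vendor's real field names.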
The original targeting was first surfaced by SOCRadar, with Unit 42's Andy Piazza publishing corroborating telemetry and the dark-web sale detail. Fortinet has published its own analysis of the reported credential compromise.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.