Since February 2026, a Russian-speaking initial access broker has orchestrated one of the year's largest firewall compromise campaigns, dubbed FortiBleed. The operation targets FortiGate appliances using a pool of 110 million harvested credentials, exploiting the critical role firewalls play in network perimeter defence. For hosting operators and infrastructure teams, this incident underscores a hard truth: perimeter defences are only as strong as their credential hygiene and patch discipline.

The Mechanics of FortiBleed

The attacker's methodology follows a well-worn path. Initial reconnaissance involves credential collection—likely from previous breaches, credential markets, or public leaks. Rather than targeting zero-day vulnerabilities, FortiBleed relies on brute-force attacks against exposed management interfaces and the deployment of custom tooling once access is gained.

Over 430,000 FortiGate instances have been scanned or compromised in the campaign. This scale suggests the attacker has automated reconnaissance, identifying exposed administrative dashboards across the internet using port scanning and service fingerprinting. Once access credentials are obtained—either through brute force or from existing dumps—the attacker establishes persistence and moves laterally into the network behind the firewall.

The campaign's financial motivation is the key point. The attacker is not interested in a specific vertical or geopolitical objective. Instead, the goal is initial access itself: compromised firewalls become entry points sold to ransomware-as-a-service operations, data exfiltration groups, and other downstream threat actors. In many cases, your firewall becomes a vehicle for someone else's attack.

Why Firewalls Are Prime Targets

Firewalls occupy a unique position in infrastructure topology. They sit at the boundary between your network and the internet, controlling all inbound and outbound traffic. An attacker with firewall access can intercept traffic, disable security controls, whitelist malicious connections, or simply harvest credentials and session tokens passing through the box.

Many organisations treat firewalls as set-and-forget appliances. Credentials are left at vendor defaults, management interfaces are exposed to the internet for remote administration, and firmware updates are deferred because the appliance "just works". From an attacker's perspective, this is an ideal target: low effort, high reward, and minimal risk of detection during initial compromise.

For infrastructure operators running dedicated servers or managed hosting environments, a compromised customer firewall—or worse, a shared appliance in your datacentre—becomes your liability. An attacker reaching one customer's backend can pivot to other systems on the same network segment or use the firewall to sniff traffic intended for other customers.

What You Should Do Now

If you operate FortiGate appliances, treat this campaign as a prompt for immediate triage. Begin with credential rotation. Change all administrative passwords and service account credentials on your firewalls, particularly those used for API access, syslog, and SNMP. If you suspect any FortiGate has been exposed to the internet without authentication, change credentials immediately.

Secondly, audit your firewall's management interface exposure. The appliance should never accept administrative connections from the public internet. Use VPN, bastion hosts, or management VLANs instead. If remote access is necessary, implement multi-factor authentication at minimum.

Firmware currency matters. FortiGate receives regular security updates; firewalls more than 18 months behind the current release are at elevated risk. Patch your fleet on a regular schedule—quarterly at minimum for critical infrastructure.

Finally, enable logging and alerting on your firewall's administrative access. Watch for unusual configuration changes, disabled logging, new administrator accounts, or mass rule modifications. These patterns signal post-compromise activity.
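As an added illustration of that alerting step (example code written for this post, not tooling from the campaign or from Fortinet), the following Python scans constructed FortiGate-style key=value event lines for the four patterns listed above: administrative logins from outside the management network, new administrator accounts, logging being switched off, and a burst of policy changes by one account. The management network 10.0.5.0/24 and the field names (user, action, cfgpath, cfgattr, srcip) are assumptions about the log schema.

```python
import ipaddress
import re
from collections import Counter

# Assumptions: admin logins are expected only from this management VLAN, and the
# field names (user, action, cfgpath, cfgattr, srcip) follow a FortiGate-style key=value schema.
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split a key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def from_mgmt_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # missing or malformed source: treat as outside
    return any(addr in net for net in MGMT_NETS)

def detect(lines, mass_rule_threshold=5):
    """Return (code, detail) alerts for the post-compromise patterns described above."""
    alerts, policy_edits = [], Counter()
    for line in lines:
        e = parse(line)
        user, action, cfgpath = e.get("user", "?"), e.get("action"), e.get("cfgpath", "")
        if action == "login" and not from_mgmt_net(e.get("srcip", "")):
            alerts.append(("LOGIN_OUTSIDE_MGMT", f"{user} from {e.get('srcip')}"))
        if cfgpath == "system.admin" and action == "Add":
            alerts.append(("NEW_ADMIN", e.get("cfgobj", "?")))
        if cfgpath.startswith("log.") and "->disable" in e.get("cfgattr", ""):
            alerts.append(("LOGGING_DISABLED", cfgpath))
        if cfgpath == "firewall.policy" and action in ("Add", "Edit", "Delete"):
            policy_edits[user] += 1   # count per-admin policy churn
    for user, n in policy_edits.items():
        if n >= mass_rule_threshold:
            alerts.append(("MASS_RULE_CHANGE", f"{user} changed {n} policies"))
    return alerts

# Constructed sample log: an outside login, a new admin, syslog switched off, six rapid policy edits.
SAMPLE_LOG = [
    'date=2026-03-02 time=09:14:07 type=event subtype=system user="admin" action="login" status="success" srcip=198.51.100.23 msg="Administrator admin logged in"',
    'date=2026-03-02 time=09:15:30 type=event subtype=system user="admin" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-03-02 time=09:16:02 type=event subtype=system user="svc_backup" action="Edit" cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"',
    'date=2026-03-02 time=10:00:11 type=event subtype=system user="netops" action="login" status="success" srcip=10.0.5.4 msg="Administrator netops logged in"',
] + [
    f'date=2026-03-02 time=09:17:{i:02d} type=event subtype=system user="svc_backup" action="Edit" cfgpath="firewall.policy" cfgobj="{i}" msg="Edit firewall.policy {i}"'
    for i in range(6)
]
```

Running `detect(SAMPLE_LOG)` yields four alerts, one for each pattern; the benign login from 10.0.5.4 produces none.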

The FortiBleed campaign is not exceptional in technique; it is exceptional only in scale and persistence. Credential harvesting and brute force have worked against firewalls for years because many operators assume the appliance itself is too difficult to reach. That assumption has proven costly. Your firewall's security posture directly impacts everything behind it.