general · BleepingComputer
Security researchers at SOCRadar report an ongoing campaign, dubbed "FortiBleed," targeting Fortinet FortiGate firewalls worldwide. According to the report, the campaign has compromised more than 430,000 FortiGate devices since at least February 2026. Attackers gained administrative access via credential stuffing and brute-force attacks, then deployed a custom Golang-based tool called "FortigateSniffer" to abuse FortiOS's built-in diagnostic sniffer functionality. This tool captures authentication traffic crossing compromised firewalls, monitoring 24 protocols including RADIUS, NTLM, Kerberos, LDAP, SMB, RDP, and database protocols. The captured data is processed into PCAP files and analyzed to extract cleartext credentials, password hashes, Kerberos tickets, and other authentication artifacts, which are then cracked using GPU-accelerated password-breaking utilities.
Defense contractors and other regulated entities relying on FortiGate for perimeter security should treat this as a critical access-control risk. If a FortiGate device falls under CMMC Level 2 or 3 scope (common for CUI handling), compromise of administrative credentials and subsequent lateral-movement via network sniffing represents a direct control failure. SaaS and healthcare organizations managing FortiGate appliances for SOC 2 or HIPAA compliance must verify that administrative access is sufficiently restricted (MFA, network segmentation) and that configuration backups are encrypted and access-controlled. Financial services firms subject to NYDFS or PCI DSS should audit FortiGate device inventories, patch status, and administrative authentication logs. An Omniware engagement can scope forensic discovery, access-control remediation, and incident response playbooks specific to your regulatory posture.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/fortibleed-Source: BleepingComputerAll briefings
Source: BleepingComputer
All briefings