Tens of Thousands of Fortinet Firewalls Reportedly Compromised in Global Cyberattack Campaign

A large-scale cybercriminal operation has allegedly compromised tens of thousands of Fortinet firewalls and VPN devices used by major organizations around the world, according to findings published by two cybersecurity firms.

The campaign, which researchers have named FortiBleed, is still ongoing and appears to differ from many previous attacks targeting Fortinet infrastructure. Rather than exploiting a previously unknown software vulnerability, the attackers are reportedly taking advantage of a far more common security weakness: organizations failing to update default or reused passwords and relying on credentials that may have already been exposed in previous data breaches.

According to investigations conducted by cybersecurity companies Hudson Rock and SOCRadar, the attackers begin by using automated scanning tools to identify internet-facing Fortinet firewalls and VPN appliances. Once vulnerable targets are discovered, the threat actors attempt to gain access using databases of previously leaked or compromised credentials.

After successfully infiltrating a device, the attackers are able to monitor network traffic, capture sensitive information, and harvest additional login credentials that pass through the compromised systems. Those newly collected credentials are then added back into the attackers’ toolkit, allowing them to expand the campaign and compromise even more organizations.

“Once a device is compromised, they use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar explained in its report.
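The loop the two reports describe (scan for exposed appliances, try leaked credentials, harvest whatever passes through, feed it back into the scanner) gives a defender one concrete thing to look for: a single source address trying many different usernames against the VPN or admin login in a short window, and then succeeding. The following Python is an added example that is not taken from the reports, from Hudson Rock, SOCRadar or Kevin Beaumont, or from Fortinet; it runs that check over constructed FortiGate-style key=value log lines. The field names (`action`, `status`, `user`, `srcip`), the thresholds and the sample addresses are assumptions for illustration, so check the product's own log reference before turning this into a production rule.

```python
"""Flag credential-stuffing patterns against a firewall's VPN/admin login
in key=value event logs (constructed, FortiGate-style layout)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. Field names are an assumption for this example;
# real product logs differ, so map them before deploying. IPs are RFC 5737.
# One address (203.0.113.5) sprays five different usernames and then logs
# in as a sixth; another (198.51.100.7) is a user mistyping once.
SAMPLE_LOG = """\
date=2024-01-15 time=09:00:01 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="failed" user="alice" srcip=203.0.113.5
date=2024-01-15 time=09:00:03 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="failed" user="bob" srcip=203.0.113.5
date=2024-01-15 time=09:00:04 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="failed" user="alice" srcip=198.51.100.7
date=2024-01-15 time=09:00:06 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="failed" user="carol" srcip=203.0.113.5
date=2024-01-15 time=09:00:09 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="failed" user="dave" srcip=203.0.113.5
date=2024-01-15 time=09:00:10 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="success" user="alice" srcip=198.51.100.7
date=2024-01-15 time=09:00:12 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="failed" user="erin" srcip=203.0.113.5
date=2024-01-15 time=09:00:20 devname="fw-edge-1" type="event" subtype="vpn" action="login" status="success" user="frank" srcip=203.0.113.5
"""

# key=value pairs; values may be double-quoted (and then may contain spaces).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping quotes."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV_RE.finditer(line)
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_failures=5, min_users=3):
    """Return findings for login events, which must be in chronological order.

    A source IP with >= min_failures failed logins spanning >= min_users
    distinct usernames inside `window` is reported once as a credential spray.
    A successful login from that IP while failures are still in the window is
    reported separately, since that is the case worth paging on.
    """
    failures = defaultdict(deque)   # srcip -> deque of (timestamp, username)
    spray_flagged = set()
    findings = []
    for line in lines:
        e = parse_kv(line)
        if e.get("action") != "login":
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        ip = e["srcip"]
        recent = failures[ip]
        while recent and ts - recent[0][0] > window:   # drop failures outside the window
            recent.popleft()
        if e.get("status") == "failed":
            recent.append((ts, e.get("user", "?")))
            users = {u for _, u in recent}
            if (len(recent) >= min_failures and len(users) >= min_users
                    and ip not in spray_flagged):
                spray_flagged.add(ip)
                findings.append({"kind": "credential_spray", "srcip": ip, "time": ts,
                                 "failed_attempts": len(recent),
                                 "distinct_users": len(users)})
        elif e.get("status") == "success" and ip in spray_flagged and recent:
            findings.append({"kind": "spray_then_success", "srcip": ip, "time": ts,
                             "user": e.get("user", "?"),
                             "failed_attempts_in_window": len(recent)})
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(f)
```

On the constructed sample the single mistyped password from 198.51.100.7 produces nothing, while 203.0.113.5 yields a `credential_spray` finding at the fifth distinct username and a `spray_then_success` finding for the later login as `frank`. The thresholds are deliberately low for the sample; in a real deployment they are tuned to the login volume, and the detection is paired with the mitigations the article itself points at: rotating credentials that appear in breach dumps, removing default or reused passwords, and not exposing the management interface to the internet.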

Hudson Rock stated that its researchers uncovered evidence suggesting that more than 73,000 unique Fortinet-related URLs may have been affected. SOCRadar provided a more conservative estimate, reporting that over 30,000 devices have been compromised. Despite the differing figures, both companies agree that the scale of the campaign is significant and affects organizations across multiple regions and industries.

According to Hudson Rock, several well-known global companies appear among the affected organizations, including Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC.

A spokesperson for Lenovo confirmed receiving TechCrunch’s request for comment but did not provide a response. The other companies identified in the report had not publicly commented at the time of publication.

Researchers from both Hudson Rock and SOCRadar reported that the largest concentrations of affected devices were located in India, the United States, Taiwan, and Mexico. However, evidence suggests that victims span numerous countries worldwide.

Industry analysis indicates that organizations operating in information technology services, telecommunications, and construction materials have been particularly impacted. Government agencies are also believed to be among the victims, according to SOCRadar’s findings.

Both cybersecurity firms noted that the threat actors responsible for the operation appear to be Russian-speaking, although no specific group has been publicly identified.

Fortinet did not respond to requests for comment regarding the allegations and findings presented in the reports.

The conclusions reached by Hudson Rock and SOCRadar are based on the discovery and analysis of a large dataset containing credentials linked to Fortinet devices and the organizations using them. The existence of the campaign was first brought to public attention over the weekend by security researcher Bob Diachenko.

Independent cybersecurity researcher Kevin Beaumont later reviewed the data and stated in a blog post published on Wednesday that he had analyzed the information and confirmed that it appeared to be authentic.

Fortinet products have been frequent targets of cyberattacks in recent years, with many previous campaigns relying on software vulnerabilities and unpatched security flaws to gain access. The FortiBleed campaign, however, demonstrates that attackers do not always require sophisticated exploits to achieve large-scale compromises.

Instead, researchers say the operation primarily relies on leaked credentials, weak password practices, and poor security hygiene — highlighting how basic cybersecurity failures can still expose thousands of organizations to serious threats even in the absence of newly discovered vulnerabilities.