Dear Customers and Partners,
We are reaching out to share a critical threat intelligence advisory regarding an active, global cyber operation called "FortiBleed."
Discovered and documented by cybersecurity researchers at SOCRadar, this campaign has successfully compromised over 86,644 Fortinet FortiGate firewall and SSL VPN gateway devices across 194 countries.
FortiBleed is a large-scale credential harvesting and network compromise operation. Threat actors (the fingerprints uncovered point heavily toward Russian-speaking groups) have been systematically scanning internet-facing Fortinet infrastructure, using automation and offline password-cracking techniques to exfiltrate valid corporate login credentials.
Worse yet, once a device is compromised, the attackers use it as a listening post to actively sniff the SSL VPN traffic passing through it, picking up any fresh credentials that flow past.
Because Fortinet firewalls are widely trusted across nearly every industry, the exposure spans global enterprises, government sectors, telecoms, and healthcare networks alike. If your organization relies on Fortinet FortiGate or SSL VPN products, your perimeter could be vulnerable—especially if credentials have not been forcibly rotated following prior breaches.
We strongly recommend that your security and infrastructure teams immediately take the following steps:
Check Your Exposure: Check whether your organization's IP addresses or domains appear in the leaked dataset using SOCRadar’s free lookup utility: FortiBleed Free Checker Tool.
Rotate Credentials: Force a baseline password reset across all administrative and user accounts associated with your Fortinet devices and VPN services.
Audit VPN Sessions: Review access logs for any anomalous connection times, geographic anomalies, or unfamiliar active user sessions.
Review the Technical Analysis: For a deeper look into the threat actor’s exact mechanics and indicators of compromise (IoCs), you can read the Main SOCRadar Blog Post and download the comprehensive deep-dive FortiBleed Whitepaper Report.
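The following Python example is an addition to this advisory, not SOCRadar or Fortinet code, showing how the "Audit VPN Sessions" step can be automated. It assumes sessions have been exported to a CSV of UTC timestamp, user, source IP and country; that layout, the account list, the working hours and the thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (UTC timestamp, user, source IP, country); not real data.
SAMPLE_SESSIONS = """\
2025-01-06T08:15:00,alice,198.51.100.10,DE
2025-01-06T09:02:00,bob,198.51.100.22,DE
2025-01-07T08:40:00,alice,198.51.100.10,DE
2025-01-08T03:12:00,bob,203.0.113.77,BR
2025-01-08T09:05:00,alice,198.51.100.10,DE
2025-01-08T10:30:00,alice,192.0.2.45,SG
2025-01-08T14:00:00,svc_backup,192.0.2.99,DE
"""

KNOWN_USERS = {"alice", "bob"}          # assumption: your account inventory
WORK_HOURS = range(7, 19)               # assumption: 07:00-18:59 UTC is normal
BASELINE_END = datetime(2025, 1, 8)     # rows before this build the baseline
TRAVEL_WINDOW = timedelta(hours=4)      # country change faster than this is suspect


def audit_sessions(text):
    rows = [(datetime.fromisoformat(ts), user, ip, cc)
            for ts, user, ip, cc in csv.reader(io.StringIO(text))]
    rows.sort()
    usual = {}   # user -> countries seen during the baseline period
    last = {}    # user -> (time, country) of the previous session
    findings = []
    for ts, user, ip, cc in rows:
        if ts < BASELINE_END:
            usual.setdefault(user, set()).add(cc)
        else:
            reasons = []
            if user not in KNOWN_USERS:
                reasons.append("unfamiliar account")
            if ts.hour not in WORK_HOURS:
                reasons.append("off-hours login")
            if user in usual and cc not in usual[user]:
                reasons.append("new country")
            prev = last.get(user)
            if prev and prev[1] != cc and ts - prev[0] < TRAVEL_WINDOW:
                reasons.append("implausible travel")
            if reasons:
                findings.append((ts.isoformat(), user, ip, reasons))
        last[user] = (ts, cc)
    return findings

if __name__ == "__main__":
    print(*audit_sessions(SAMPLE_SESSIONS), sep="\n")
```

Each finding is a lead for manual review; set the baseline cut-off to a date before the suspected exposure so that attacker sessions do not become part of the "usual" profile.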
We value the security of our ecosystem deeply. Please do not hesitate to contact our technical support or security teams if you need any assistance verifying your perimeter or reviewing these safety measures.
Stay safe,