Rewterz

A VBScript Campaign Spread via WhatsApp Installing RMM Software – Active IOCs

June 23, 2026
Rewterz

Cisco Unified CM and SME Flaw Enables SSRF Attacks

June 24, 2026

Active FortiBleed Campaign Targets FortiGate Devices

Severity

High

Analysis Summary

Fortinet has warned of an active credential-harvesting campaign, dubbed “FortiBleed,” targeting internet-facing FortiGate firewalls and VPN appliances worldwide. Unlike a zero-day attack, the campaign leverages credentials exposed in previously disclosed security incidents and combines them with AI-assisted brute-force techniques to gain unauthorized access. Researchers estimate that up to 86,000 FortiGate devices across 194 countries could be exposed, making this one of the largest credential-based threats affecting Fortinet environments.

Fortinet’s investigation found that attackers are primarily exploiting weak, reused, or previously compromised administrator and VPN credentials, particularly on systems where multi-factor authentication (MFA) is not enabled. The company emphasized that organizations that fully implemented remediation measures from earlier advisories are unlikely to be affected. Fortinet has also begun directly notifying potentially impacted customers and coordinating response efforts with government agencies.

Following successful authentication, threat actors have been observed modifying device configurations, creating unauthorized administrative accounts, and establishing persistent access to targeted environments. Common rogue account names include variations such as “forticloud,” “fortiuser,” and “fortinet-support.” In environments integrated with Active Directory (AD) or LDAP services, attackers may further leverage compromised access to move laterally across internal networks, increasing the risk of broader organizational compromise.

To mitigate the threat, Fortinet and CISA are urging organizations to immediately reset all VPN and administrative credentials, terminate active sessions, enforce MFA for all privileged accounts, and upgrade to supported FortiOS versions that provide stronger password protection mechanisms. Security teams should also audit configurations for unauthorized changes, review logs for suspicious administrative activity, restrict internet-facing management access, and investigate any signs of unauthorized account creation or unexpected password resets. Organizations identifying such indicators should consider affected devices fully compromised and initiate incident response and recovery procedures without delay.

Impact

  • Sensitive Credential Theft
  • Gain Access

Remediation

  • Fortinet recommends following its published incident recovery guidance.
  • Immediately reset all FortiGate administrator and VPN user passwords, especially for internet-facing devices.
  • Terminate all active administrative and VPN sessions to invalidate potentially compromised credentials.
  • Enforce Multi-Factor Authentication (MFA) for all administrator and remote-access VPN accounts.
  • Upgrade FortiOS to the latest supported version (7.4, 7.6, or later) to benefit from enhanced password protection features.
  • Remove legacy password configurations and enable stronger password hashing mechanisms such as PBKDF2.
  • Audit FortiGate configurations against a known-good baseline and investigate any unauthorized changes.
  • Review user accounts and remove any suspicious or unauthorized accounts, particularly those impersonating Fortinet services or support personnel.
  • Monitor FortiGate logs for unusual login attempts, administrative access from unknown IP addresses, and suspicious configuration modifications.
  • Restrict administrative access to trusted IP addresses and disable internet-facing management interfaces whenever possible.
  • Implement strong password policies and prohibit password reuse across administrative and VPN accounts.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.