For years the mental model was simple: the firewall protects the network. In 2026 the model needs an update, because the firewall — and every other internet-facing appliance — is increasingly the thing being attacked.
The clearest example yet is FortiBleed, a large-scale credential-harvesting campaign uncovered in June 2026. According to research by SOCRadar and warnings from CISA, the operators targeted roughly 430,000 FortiGate firewalls worldwide and gathered more than 110 million credentials. The campaign only came to light because of an attacker mistake: a server full of stolen credentials was left exposed on the internet.
How the operation worked
The playbook was methodical rather than sophisticated:
- Mass scanning of internet-exposed Fortinet devices — SOCRadar tracked scanning against about 11,250 FortiGate portals in more than 150 countries.
- Credential-based break-ins using known username and password combinations — no zero-day required for the initial wave.
- Custom packet sniffers (written in Go) deployed on roughly 12,000 compromised devices to passively capture more credentials and authentication data flowing through the network.
The results speak for themselves: confirmed admin-level access on 409 targets, the full attack chain completed on 354 of them, and at least 12 ransomware deployments that encrypted hundreds of endpoints.
From stolen passwords to ransomware
The most important update came in early July: SOCRadar found an operator tied to FortiBleed's infrastructure actively working the negotiation panels of the INC and Lynx ransomware operations. In other words, this was not credential collection for its own sake — it was an initial access broker feeding verified access directly into ransomware deployments.
Internal documents suggest an organized operation of about 20 people with a clear division of labour, likely Russian-speaking, focused heavily on manufacturing, technology and logistics. That is what a modern cybercrime supply chain looks like: one team steals and verifies access, another monetizes it with encryption and extortion.
Why edge devices are the new crown jewels
Firewalls, VPN gateways and other edge appliances are attractive for three reasons. They are always exposed — that is their job. They are rich in credentials — every login to the VPN or admin portal passes through them. And they are poorly monitored — most organizations have EDR on laptops and servers, but little visibility into what runs on a network appliance.
FortiBleed is not an isolated case. The same weeks brought active exploitation of Citrix Bleed 2 by ransomware affiliates and a Cisco SD-WAN zero-day. The pattern is consistent: attackers go where the credentials are and where the defenders are not looking.
What to do this week
- Inventory your edge. Every internet-facing appliance — firewalls, VPN concentrators, load balancers — with owner, firmware version and exposure level.
- Patch and verify. Being one firmware version behind on an edge device is a materially different risk than being behind on a desktop app.
- Rotate credentials that transited the device. If a FortiGate (or any appliance) may have been compromised, assume every credential that passed through it is burned — including VPN users and admin accounts.
- Get management interfaces off the internet. Admin portals should be reachable only from a management network, with multi-factor authentication enforced.
- Watch the device itself. Unexpected processes, configuration changes or outbound connections from an appliance deserve the same alarm as malware on a server.
If you fall under NIS 2, remember that a compromised edge device that leads to a significant incident starts the 24-hour early-warning clock. Knowing your edge inventory in advance is what makes that deadline achievable.
Test it before someone else does
The uncomfortable truth of FortiBleed is that most victims were not beaten by a zero-day. They were beaten by exposed portals, reused credentials and missing MFA — exactly the things a routine infrastructure penetration test or a targeted vulnerability assessment is designed to catch.
If you are not sure what your organization currently exposes to the internet, that is the first question worth answering. We can help you answer it before someone else does.
This article is general information based on public reporting by SOCRadar, CISA and The Hacker News, not incident-response advice for a specific environment.
