Q: What is the Fortibleed disclosure?
A: Fortibleed refers to a massive credential compromise campaign affecting Fortinet/Fortigate firewalls. Security researchers discovered an open directory exposed on the public internet containing compromised data that impacts roughly 50% of publicly exposed Fortigate devices.
Q: Who discovered this breach and when was it disclosed?
A: The exposed directory was originally discovered by security researcher Volodymyr “Bob” Diachenko. The analysis of this Fortigate brute-force activity was formally disclosed on June 16, 2026, by security organizations SOCRadar and HudsonRock.
Q: What specific data was exposed in this leak?
A: The exposed directory contained cleartext credentials, Kerberos hashes, and other indicators of compromise (IOCs) harvested from Fortigate environments.
Q: How many organizations are affected?
A: While the overall campaign is massive, Huntress has cross-referenced the listed IP addresses against their own data corpus and identified 845 partner organizations specifically impacted by this credential dump.
Q: Are the leaked credentials still valid and active?
A: Huntress has not tested the validity of the credentials to verify if they still work. Because there are no dates or timestamps associated with specific additions to the credential list, it is possible that some old or inactive credentials are present. However, all exposed credentials should be treated as a critical security risk.
Q: When did this attack occur / how long has this been going on?
A: We suspect May 19th to June 7th, based on particular artifacts associated with the adversaries’ data. However, this is not a validated attack time window.
Q: What is Huntress doing to address this?
A: Huntress has enacted a "rapid response" by dedicating significant security resources and specialists to this issue. They are actively auditing the contents of the leak and continuously analyzing the related threat activity to secure partner environments.
Q: I think I am affected. Is Huntress going to contact me?
A: Affected partners will be contacted once we have organized and sifted through the data for accuracy and validation purposes.
Q: What immediate actions should affected organizations take?
A: If your organization is affected, Huntress strongly advises the following next steps:
- Targeted Credential Rotation: Immediately rotate passwords for all Fortigate administrators and SSLVPN users. Adversaries possess hashed credentials that can be cracked into plaintext to regain access.
- Broad Credential Rotation: Rotate credentials for all Active Directory users.
- Enable SIEM Monitoring: Ensure your FortiGate SSLVPN device is instrumented with Huntress SIEM to monitor and triage authentication activity. If you do not have a SIEM subscription, it is recommended to utilize the trial feature immediately, as exploitation activity is expected to increase.
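As an added example of the authentication triage the SIEM step calls for (this is illustrative code, not Huntress or Fortinet code): the script below parses FortiGate-style key="value" event log lines, flags a source IP that fails SSL-VPN logins for several distinct users (the brute-force pattern this FAQ describes), and flags any successful tunnel from such an IP. The field names used and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in FortiGate-like key="value" syntax (not real telemetry).
SAMPLE_LOGS = """\
date=2026-06-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="203.0.113.7"
date=2026-06-01 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip="203.0.113.7"
date=2026-06-01 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="bwayne" remip="203.0.113.7"
date=2026-06-01 time=10:00:09 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip="203.0.113.7" tunneltype="ssl-tunnel"
date=2026-06-01 time=10:05:00 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip="198.51.100.4" tunneltype="ssl-tunnel"
"""

# Matches key=value and key="value" pairs; field names are assumed for this example.
KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')


def parse_line(line):
    """Turn one log line into a dict of its key/value fields."""
    return dict(KV_RE.findall(line))


def triage(log_text, fail_threshold=3):
    """Return alerts for (a) source IPs that failed SSL-VPN logins for at least
    `fail_threshold` distinct users (a spray/brute-force pattern) and
    (b) any successful tunnel-up from one of those IPs."""
    failed_users = defaultdict(set)  # remip -> set of usernames that failed
    successes = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn":
            continue
        if ev.get("action") == "ssl-login-fail":
            failed_users[ev["remip"]].add(ev["user"])
        elif ev.get("action") == "tunnel-up":
            successes.append(ev)
    spray_ips = {ip for ip, users in failed_users.items() if len(users) >= fail_threshold}
    alerts = [("spray", ip, len(failed_users[ip])) for ip in sorted(spray_ips)]
    # A success from an IP that was spraying is the highest-priority finding:
    # it suggests a credential in the dump was still valid.
    for ev in successes:
        if ev["remip"] in spray_ips:
            alerts.append(("success_after_spray", ev["remip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

Feed it the SSL-VPN event export from the firewall or SIEM instead of SAMPLE_LOGS; any `success_after_spray` hit identifies an account to rotate and a session to investigate first.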
Q: Why do we need to rotate passwords for all Active Directory users?
A: Once adversaries gained access to the Fortigate devices, they used packet sniffing to intercept network traffic. This allowed them to harvest NTLM and Kerberos hashes for users across the entire environment, meaning any Active Directory account could potentially be compromised.
Q: Why didn’t Huntress detect this?
A: The initial compromise occurred outside of Huntress's standard visibility for three reasons:
- Targeted Edge Devices: Attackers compromised FortiGate firewalls directly. Because Huntress agents monitor internal endpoints (workstations and servers), activity on perimeter firewalls remains invisible unless those devices are actively routing logs to a SIEM.
- Silent Extraction: Once inside the firewall, attackers used packet sniffing to harvest credentials locally. This technique does not trigger the malware or behavioral alerts that traditional security tools look for on the internal network.
- External Discovery: The breach was not identified through a network alert. An independent researcher found the threat actor's stolen data stash exposed on the public internet, which Huntress is now using to proactively notify affected partners.
Q: I’ve been affected. Do I need to instigate/contact Incident Response and/or my Cyber Insurer?
A: At this time, the advised remediations (auditing for back-doors, broad credential rotation, and enabling SIEM monitoring) are adequate.
However, we advise organizations to follow their own incident response and cyber insurance policies when determining whether a formal IR engagement is required for their specific environment.
Q: Huntress notified me that I am potentially affected. How accurate are the notifications? / Is Huntress telling me I am actively compromised?
A: The adversary data we analyzed contains a mix of current and stale IP associations. To avoid creating blind spots, we chose not to filter out older infrastructure footprints. We are notifying all matched partners out of an abundance of caution so you can review the provided guidance and validate your own environment.