Fortinet says the large-scale credential-harvesting campaign currently targeting its customers’ firewalls and VPNs does not exploit new vulnerabilities.
As part of the campaign, tracked as FortiBleed, threat actors have compiled a database of over 86,000 confirmed working credentials for Fortinet devices in 194 countries.
“Based on our initial analysis, we believe the activity involves threat actors reusing credentials from previous incidents and employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA),” the company says.
The prior incidents Fortinet refers to involved the exploitation of three FortiCloud SSO login authentication bypass security defects: CVE-2026-24858, patched in January, and CVE-2025-59718 and CVE-2025-59719, addressed in December.
“Fortinet provided detailed guidance at the time of these advisories, and we continue to strongly encourage all customers to ensure these remediation steps have been completed,” the company notes.
