FortiBleed Explained: How an Access Broker Exploited 430K FortiGate Firewalls

FortiBleed Explained: How an Access Broker Exploited 430K FortiGate Firewalls

Key Takeaway: A Russian-speaking threat actor dubbed FortiBleed ran one of the largest passive credential-harvesting campaigns ever documented — targeting 430,000 FortiGate firewalls globally, deploying custom packet sniffers, and stockpiling an estimated 110 million credentials that were then funneled to ransomware operators including INC Ransom, Lynx, and Akira. Active exploitation of CVE-2026-35616 is confirmed and CISA has added it to the KEV catalog. Patch immediately and rotate all credentials that traversed affected firewalls.

FortiBleed is not a single vulnerability — it is the security community’s name for a two-pronged campaign discovered by Orca Security researcher Alex Delamotte in early July 2026. On one side, a Russian-speaking access broker ran mass internet scans to identify vulnerable FortiGate firewalls and harvest credentials directly from network traffic. On the other, threat actors exploited CVE-2026-35616, a critical vulnerability in FortiClient EMS (CVSS 9.1), to deploy the FortiClientGhost backdoor on corporate endpoints.

The scale is staggering. Delamotte’s research, published on July 8, found evidence that over 110 million credentials were harvested through passive packet sniffing alone — without needing to authenticate to the devices. Combined with the CVE-2026-35616 exploitation path, FortiBleed has become one of the most significant enterprise security events of 2026.

Here is what happened, how it works, and what IT teams need to do right now.

How the Credential Harvesting Worked

The core of the FortiBleed campaign is disturbingly simple. The access broker built a custom tool called FortigateSniffer — a modified packet sniffer designed to extract cleartext credentials from TLS-encrypted FortiGate traffic. The tool exploits a fundamental weakness in how many FortiGate devices handle certificate validation during TLS inspection.

When a FortiGate firewall performs TLS inspection (man-in-the-middle decryption for security scanning), it terminates the TLS connection and re-encrypts traffic to the destination. If the device is misconfigured — or if it is running firmware that defaults to weak certificate validation — the FortigateSniffer can intercept the decrypted traffic and extract usernames and passwords in plaintext.

The attacker did not need to compromise the firewalls. They scanned the internet for FortiGate devices that had TLS inspection enabled with weak configurations, then passively captured credential data from the decrypted traffic streams. The tool was deployed across approximately 12,000 devices globally, building a massive credential database over weeks of operation.

CVE-2026-35616: The FortiClient EMS Backdoor

The second prong of the campaign targets FortiClient EMS (Endpoint Management Server), a centralized management platform used by enterprises to deploy and configure FortiClient VPN agents on employee devices.

CVE-2026-35616 is a critical vulnerability with a CVSS score of 9.1. It allows an unauthenticated remote attacker to execute arbitrary code on the FortiClient EMS server by sending a specially crafted request to the management interface. Once exploited, the attacker deploys the FortiClientGhost backdoor — a persistent implant that gives the attacker ongoing access to the compromised server and, by extension, to every endpoint managed by it.

CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog on July 2, 2026, mandating that all federal agencies patch within 21 days. Fortinet released an emergency patch on July 1, but as of July 13, thousands of FortiClient EMS instances remain unpatched.

Who Is Behind It

Orca Security attributes the access brokerage operation to a Russian-speaking threat actor tracked as RedStinger. The FortigateSniffer infrastructure was first observed in April 2026, with the mass scanning campaign ramping up in May and June. The harvested credentials were distributed through a private Telegram channel and a dark web marketplace to multiple ransomware affiliates.

At least 12 confirmed ransomware deployments have been traced back to credentials sourced from the FortiBleed campaign. The most active buyers include:

  • INC Ransom — 5 confirmed victims, primarily in manufacturing and healthcare
  • Lynx — 4 confirmed victims, targeting financial services and legal firms
  • Akira — 3 confirmed victims, focused on education and government

The access broker appears to operate independently from the ransomware groups, selling credentials in bulk rather than conducting the attacks themselves. This separation makes attribution harder and allows multiple ransomware operations to leverage the same credential pool simultaneously.

Scale of the Exposure

The numbers are significant:

  • 430,000 FortiGate firewalls were targeted by the scanning campaign
  • ~12,000 devices had the FortigateSniffer actively deployed
  • 110 million+ credentials were harvested through passive sniffing
  • 12+ confirmed ransomware deployments linked to harvested credentials
  • CVSS 9.1 — the severity score for CVE-2026-35616

For context, Fortinet’s FortiGate is one of the most widely deployed enterprise firewalls globally. Gartner estimates that Fortinet holds approximately 23% of the network firewall market. A campaign targeting 430,000 devices represents a meaningful fraction of the installed base.

What IT Teams Need to Do Now

Orca Security published a detailed detection and remediation guide alongside the FortiBleed disclosure. The recommended actions are:

  1. Patch CVE-2026-35616 immediately. Fortinet released fixes on July 1. Update all FortiClient EMS servers to the latest patched version. If patching is not immediately possible, disable the management interface until the patch can be applied.
  2. Audit FortiGate TLS inspection configurations. Check all FortiGate devices for TLS inspection rules. Verify that certificate validation is set to strict mode (not “verify certificate” which may still allow weak configurations). Fortinet’s KB article FA-475047 provides specific guidance.
  3. Rotate all credentials that traversed affected firewalls. Any user or service account credentials that passed through a FortiGate device with TLS inspection enabled between April and July 2026 should be considered compromised. Rotate passwords, API keys, and service account tokens.
  4. Check for FortiClientGhost. Scan all endpoints managed by FortiClient EMS for the FortiClientGhost backdoor. Fortinet’s IOCs (Indicators of Compromise) are published in their advisory.
  5. Review FortiGate firmware versions. Ensure all FortiGate devices are running the latest stable firmware. Several older firmware versions have known weaknesses in TLS certificate handling.

Why This Matters Beyond Fortinet

FortiBleed is a case study in how access brokerage fuels the ransomware economy. The credential harvesting was passive — no exploitation of zero-days, no phishing, no social engineering. The attacker simply scanned the internet for misconfigured devices and captured what was already exposed in transit.

This pattern is not unique to Fortinet. Any network appliance that performs TLS inspection is potentially vulnerable to similar traffic interception if certificate validation is weak. Palo Alto Networks, Cisco, and Check Point firewalls all have TLS inspection features that require careful configuration to prevent credential exposure.

The lesson for IT teams is clear: TLS inspection is a powerful security tool, but it creates a new attack surface. Every device that decrypts and re-encrypts traffic becomes a potential credential leak point. Configuration audits, certificate validation hardening, and regular credential rotation are not optional — they are foundational to network security.

FAQ

What is FortiBleed?
FortiBleed is the security community’s name for a two-pronged campaign combining passive credential harvesting from FortiGate firewalls and active exploitation of CVE-2026-35616 in FortiClient EMS. Over 110 million credentials were stolen.

Am I affected if I use FortiGate?
If your FortiGate firewall has TLS inspection enabled with weak certificate validation, your users’ credentials may have been captured. Audit your TLS inspection configuration and rotate all credentials that traversed the device.

What is CVE-2026-35616?
A critical (CVSS 9.1) remote code execution vulnerability in FortiClient EMS that allows an unauthenticated attacker to deploy the FortiClientGhost backdoor. CISA has added it to the KEV catalog. Patch immediately.

How do I check if my FortiClient EMS is compromised?
Scan all endpoints for the FortiClientGhost IOCs published by Fortinet. Check the FortiClient EMS server logs for unexpected administrative accounts or configuration changes.

Is this similar to FortiGate CVE-2023-27997 (XORtigate)?
Both target Fortinet infrastructure, but they are different vulnerabilities. CVE-2023-27997 was a heap-based buffer overflow in the SSL-VPN. CVE-2026-35616 targets the FortiClient EMS management server and is exploitable without authentication.

References

Leave a Reply