Informational

Advisory: Fortinet “FortiBleed” Credential Exposure and Sophos VPN Bruteforcing Campaign

CVE(S)

N/A

PRODUCT(S)

Sophos Firewall

Updated

2026 Jun 19

Article Version

1

First Published

2026 Jun 20

Publication ID

fortinet-fortibleed-credential-exposure-and-sophos-vpn-bruteforcing-campaign

Workaround

No

Overview

Earlier this week, cybersecurity researchers discovered a large cache of Fortinet device credentials held by a threat actor. Dubbed 'FortiBleed', this trove contained credentials for Fortinet devices belonging to many organizations, both large and small.

On June 19, 2026, Sophos received information from a 3rd party that the threat actors had also targeted Sophos Firewall networking appliances that were exposed to the internet. Our investigation indicates that this campaign targeted user-level accounts on Sophos VPN devices with credential brute-forcing/stuffing. While the targeting appears to have been widespread, our investigation is still ongoing. Based on the telemetry we’ve reviewed so far, we have not seen indications of compromise on affected Sophos devices. We also have not seen anything to suggest this activity involved exploitation of a vulnerability in Sophos firewall appliances.

This investigation is ongoing with continual monitoring. We will communicate additional findings directly with Sophos customers and update this advisory if major discoveries are made.

We advise customers with Sophos networking equipment to harden their devices against credential-stuffing attacks using measures such as multi-factor authentication.

Detail

On June 13, 2026, security researcher Bob Diachenko discovered an open server containing valid usernames, email addresses, and plaintext passwords, which were subsequently verified by independent analysts. The dataset reportedly covers over 21,000 unique domains and includes major multinational corporations and government organizations across 194 countries, with some reports describing roughly half of internet-facing Fortinet firewalls as represented in the dataset.

FortiBleed is not currently understood as one single named CVE. The public evidence points to the credentials having been harvested through a combination of exposed management surfaces, brute-force attacks, credential material recovered from Fortinet configuration files, and hash-cracking. Beyond brute-force and configuration export from compromised Fortinet appliances, there is limited technical detail on the initial access vector.

Sophos MDR’s earliest confirmed sighting of abuse took place on June 2, 2026, when we responded to a detected export of a Fortinet FortiGate configuration file to an external IP. Sophos detections “PD-FORTINET-FORTIGATE-SYSTEM-CONFIG-DOWNLOAD-EXTERNAL-IP-1” and “XDR-fortinet-fortigate-system-config-file-has-been-downloaded-by-user-name-via-guiipaddress” specifically identify configuration export.
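The two behaviours this advisory describes, a configuration export to an address outside the management network and a burst of failed VPN logins from one source, can both be surfaced from FortiGate event logs. The following is an added example written for this page; it is not Sophos MDR's detection logic and not Fortinet code. The log lines in LOG_LINES are constructed, and the field names (subtype, action, ui, msg, remip, user) and message wording are assumptions about the shape of FortiGate key=value event logs, which vary by FortiOS version. TRUSTED_NETS is an example allowlist that you would replace with your own management ranges.

```python
"""Added example (not Sophos or Fortinet code): two detections over
FortiGate-style key=value event logs.  ASSUMED: field names, message text
and the sample lines below are illustrative; map them to your own logs."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Explicit allowlist of networks from which config exports are expected.
# ipaddress.is_private is deliberately NOT used: it also classes TEST-NET,
# CGNAT and other reserved ranges as "private", which would hide hits.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample log lines (illustrative, not captured from a real device).
LOG_LINES = """\
date=2026-06-02 time=10:14:03 type="event" subtype="system" level="notice" user="admin" ui="https(203.0.113.5)" action="download" msg="Configuration file has been downloaded by user admin via GUI(203.0.113.5)"
date=2026-06-02 time=10:20:11 type="event" subtype="system" level="notice" user="netops" ui="https(10.20.0.9)" action="download" msg="Configuration file has been downloaded by user netops via GUI(10.20.0.9)"
date=2026-06-02 time=11:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="jsmith"
date=2026-06-02 time=11:00:09 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="asmith"
date=2026-06-02 time=11:00:17 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="bjones"
date=2026-06-02 time=11:00:25 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="admin"
date=2026-06-02 time=11:00:33 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="vpnuser"
date=2026-06-02 time=11:05:40 type="event" subtype="vpn" action="ssl-login-fail" remip=10.20.0.9 user="netops"
"""


def parse_kv(line: str) -> dict:
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_log(text: str) -> list:
    return [parse_kv(l) for l in text.splitlines() if l.strip()]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def source_ip(ev: dict):
    """Pull the operator's source IP out of the ui or msg field, if present."""
    for field in ("ui", "msg"):
        m = IP_RE.search(ev.get(field, ""))
        if m:
            return m.group(1)
    return None


def detect_config_export(events):
    """(user, ip) pairs for config download/backup events from outside TRUSTED_NETS."""
    hits = []
    for ev in events:
        if ev.get("subtype") != "system" or ev.get("action") not in ("download", "backup"):
            continue
        ip = source_ip(ev)
        if ip is None or not is_trusted(ip):  # an unknown origin is also suspicious
            hits.append((ev.get("user"), ip))
    return hits


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> sorted usernames tried, for IPs with >= threshold
    SSL-VPN login failures inside any span no longer than `window`."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("subtype") != "vpn" or ev.get("action") != "ssl-login-fail":
            continue
        if not all(k in ev for k in ("date", "time", "remip")):
            continue
        ts = datetime.fromisoformat(f"{ev['date']}T{ev['time']}")
        fails[ev["remip"]].append((ts, ev.get("user")))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort(key=lambda a: a[0])
        for i in range(len(attempts)):  # sliding window over sorted timestamps
            j = i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[ip] = sorted({u for _, u in attempts[i:j] if u})
                break
    return flagged


def run_detections(text: str = LOG_LINES) -> dict:
    events = parse_log(text)
    return {"config_export": detect_config_export(events),
            "bruteforce": detect_bruteforce(events)}


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(f"{name}: {result}")
```

The allowlist approach matters more than it looks: a detection that relies on a generic "is this IP private" test will silently drop hits from documentation, CGNAT and other reserved ranges, and it still cannot tell a trusted jump host from a random internal machine. Listing the management networks explicitly makes the rule auditable and turns every other source, including a missing one, into a hit worth a look.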

There is no evidence in the reporting that the FortiBleed campaign is linked to exploitation of recent Fortinet CVEs, but the operational impact is severe: attackers with valid credentials can achieve full remote access, bypassing most network defenses. Exposed credentials can allow an attacker to log in to perimeter security devices, change firewall or VPN configuration, create persistence, access internal authentication systems, and use the device as a foothold into the wider network.

On June 18, 2026, both the US Cybersecurity & Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) published cybersecurity advisory alerts (see References below) urging the hardening of Fortinet devices in light of these reports.

Guidance for Sophos Customers

If you have Sophos Firewalls active in your environments:

  • Our investigation indicates that the threat actor specifically targeted Sophos Firewall appliances that lacked MFA protection. We urge our customers to enable this feature on their externally accessible accounts wherever possible, regardless of the manufacturer of their equipment.
  • Follow our Sophos Firewall Hardening Guide (see References below) and ensure MFA is enabled and enrolled for all users who have access to authenticate with the Admin, User, or VPN portals.

If you have Fortinet devices active in your environments:

  1. Scope exposure
     • Use Hudson Rock's FortiBleed lookup tool (see References below) to check whether any of your devices, and the credentials associated with them, appear in the dataset.
     • Inventory all Fortinet FortiGate, FortiOS, FortiProxy, FortiWeb, and related edge devices. Identify which expose management, SSL VPN, or administrative interfaces to the internet.
  2. Terminate sessions and rotate credentials
     • Terminate all active SSL VPN and administrative sessions. Reset all Fortinet local administrator, VPN, API, and service-account credentials. Rotate any LDAP, RADIUS, Active Directory, TACACS+, SAML, or other authentication credentials used by the device. Rotate shared or reused credentials on other edge devices as well.
  3. Lock down management access
     • Remove administrative access from public internet-facing interfaces wherever possible. Restrict management to trusted internal networks, jump hosts, VPN with MFA, or out-of-band management. Use trusted-host restrictions and local-in policies. Disable unused SSL VPN, administrative, API, and remote-access services.
  4. Enforce MFA
     • Enable phishing-resistant MFA where supported for all administrator and remote-access accounts. At minimum, enforce MFA on every VPN, external gateway, administrator, and privileged account. Single-factor password access is not safe for internet-facing perimeter systems.
  5. Patch and harden
     • Upgrade to the latest supported FortiOS and related Fortinet releases using Fortinet's recommended upgrade path. Follow Fortinet's best-practice hardening guidance, including storing administrator credentials with PBKDF2 (see References below).
  6. Enable Fortinet integrations for Sophos MDR/XDR (where possible)
     • Give MDR visibility into activity on Fortinet appliances by sending telemetry from those appliances to Sophos MDR via the Sophos Central Firewall integration pack. This may require additional licensing.

What Sophos MDR (Managed Detection and Response) is Doing

Sophos MDR has had access to intelligence on this campaign and has been conducting threat hunts since early this week.

Cases have been raised for customers we have been able to identify as impacted. However, we urge all Fortinet customers to follow the above guidance, given the potential for telemetry gaps and visibility blind spots (due to missing or misconfigured integrations, incomplete rollouts, and similar).

Additionally, Sophos MDR has relevant, preexisting detections for Fortinet appliances that identify behaviors exhibited by the actor(s) behind this campaign; these detections predate the campaign and the intelligence related to it. They depend on the Fortinet integrations being enabled in Sophos Central.

Sophos researchers are continuing to investigate the targeting of Sophos Firewall appliances in this campaign. We will communicate additional findings and/or reach out to affected customers where appropriate.

Sophos MDR will continue to actively monitor for signs of compromise activity that can be linked to this campaign, as well as monitor and action intelligence as it emerges. We will notify customers should any suspicious or malicious behavior be observed in your estate(s).

References