Fortibleed: What we know and how N‑able is responding
By N‑able
Bottom line
N‑able’s Adlumin MDR and Nightscope Threat Research teams have reviewed publicly available indicators related to a large list of potentially compromised Fortinet devices, known widely as the Fortibleed list.
Using those indicators and Adlumin investigation tools, we performed reviews of our customer and partner telemetry to identify evidence of possible impact. Our MDR team has begun outreach to customers and partners based on findings that emerge from our analysis of available data. We will continue to monitor and engage, providing guidance and support to those we believe were impacted.
Additionally, we have implemented detection logic to monitor for further activity that might match patterns of behavior indicative of malicious activity.
We will continue to follow the situation for any further developments to these findings.
Background
Security researchers recently identified a directory open to the public internet appearing to contain a vast number of Fortinet device credentials. The researchers assert that the bad actors performed mass scans and brute force login attempts against Fortinet devices. According to these researchers, after a successful compromise using that mass scan and brute force, the adversaries captured hashed Fortinet credentials by listening in on network traffic. These hashed credentials were then “cracked” to reveal the plaintext login details. This would allow unauthorized access to SSL VPN using valid account credentials.
Some researchers say, more than 70,000 Fortinet devices may have been affected by this campaign.
Best practices
Although there is no definitive evidence that any disclosed Fortinet vulnerability was exploited for this campaign, we highly recommend that organizations apply security fixes to network edge devices in a timely manner.
Similarly, best practices call for all default remote management and administration credentials to be changed before network devices are put into use.
If supported on your network access control or VPN technology, we also recommend implementing device posture assessments, endpoint compliance checks, or zero trust network access controls to ensure only known and authorized endpoints can access your internal network resources.
Additionally, an advisory around hardening best practices for Fortinet devices has been published by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) in response to the Fortibleed events.
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.
Originally published: June 19th, 2026