You patched your Fortinet devices. You got the compliance dashboard green. You moved on. And then FortiBleed arrived to explain why that wasn't enough. On June 18, 2026, Australia's Cyber Security Centre issued a critical alert: a Russian-speaking criminal group had cracked 73,932 verified, working administrator credentials for Fortinet devices across 194 countries — and the majority of those devices were already running patched firmware. Welcome to the most uncomfortable cybersecurity lesson of 2026.
How They Did It — Without Exploiting a Single New Vulnerability
There is no CVE number attached to FortiBleed. The threat actors didn't find a new zero-day. Instead, they exploited a structural gap in how Fortinet migrated its password hashing algorithm. Fortinet introduced PBKDF2-based password hashing — a stronger algorithm replacing legacy SHA-256 — in FortiOS versions 7.2.11, 7.4.8, and 7.6.1. The critical catch: when an organisation upgrades to a PBKDF2 version, existing admin credential hashes are NOT automatically re-hashed. They stay stored as SHA-256 until each individual administrator logs in after the upgrade. The Russian group systematically extracted SSL VPN configuration files from internet-exposed FortiGate devices, then ran the legacy SHA-256 hashes through a 45-GPU Hashtopolis cluster executing 1.16 billion cracking attempts per second. The result: 73,932 working passwords for real admin accounts.
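To make the migration gap concrete, here is an added Python example (not Fortinet code, and not FortiOS's actual credential format, salt handling or PBKDF2 parameters). It models a credential store in which legacy entries hold a single salted SHA-256 digest, the upgrade to PBKDF2 can only happen inside a successful login because the plaintext is needed to compute the new hash, and an audit function lists the accounts that are still on the old scheme after the firmware upgrade. The scheme labels, the 600,000-iteration work factor and the account names and passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative work factor for the stronger scheme (an assumption for this demo,
# not Fortinet's actual PBKDF2 parameters).
PBKDF2_ITERATIONS = 600_000
LEGACY = "sha256-legacy"
MODERN = "pbkdf2-sha256"


@dataclass
class StoredCredential:
    scheme: str
    salt: bytes
    digest: bytes
    iterations: int = 1  # one SHA-256 pass for the legacy scheme


def _legacy_digest(password: str, salt: bytes) -> bytes:
    # A single salted SHA-256 pass: cheap for the device to verify,
    # and just as cheap for an offline guessing rig.
    return hashlib.sha256(salt + password.encode()).digest()


def _modern_digest(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2 repeats HMAC-SHA256 `iterations` times, raising the cost of every guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_legacy(password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential(LEGACY, salt, _legacy_digest(password, salt))


def store_modern(password: str) -> StoredCredential:
    salt = os.urandom(16)
    digest = _modern_digest(password, salt, PBKDF2_ITERATIONS)
    return StoredCredential(MODERN, salt, digest, PBKDF2_ITERATIONS)


def verify_and_migrate(store: dict, user: str, password: str) -> bool:
    """Check a login attempt. If it succeeds against a legacy hash, re-store the
    credential under the modern scheme. This is the only point at which the upgrade
    can happen: a stored digest cannot be converted without the plaintext password."""
    cred = store.get(user)
    if cred is None:
        return False
    if cred.scheme == LEGACY:
        ok = hmac.compare_digest(_legacy_digest(password, cred.salt), cred.digest)
    else:
        ok = hmac.compare_digest(
            _modern_digest(password, cred.salt, cred.iterations), cred.digest
        )
    if ok and cred.scheme == LEGACY:
        store[user] = store_modern(password)  # opportunistic re-hash on successful login
    return ok


def audit_legacy_accounts(store: dict) -> list:
    """The post-upgrade completeness check: accounts whose stored hash is still legacy."""
    return sorted(user for user, cred in store.items() if cred.scheme == LEGACY)


def build_demo_store() -> dict:
    # Constructed sample accounts, all created before the firmware upgrade.
    # A firmware upgrade changes nothing here: the entries stay exactly as they are.
    return {
        "admin": store_legacy("constructed-pw-1"),
        "backup-admin": store_legacy("constructed-pw-2"),
        "noc-ops": store_legacy("constructed-pw-3"),
    }


if __name__ == "__main__":
    store = build_demo_store()
    print("still on legacy hash after upgrade, before any login:", audit_legacy_accounts(store))
    verify_and_migrate(store, "admin", "constructed-pw-1")
    print("still on legacy hash after admin re-authenticates:", audit_legacy_accounts(store))
```

The point the audit function makes is that "upgraded firmware" and "migrated credentials" are two different states: the second one is reached one successful login at a time, and the accounts used least often (break-glass and backup administrators) are exactly the ones that stay on the old hash longest.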
Who Is on the List
The scale and target profile are what elevate this from a typical breach to a strategic intelligence event. Among the 73,932 cracked credentials: accounts at Fortune 500 companies, confirmed government agencies, and NATO contractors across 194 countries. The ACSC alert notes that post-access deployment includes LDAP, RADIUS, and Active Directory network sniffers — meaning successful access is being used to harvest further credentials across the broader corporate network, not just the Fortinet device itself. If you're in financial services, critical infrastructure, or any sector that connects to international supply chains, the probability that a partner or vendor is on this list is not zero.
The Governance Failure No Dashboard Caught
This is the story within the story. Every organisation that patched to FortiOS 7.4.8 or later and checked that box on its vulnerability management dashboard believed it had addressed the security debt. The patch manager was correct — the latest FortiOS does use stronger hashing. What the patch manager missed: completing the migration requires every individual administrator account to re-authenticate after the upgrade. In a large enterprise with dozens of Fortinet devices and multiple admin accounts on each device, that follow-through is an active operational task, not a passive outcome of patching. Most organisations never did it. FortiBleed found them.
What You Need to Do Right Now
The ACSC alert is explicit about the required response. First: use Hudson Rock's free FortiBleed credential lookup tool (search 'Hudson Rock FortiBleed lookup') to check whether any of your organisation's Fortinet device credentials appear in the cracked database. Second: immediately force re-authentication for every administrator account across your entire Fortinet fleet — not a password reset, but a verified, confirmed re-login to each device after the PBKDF2 upgrade. Third: verify completion. Until every admin account has logged in post-upgrade, the legacy SHA-256 hash remains the stored credential, regardless of your FortiOS version. Fourth: review VPN access logs from the past 90 days for anomalous admin access patterns.
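For the fourth step, here is an added Python example (mine, not from the ACSC alert, Hudson Rock or Fortinet) that runs three checks over a handful of constructed administrator-login log lines. The simplified key=value line format, the field names, the user names and the addresses (RFC 5737 documentation ranges) are assumptions, not FortiOS's actual log schema. The review window is the most recent 90 days of the log; everything older forms the per-account baseline of known source addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (an assumption about format, not FortiOS's schema).
SAMPLE_LOG = """\
date=2026-01-14 time=09:12:04 user="admin" srcip=203.0.113.10 action=login status=success
date=2026-02-03 time=08:55:41 user="noc-ops" srcip=198.51.100.7 action=login status=success
date=2026-02-20 time=10:03:19 user="admin" srcip=203.0.113.10 action=login status=success
date=2026-06-19 time=03:14:07 user="admin" srcip=192.0.2.77 action=login status=failure
date=2026-06-19 time=03:14:21 user="admin" srcip=192.0.2.77 action=login status=failure
date=2026-06-19 time=03:15:02 user="admin" srcip=192.0.2.77 action=login status=success
date=2026-06-19 time=03:40:55 user="noc-ops" srcip=192.0.2.77 action=login status=success
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text: str) -> list:
    """Turn key=value lines into dicts with a combined datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        fields["ts"] = datetime.strptime(
            f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
        )
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events: list, review_days: int = 90,
                   burst_window: timedelta = timedelta(minutes=5),
                   burst_failures: int = 2) -> list:
    """Three checks over the review window:
    new-source-ip: a successful admin login from an address never seen for that account
    in the baseline period;
    success-after-failures: a success preceded by repeated failures from the same address
    within a short window;
    shared-source-ip: one address successfully logging into several admin accounts."""
    if not events:
        return []
    cutoff = max(e["ts"] for e in events) - timedelta(days=review_days)

    baseline_ips = defaultdict(set)
    for e in events:
        if e["ts"] <= cutoff and e["status"] == "success":
            baseline_ips[e["user"]].add(e["srcip"])

    recent = [e for e in events if e["ts"] > cutoff]
    findings = []
    users_by_ip = defaultdict(set)
    for i, e in enumerate(recent):
        if e["status"] != "success":
            continue
        users_by_ip[e["srcip"]].add(e["user"])
        if e["srcip"] not in baseline_ips[e["user"]]:
            findings.append({"rule": "new-source-ip", "user": e["user"],
                             "srcip": e["srcip"], "ts": e["ts"]})
        failures = sum(
            1 for p in recent[:i]
            if p["user"] == e["user"] and p["srcip"] == e["srcip"]
            and p["status"] == "failure" and e["ts"] - p["ts"] <= burst_window
        )
        if failures >= burst_failures:
            findings.append({"rule": "success-after-failures", "user": e["user"],
                             "srcip": e["srcip"], "ts": e["ts"]})
    for ip, users in users_by_ip.items():
        if len(users) >= 2:
            findings.append({"rule": "shared-source-ip", "user": ",".join(sorted(users)),
                             "srcip": ip, "ts": None})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f'{f["rule"]:24} user={f["user"]:16} srcip={f["srcip"]} at={f["ts"]}')
```

A single new address for one administrator is routine; the pattern that should be escalated is what the constructed sample shows in combination: a success after a short run of failures, from an address that then logs into a second administrator account. Note that if an account was already compromised before the baseline period, its attacker-controlled address is in the baseline, so the check complements rather than replaces the credential lookup and forced re-authentication in the earlier steps.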
The Broader Pattern Nigerian Organisations Should Recognise
Fortinet products are widely deployed across Nigerian enterprises, banks, telecoms, and government agencies — precisely because they offer enterprise-grade network security at accessible price points for African markets. That makes FortiBleed a Nigerian issue, not just a Western one. The ACSC alert covers 194 countries. If your organisation runs FortiGate VPN or firewall appliances, the 'did we actually complete the credential migration' question needs an answer today, not at the next quarterly security review. Nigerian IT teams: this is your action item for the week.
The 2026 Fortinet Arc That Should Concern Everyone
FortiBleed is the fourth distinct Fortinet security event of 2026: AI-assisted automated exploitation in February, FortiClient EMS exploitation in June, FortiSandbox exploitation on June 15, and now FortiBleed on June 18. This is not a single bad year for one vendor — it is a systematic signal that any vendor whose products hold administrative network access at scale has become a structured research target. The lesson for every security team is to treat your perimeter and VPN infrastructure with the same active defence posture you apply to your most sensitive application workloads.
Has your organisation audited its Fortinet admin credential migration status? What's your process for ensuring post-patch follow-through actually happens?
Originally featured on Help Net Security