Am I affected?

Check your exposure now. The following third-party tools let you enter your domain to see whether it appears in the compromised dataset:


You may be at risk if several or all of the following apply:

  • You operate FortiGate firewalls with the management interface or SSL VPN portal reachable from the internet.

  • You are running FortiOS firmware older than 7.6.1, 7.4.8, or 7.2.11 (the releases that introduced PBKDF2 password hashing).

  • You have not enforced multi-factor authentication (MFA) on administrator accounts.

Is this a Fortinet vulnerability? Is there a CVE?

No CVE is attributed to the primary attack vector. The core threat is credential-based: attackers authenticate to exposed management interfaces with stolen or leaked credentials, brute-force the accounts they lack, and crack harvested password hashes with GPU-accelerated tooling. The mechanism is not exploitation of a Fortinet software flaw.

Security researchers have noted signals that additional exploitation techniques may emerge, including an underground auction post referencing a CVE "soon to be closed" and indications that the group is working toward at least one undisclosed zero-day. Treat these as developing, unconfirmed factors rather than the current mechanism.

Bottom line: Patching alone is not sufficient. Because the threat is credential-based, effective protection requires credential rotation, MFA enforcement, and removing management interfaces from direct internet exposure.


What you should do now


  1. Check your exposure using the lookup tools listed above.

  2. Restrict management-interface access. Remove FortiGate management interfaces and SSL VPN portals from direct internet exposure immediately.

  3. Rotate all credentials — VPN, firewall admin, and any service accounts on FortiGate devices.

  4. Enforce MFA on all external gateways and administrative interfaces, without exception.

  5. Upgrade FortiOS to 7.6.1+, 7.4.8+, or 7.2.11+, then have every administrator log in after the upgrade. The login is required to convert the legacy SHA-256 password hash to PBKDF2 — pushing firmware alone does not remediate this.

  6. If you find suspicious logins, assume full compromise. Check for unauthorized/backdoor admin accounts, review firewall rule changes, and investigate Active Directory for signs of lateral movement. Consider device replacement in severe cases.

  7. Block known attacker infrastructure. Trend Micro publishes the associated indicators of compromise (see "Indicators of compromise" below).
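Step 6 above is the one most teams need tooling for: deciding which admin logins are suspicious and whether an unexpected admin account was added. The script below is an added example and is not code from the original page or from Trend Micro. It parses FortiOS-style key=value event logs and applies three rules that map onto the activity this page describes: a burst of failed admin logins from one source (brute force or credential stuffing), a successful admin login from outside the trusted management network (escalated when that source failed earlier, the signature of a guessed or cracked credential that finally worked), and any create or edit of a `system.admin` object (a possible backdoor account). The sample log lines, the `10.20.0.0/24` trusted network, the five-failures-in-60-seconds threshold, and the rule names are all constructed assumptions; feed it your own exported event logs and tune the constants.

```python
"""Triage FortiOS event logs for the credential-driven activity described above.

Detection rules (thresholds and the trusted network are assumptions; tune them):
  brute_force     : FAIL_THRESHOLD or more failed admin logins from one srcip inside WINDOW
  untrusted_login : successful admin login from a srcip outside TRUSTED_MGMT
                    (critical when the same srcip failed earlier, i.e. a guessed,
                    stuffed or cracked credential that finally worked)
  admin_object    : any create/edit under system.admin (new or altered admin accounts)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
# Assumption: the only network from which administrators should reach the management plane.
TRUSTED_MGMT = [ip_network("10.20.0.0/24")]

# FortiOS syslog is a sequence of key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (not real device output): field names follow FortiOS
# conventions; every address, account name and timestamp is made up.
SAMPLE_LOGS = """\
date=2026-06-20 time=10:15:01 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=10:15:03 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=10:15:05 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fwadmin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 action="login" status="failed" reason="name_invalid"
date=2026-06-20 time=10:15:07 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=10:15:09 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=10:15:40 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 action="login" status="success"
date=2026-06-20 time=10:16:02 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.45)" srcip=203.0.113.45 msg="Add system.admin backup_svc" cfgpath="system.admin" cfgobj="backup_svc" cfgattr="password[*]accprofile[super_admin]"
date=2026-06-20 time=10:18:00 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" method="https" srcip=10.20.0.5 action="login" status="success"
"""


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict (quotes stripped, ts added)."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def is_trusted(srcip):
    """True when srcip falls inside one of the assumed trusted management networks."""
    try:
        addr = ip_address(srcip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def analyze(lines):
    """Return findings as (rule, srcip, user, detail) tuples in log order."""
    findings = []
    fails = defaultdict(deque)   # srcip -> timestamps of failures inside the sliding window
    flagged_bruteforce = set()   # alert once per source, not once per extra failure
    seen_failure_from = set()    # sources that failed at least once (any time)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        src, user, desc = rec.get("srcip", ""), rec.get("user", ""), rec.get("logdesc", "")
        if desc == "Admin login failed" and "ts" in rec:
            window = fails[src]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > WINDOW:
                window.popleft()
            seen_failure_from.add(src)
            if len(window) >= FAIL_THRESHOLD and src not in flagged_bruteforce:
                flagged_bruteforce.add(src)
                findings.append(("brute_force", src, user,
                                 f"{len(window)} failures within {int(WINDOW.total_seconds())}s"))
        elif desc == "Admin login successful" and not is_trusted(src):
            sev = "critical" if src in seen_failure_from else "high"
            findings.append(("untrusted_login", src, user,
                             f"severity={sev} via {rec.get('ui', '?')}"))
        elif rec.get("cfgpath") == "system.admin":
            findings.append(("admin_object", src, user,
                             f"{rec.get('cfgobj', '?')} {rec.get('cfgattr', '')}".strip()))
    return findings


if __name__ == "__main__":
    for rule, src, user, detail in analyze(SAMPLE_LOGS.splitlines()):
        print(f"{rule:16} src={src:15} user={user:10} {detail}")
```

On the constructed sample this yields three findings: the fifth failure from 203.0.113.45 trips `brute_force`, the later success from the same address is an `untrusted_login` at critical severity, and the `system.admin` edit that follows is the kind of backdoor account step 6 tells you to look for; the `netops` login from the trusted range produces nothing. In production, the `admin_object` rule should be compared against your change records rather than treated as an alert on its own, and the trusted range should match the management allowlist you enforce on the device.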

How TrendAI protects you


The initial compromise phases are credential-based: the attacker abuses native FortiOS CLI commands over SSH and moves laterally through legitimate protocols (SMB, LDAP, Kerberos) without dropping binaries on the FortiGate or on internal endpoints. This makes early-stage activity difficult to detect through file-based methods alone. However, TrendAI provides coverage across several stages of this threat:

  • Post-compromise and ransomware activity: If the attacker progresses to lateral movement or ransomware deployment, TrendAI endpoint and network solutions detect the associated ransomware payloads and post-compromise tooling.
  • TrendAI Vision One Emerging Threat entry: A dedicated entry covers this campaign and its tooling. Vision One customers can use it alongside the published hunting queries to search their environment.
  • Hunting queries: TrendAI Vision One provides hunting queries to detect outbound connections to known FortiBLEED infrastructure.
  • Observed Attack Techniques (OAT) and container runtime coverage: Detections are in place for the reconnaissance and discovery techniques used in this campaign, including mass-scanning activity and domain account discovery:
    • OAT: Existing filter detections: Masscan scanning (F14784 / High), Masscan network scanner usage (F4680 / Medium), domain account discovery via ldapsearch (F5847 / Low), network discovery tool installation (F13448 / Low), suspicious Unix package installs (F4681 / Low)
    • Workbench Alert: Masscan searching for Docker ports across Class A-sized CIDR range (High)
    • FRM Container (Falco): Masscan scanning (F14784 / High), network scanning tool execution in container (F15490 / Low)



Is this connected to ransomware?


Yes. As of late June 2026, security researchers (SOCRadar) established a direct link between the FortiBLEED operators and the INC Ransom and Lynx ransomware-as-a-service operations, including a single operator managing negotiation panels for both groups. At least 12 ransomware deployments stemming from FortiBLEED-derived access have been confirmed, and the operation is assessed to involve roughly 20 personnel in a hierarchical structure.

This significantly raises the urgency: FortiBLEED access is not only being sold — it is being directly weaponized for ransomware, with confirmed full-domain compromise and administrator-level access at hundreds of organizations across 150+ countries.


Is the campaign still active?

Yes. As of the latest reporting, the campaign remains active. Attacker infrastructure continues to operate, sniffer deployments on compromised FortiGate devices are ongoing, and underground auctioning of FortiBLEED-derived access confirms continued monetization. Researchers have indicated a forthcoming technical whitepaper on the group's use of AI tooling for vulnerability research.


Indicators of compromise (IOCs)

TrendAI maintains a current IOC set for this campaign, including file hashes for known attacker tooling and attacker infrastructure IP ranges. TrendAI Vision One customers can access the IOCs and detection mappings through the Emerging Threat entry and hunting queries in their console.