Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 19, 2026 · 5 min read

FortiBleed Exposed 73,000 VPN Passwords Across 194 Countries

A threat actor published plaintext VPN credentials scraped from 73,000 Fortinet firewall appliances in a public dump. The credentials were stolen years ago via CVE-2022-40684 — a path traversal flaw that many organizations never patched.

A dataset containing plaintext VPN usernames, passwords, and device IP addresses for 73,000 Fortinet firewall appliances across 194 countries appeared on a cybercriminal forum in June 2026. The dump — tagged "FortiBleed" by researchers — traces back to exploitation of CVE-2022-40684, a path traversal vulnerability in FortiOS that Fortinet patched in October 2022. The gap between patch release and active exploitation was days. The gap between active exploitation and public credential dump was years. Organizations that did not patch in 2022 now have their network credentials circulating freely.

Key Takeaways

  • 73,000 Fortinet FortiGate VPN appliances across 194 countries had credentials published in a public dump in June 2026.
  • The root cause is CVE-2022-40684, a path traversal flaw in FortiOS that allowed unauthenticated attackers to read and modify configurations including admin credentials.
  • Credentials were scraped during an active exploitation wave in late 2022; the same data has been circulating in private criminal forums for years before the public release.
  • Even patched appliances may be compromised: credentials harvested before patching remain valid unless explicitly rotated after the patch.
  • Organizations should assume any FortiGate deployed in 2022 without confirmed credential rotation is compromised and treat the incident as an active breach, not a historical near-miss.

What Is CVE-2022-40684?

CVE-2022-40684 is an authentication bypass vulnerability in the management interface of FortiOS, FortiProxy, and FortiSwitchManager. An attacker with network access to the management interface can send a crafted HTTP or HTTPS request that bypasses authentication entirely, giving them the ability to read the device configuration — including stored VPN credentials — or modify it to add unauthorized admin accounts.

Fortinet assigned the vulnerability a CVSS score of 9.8 (Critical) and released patches in FortiOS 7.0.7 and 7.2.2. The company also issued an emergency advisory urging immediate patching and recommending that organizations with internet-exposed management interfaces treat themselves as already compromised. CISA added CVE-2022-40684 to its Known Exploited Vulnerabilities catalog within days of the advisory — a designation that requires federal agencies to patch within a specified timeframe.

Network firewall appliances in a server rack with warning lights

Why Did It Take Three Years for These Credentials to Go Public?

The June 2026 public dump almost certainly does not represent the first use of these credentials. The standard lifecycle for a high-value credential dump involves initial exploitation for private use (ransomware staging, espionage access, credential resale to closed markets), followed by eventual publication once the credentials have been largely exhausted or superseded. The FortiBleed dataset likely passed through multiple ransomware affiliate groups and initial access brokers before appearing in a public forum.

This pattern means organizations affected by the dump face two distinct problems: the immediate risk from public credential exposure, and the much harder-to-assess question of whether their networks were already penetrated years ago. A threat actor who used FortiBleed credentials to establish persistent access in 2022 or 2023 may have maintained that foothold through separate, harder-to-detect mechanisms long after the original VPN credentials were rotated.

What Organizations Are in the Dump?

The dataset includes IP addresses for affected appliances. Security researchers at several threat intelligence firms have begun geolocating affected IPs; the highest concentrations are in the United States, Germany, India, and the United Kingdom, reflecting both the density of Fortinet deployments in those countries and the broad attack surface that internet-exposed management interfaces create.

Critical infrastructure organizations — energy utilities, healthcare networks, and financial services firms — appear in the data, according to analysis by Shadowserver Foundation. Shadowserver has been notifying affected network owners through its abuse contact notification service. Organizations that have not received a Shadowserver notification should not interpret silence as safety: not all IP addresses map cleanly to reachable abuse contacts.

The ServiceNow zero-auth API breach in June 2026 involved a similar pattern: credentials and configurations exposed through unpatched vulnerabilities, harvested at scale, and exploited against organizations that had not closed the window. The recurring theme is that the vulnerability lifecycle has a long tail — organizations that patch late still inherit the credential exposure window from before they patched.

What Should Affected Organizations Do Now?

If your organization deployed FortiGate VPN appliances in 2022 — even if you patched CVE-2022-40684 promptly — treat the following as mandatory:

  • Rotate all credentials immediately. VPN user credentials, admin passwords, and API keys associated with affected appliances should be treated as compromised regardless of patch status. Credentials harvested before patching remain valid until rotated.
  • Audit for unauthorized admin accounts. CVE-2022-40684 allowed attackers to create new admin accounts. Check your FortiGate admin user lists against your provisioning records and remove any accounts that cannot be attributed to authorized personnel.
  • Review logs from Q4 2022 onward. Look for anomalous management interface access, unexpected configuration changes, and outbound connections to IPs not in your baselines. Assume the initial access predates your patch date.
  • Restrict management interface exposure. The management interface should never be reachable from the internet. If it was in 2022, apply a network-level block and confirm it is currently inaccessible from external IPs.
  • Check against Shadowserver notifications. Contact Shadowserver at shadowserver.org if you have not received notification and want to verify whether your IP addresses appear in the dataset.

The Persistent Problem of Unpatched Network Infrastructure

Fortinet's CVE-2022-40684 advisory was explicit: patch immediately, restrict management interface access, assume compromise if the management interface was internet-exposed. Despite this, tens of thousands of organizations did not patch within the exploitation window. The reasons are structural — network appliances are harder to patch than servers, maintenance windows require downtime, and VPN appliances in particular are high-availability systems where patching means service interruption.

The June 2026 Microsoft Patch Tuesday release included multiple network infrastructure CVEs with similar severity scores. The FortiBleed timeline is a concrete illustration of what delayed patching costs, measured not in weeks but in years of residual exposure. The credentials that appeared in a public forum in June 2026 were the same credentials scraped in October 2022 — and may have been actively used for network compromise throughout the intervening period.

For security teams, the operational lesson is not "patch faster" in the abstract — it is "treat credential rotation as a mandatory companion to patching on any authentication-bearing system." A patch closes the vulnerability. It does not invalidate credentials that were already harvested before the patch was applied. Those must be rotated explicitly, and that rotation must be verified.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.