A Russian-speaking cybercriminal syndicate has quietly harvested verified administrator and VPN credentials from 86,644 Fortinet FortiGate firewalls across 194 countries, exposing roughly half of all internet-facing Fortinet perimeter devices in what researchers are calling the largest industrialized credential-harvesting campaign in Fortinet’s history. The incident, dubbed FortiBleed, surfaced publicly on June 13, 2026, when security researcher Volodymyr “Bob” Diachenko stumbled onto an exposed threat actor server hosting a growing database of validated credentials alongside automated attack tooling. By June 19, 2026, the confirmed device count had climbed to 86,644 unique compromised devices.

CISA issued an emergency advisory on June 18, the UK National Cyber Security Centre (NCSC) published a global warning, and Fortinet’s own Product Security Incident Response Team (PSIRT) issued a formal blog post, all within a six-day window. Samsung, Siemens, Oracle, DHL, Accenture, Infosys, and Foxconn are among the named organizations in the exposed dataset. A Turkish NATO defense contractor suffered confirmed exfiltration of classified defense documents. FortiBleed has no single CVE number, because it is a credential-harvesting campaign rather than a newly disclosed software flaw. But its operational sophistication (a 45-GPU cracking cluster, credentials organized by sector and revenue, and active dark-web trading) places it firmly in the category of nation-state-grade offensive infrastructure.

What Is FortiBleed?

FortiBleed is a large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways. The name reflects the “bleeding” of valid administrative and VPN credentials from perimeter devices that many organizations believed were secure. Unlike a zero-day exploit, FortiBleed does not rely on a newly discovered software vulnerability. Fortinet’s PSIRT says the activity involves threat actors reusing credentials from prior incidents (referenced internally as FG-IR-26-060 and FG-IR-25-647) combined with brute-force techniques against devices that have weak password hygiene and no multi-factor authentication.

The root cause is a specific weakness in FortiOS credential management. When administrators upgrade FortiOS from older firmware versions, administrator passwords remain stored as SHA-256 hashes with salt until the administrator manually logs in after the upgrade. This older storage format is substantially more vulnerable to offline cracking than the PBKDF2 method with randomized salt that Fortinet introduced in early 2025. Attackers specifically targeted devices where this post-upgrade credential refresh had not occurred, meaning fully patched hardware on recent firmware could still carry crackable credentials inherited from an earlier configuration state. Kevin Beaumont, a senior security researcher who analyzed the dataset, confirmed this directly: “Many of the devices sampled are on fairly recent patches. The data appears to have come from exports of config from the devices, as it includes things which are only visible from the device itself.”

How Researchers Discovered the Dataset

Diachenko, operating independently, identified a publicly exposed threat actor server on June 13, 2026. The server hosted a structured database of validated FortiGate credentials alongside automation scripts and tooling the syndicate used in the harvesting operation. He immediately published his findings and attributed the campaign to a Russian-speaking threat group. Security firms Recorded Future, Field Effect, SOCRadar, Hudson Rock, Bitsight, and Arctic Wolf independently validated portions of the dataset within 48 hours.

Recorded Future analyzed 73,932 unique FortiGate firewall URLs across more than 21,600 domains. Beaumont and Hudson Rock subsequently confirmed the credentials were authentic through controlled verification with affected organizations. By June 16, SOCRadar and Hudson Rock formally disclosed the FortiBleed campaign analysis. CISA added the campaign to its advisory catalog on June 18, and UK NCSC issued a global alert the same day, framing FortiBleed as a “global campaign targeting internet-facing Fortinet firewalls and VPN gateways using methods including brute-force, dictionary attack, and credential stuffing.”

How Attackers Built 86,644 Credentials: A 7-Step Playbook

FortiBleed was not opportunistic. SOCRadar’s analysis identified a professionalized seven-step productization lifecycle that transformed mass scanning into a precision targeting tool for ransomware groups and initial access brokers.

  • Mass scanning: The syndicate scanned 59.3 million internet-connected hosts to fingerprint 437,000 FortiGate devices. Ports targeted included the default HTTPS port 443 for SSL VPN interfaces plus non-standard ports 4443, 8443, and 10443, capturing both default and custom deployment configurations.
  • Authentication hash interception: Threat actors intercepted SSL VPN authentication hashes from identified targets during login attempts or configuration extraction operations linked to prior vulnerability exploitation.
  • Offline cracking at scale: A dedicated 45-GPU cluster managed via Hashtopolis broke SHA-256 password hashes in bulk. Recorded Future documented approximately 1.16 billion credential attempts against 320,777 FortiGate targets during the campaign’s active phase.
  • Validation: The syndicate verified cracked credentials against live devices before adding them to the dataset. More than 30,791 credentials passed live validation in one analyzed subset.
  • Dataset indexing: Credentials were organized by organization revenue, industry vertical, and geography, converting a raw credential leak into a precision sales inventory for follow-on attackers.
  • Underground monetization: The dataset was offered on Russian cybercrime forums and Telegram channels, with tiered pricing based on target value. Bitsight confirmed at least one active seller operating on a Russian criminal forum as of mid-June 2026.
  • Follow-on intrusion: Buyers used purchased credentials to pivot into internal Active Directory environments, deploy post-exploitation tunneling tools, and stage ransomware operations against high-value targets.

Ensar Seker, CISO at SOCRadar, described the operation in stark terms: “This is not a routine credential dump. It is an industrialized harvesting operation that ended in real exfiltration, including from a NATO-aligned defense contractor. That is exactly why we are putting the most complete view of this incident into defenders’ hands.”

The SHA-256 Hash Cracking Operation Behind FortiBleed

The technical core of FortiBleed is an offline password cracking operation that exploited a legacy weakness in FortiOS credential storage. Fortinet switched from SHA-256 with salt to the more hardened PBKDF2 scheme in early 2025 for newly set passwords. However, FortiOS does not automatically re-hash existing credentials during a firmware upgrade. Any administrator who set a password before the PBKDF2 transition and did not manually log in and reset credentials after upgrading was still storing credentials under the older, weaker format, even on a fully current firmware version.
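The refresh gap described here and in the root-cause section above, as an added illustration that is not Fortinet's code or storage format: a generic admin credential store keeps salted-SHA-256 records across a "firmware upgrade" and re-hashes a record under PBKDF2 only when that account next logs in successfully, with an audit helper listing the accounts still in the legacy format. The record layout, the PBKDF2 work factor and the sample account names are assumptions.

```python
"""Model of the post-upgrade credential refresh gap described above.
Assumptions (not from the page): record layout, PBKDF2 work factor and the
sample account names are a generic 'salted SHA-256' versus 'PBKDF2 with
random salt' model, not FortiOS's on-device format; no real config is read."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

PBKDF2_ITERATIONS = 600_000   # assumed work factor; the page gives none


@dataclass
class CredentialRecord:
    scheme: str           # "sha256" = legacy salted SHA-256, "pbkdf2" = hardened
    salt: bytes
    digest: bytes
    iterations: int = 1   # 1 for the legacy scheme


def hash_legacy(password: str, salt: bytes) -> bytes:
    """Legacy: one salted SHA-256 round per guess, which is what lets a GPU
    cluster replay candidates against hashes lifted from exported configs."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Hardened: PBKDF2-HMAC-SHA256, random salt, `iterations` rounds per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(password: str, hardened: bool) -> CredentialRecord:
    salt = os.urandom(16)
    if hardened:
        digest = hash_pbkdf2(password, salt, PBKDF2_ITERATIONS)
        return CredentialRecord("pbkdf2", salt, digest, PBKDF2_ITERATIONS)
    return CredentialRecord("sha256", salt, hash_legacy(password, salt))


def check_record(rec: CredentialRecord, password: str) -> bool:
    if rec.scheme == "sha256":
        candidate = hash_legacy(password, rec.salt)
    else:
        candidate = hash_pbkdf2(password, rec.salt, rec.iterations)
    return hmac.compare_digest(rec.digest, candidate)


class AdminStore:
    """A device's admin credential store. `hardened` flips on firmware
    upgrade and affects only passwords hashed from that point on."""

    def __init__(self) -> None:
        self.hardened = False
        self.records: Dict[str, CredentialRecord] = {}

    def set_password(self, user: str, password: str) -> None:
        self.records[user] = new_record(password, self.hardened)

    def firmware_upgrade(self) -> None:
        # Existing records are left untouched on purpose: the device holds no
        # plaintext to re-hash, which is the behaviour the article describes.
        self.hardened = True

    def login(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None or not check_record(rec, password):
            return False          # a failed guess never touches the record
        if self.hardened and rec.scheme == "sha256":
            # Only now is the correct plaintext in hand, so this is the first
            # moment the record can be re-hashed under PBKDF2.
            self.records[user] = new_record(password, hardened=True)
        return True

    def legacy_accounts(self) -> List[str]:
        """Audit helper: accounts whose stored hash is still the cheap one."""
        return sorted(u for u, r in self.records.items() if r.scheme == "sha256")


def demo() -> dict:
    """Passwords set before the transition, firmware upgraded, one admin logs
    in afterwards and one does not; returns the audit result at each step."""
    store = AdminStore()
    store.set_password("admin", "Winter2024!")          # constructed sample values
    store.set_password("vpn-svc", "S3rv1ce-Acct")
    before = store.legacy_accounts()
    store.firmware_upgrade()
    after_upgrade = store.legacy_accounts()             # upgrade alone changes nothing
    store.login("admin", "wrong-guess")                 # failed login: still legacy
    store.login("admin", "Winter2024!")                 # success: re-hashed to PBKDF2
    after_login = store.legacy_accounts()
    store.set_password("vpn-svc", "N3w-R0tated-Secret")  # forced reset closes the gap
    after_reset = store.legacy_accounts()
    return {"before": before, "after_upgrade": after_upgrade,
            "after_login": after_login, "after_reset": after_reset,
            "admin_scheme": store.records["admin"].scheme}
```

The `after_upgrade` snapshot is the whole point: both accounts are still in the legacy format after the upgrade, and only a successful login or a forced password reset moves them.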

The 45-GPU cluster managed via Hashtopolis allowed the syndicate to crack SHA-256 hashes at scale across hundreds of thousands of device configurations extracted through prior vulnerabilities and brute-force sessions. The credential types exposed in the dataset break down as: generic admin accounts (35%), built-in Fortinet system accounts (28.3%), and organization-specific accounts (36.7%). The first two categories together represent 63.3% of the total, almost entirely default or semi-default credentials that many administrators never changed from factory settings or initial deployment configurations.

Beaumont also flagged the management interface exposure problem: “In a majority of cases, the FortiGate Management Interface is exposed to the internet on impacted devices.” This is a foundational network hygiene failure, and it amplified the damage of FortiBleed by removing the air gap that would have limited attacker access to internal management surfaces even after credential compromise.

Geographic Breakdown: India and the US at the Center

The FortiBleed dataset spans 194 countries, making it one of the most globally distributed credential exposure events in cybersecurity history. Field Effect’s analysis places the highest concentration of exposed credentials in India, the United States, and Mexico. The Hacker News and CISA advisories cite a top five of India, the US, Mexico, Colombia, and Thailand. Both analyses converge on India and the US as the primary targets by volume, reflecting the size of Fortinet’s enterprise customer base in those markets.

The geographic precision of the dataset underscores the syndicate’s commercial intent. By tagging each credential set with country, sector, and estimated organization revenue, the operators created a product suitable for resale to ransomware affiliates who specialize in specific geographies. An affiliate group targeting North American healthcare, for example, could purchase a filtered credential list for that specific vertical without needing to acquire or operate scanning infrastructure independently. This marketplace efficiency is what Bitsight analysts describe as the shift toward an “operational access-as-a-service model” rather than traditional one-time breach activity.

Industries in the Crosshairs

SOCRadar’s sector analysis of the US-centric subset identified healthcare as the single most exposed vertical, representing 26.7% of affected device count. Technology companies and financial services both came in at 21.3%. The CISA advisory and Hacker News reporting, drawing from a global data cut, identified telecom, government, and education as the top three impacted sectors, with critical infrastructure as a secondary priority target for the syndicate’s follow-on intrusion buyers.

Sector                                  | Share of Exposed Devices | Primary Risk
----------------------------------------|--------------------------|---------------------------------------------------
Healthcare                              | 26.7% (US subset)        | HIPAA data, ransomware disruption of care delivery
Technology                              | 21.3% (US subset)        | Source code, IP, supply chain pivot to customers
Financial Services                      | 21.3% (US subset)        | Payment data, fraud, wire transfer diversion
Government                              | High (global cut)        | Classified data, national security, espionage
Telecommunications                      | High (global cut)        | Communications interception, network-level access
Education                               | Moderate (global cut)    | Research data, student PII, limited security budgets
Manufacturing / Critical Infrastructure | Moderate                 | OT/ICS adjacency, ransomware production disruption

Hudson Rock framed the sector breadth in terms that underscore systemic risk: “The scale of this breach touches nearly every sector of the global economy, sparing no industry. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”

Named Organizations: Samsung, Siemens, Oracle, and More

Help Net Security’s reporting confirmed that the FortiBleed dataset contains credentials linked to a number of globally recognized organizations. Confirmed or reported names include Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, Infosys, and Fortinet itself. Government agencies and critical infrastructure operators appear alongside these corporate names in the exposed dataset. The inclusion of Fortinet’s own credentials in a dataset of Fortinet customer credentials reflects an irony the cybersecurity industry found particularly striking.

None of these organizations have publicly confirmed the specific nature of data exposed or follow-on incidents as of June 21, 2026. However, the presence of verified live credentials for devices belonging to these organizations means that even without a confirmed downstream breach, the attack surface is open for any buyer of the dataset to exploit. This is the mechanism that distinguishes FortiBleed from a historical data dump: the credentials were validated against live devices, meaning the threat is present-tense, not past-tense. Security teams at these organizations cannot treat FortiBleed as a closed incident until they have rotated every credential and audited every authentication log for the June 1 through June 21 window.

The NATO Contractor Breach: Classified Documents Exfiltrated

The most severe confirmed impact from FortiBleed involves a Turkish NATO defense contractor whose classified defense documents were exfiltrated by the threat syndicate. Diachenko disclosed this directly in his initial reporting: “At least four organizations across Japan, Taiwan/Vietnam, Iraq, and Turkey were fully compromised, including a Turkish NATO defense contractor whose classified defense documents were exfiltrated.”

The specific nature of those classified documents has not been publicly disclosed. The significance of this breach extends beyond the Turkish contractor itself: NATO-adjacent document exfiltration by a Russian-speaking threat group, in a geopolitical environment defined by active Russian offensive operations in Ukraine and sustained Russian intelligence targeting of NATO infrastructure, raises the possibility that FortiBleed has a strategic intelligence collection dimension operating in parallel with its commercial credential-trafficking activity. SOCRadar’s analysis of the dataset noted it was indexed for both commercial resale and “high-impact pivots,” a phrase that aligns with a dual intelligence-gathering and ransomware-enablement profile.

The four confirmed full compromises span four distinct geographies: Japan, Taiwan or Vietnam, Iraq, and Turkey. Each represents a different strategic priority. The Asia-Pacific electronics and semiconductor supply chain, Middle Eastern infrastructure, and a NATO member’s defense industrial base are each high-value targets for Russian intelligence services. The geographic diversity of confirmed compromises supports the interpretation that the syndicate serves multiple buyers with distinct targeting requirements rather than operating as a single-purpose ransomware group.

Post-Exploitation Tooling and Underground Trading

Bitsight’s threat intelligence team identified post-exploitation tooling associated with FortiBleed-derived access. The primary tools observed are Chisel and Neo-reGeorg, both HTTP-tunneling utilities that allow attackers to route traffic through compromised hosts in ways that blend with normal web traffic. Chisel, a Go-based fast TCP/UDP tunnel, is widely used in penetration testing engagements and by threat actors alike. Its presence in FortiBleed-linked intrusions suggests attackers used compromised firewalls as tunneling relays into internal networks rather than simply harvesting credentials and leaving. EternalBlue, the NSA exploit for Windows SMB vulnerabilities, was also observed in at least some post-exploitation chains, indicating lateral movement attempts through internal Windows environments after firewall access was established.

The underground trading layer adds a second-order risk. Even organizations that patch and reset credentials now face exposure from credentials already sold into criminal marketplaces before the public disclosure on June 13. Bitsight researchers documented active sales on Russian cybercrime forums and Telegram channels, with dataset access structured around tiered pricing based on the revenue and sector of the target organization. This market structure means that the threat from FortiBleed does not end when organizations rotate credentials. Buyers who purchased access before June 13 may have already established persistence through Chisel or Neo-reGeorg tunneling that survives a credential reset entirely.

CISA and UK NCSC Response Timeline

Date              | Event                                                                                                                            | Actor
------------------|----------------------------------------------------------------------------------------------------------------------------------|------------------------
June 13, 2026     | Diachenko discovers exposed threat actor server and publishes initial disclosure; attributes campaign to Russian-speaking group   | Volodymyr Diachenko
June 13–17, 2026  | Recorded Future, Hudson Rock, Beaumont validate dataset; 73,932 unique firewall URLs confirmed                                    | Security researchers
June 16, 2026     | SOCRadar and Hudson Rock publish formal FortiBleed campaign analysis                                                              | SOCRadar / Hudson Rock
June 17, 2026     | Arctic Wolf, Field Effect, Bitsight publish independent analyses; 21,000+ domains confirmed across 194 countries                  | Multiple security firms
June 18, 2026     | CISA issues emergency advisory; UK NCSC publishes global warning; Fortinet PSIRT issues response; count reaches 86,644 devices    | CISA, UK NCSC, Fortinet
June 19, 2026     | The Hacker News, Help Net Security, Recorded Future publish full analysis; named organizations (Samsung, Oracle, Siemens) confirmed | Security press
June 21, 2026     | Active credential trading confirmed on Russian forums; underground sales ongoing                                                  | Bitsight / CISA

CISA’s June 18 advisory outlined specific remediation requirements: terminate all active SSL VPN and administrative sessions, reset all FortiGate VPN and administrative passwords with immediate effect on all internet-facing systems, enforce strong password policies across the entire Fortinet estate, implement MFA on all administrator and VPN user accounts, upgrade to the latest FortiOS 7.4, 7.6, or 8.0 branches, review logs for unauthorized logins and configuration changes, restrict or remove external internet access to management interfaces, and consider replacing devices that show signs of suspicious post-compromise activity.

Fortinet’s Position: Not a New Vulnerability

Fortinet’s PSIRT was careful to draw a distinction between FortiBleed and a software vulnerability disclosure. The company’s official position, published June 19, 2026: “This is not a new Fortinet vulnerability, and this activity is not related to any recent incident or advisory. Based on our initial analysis, we believe the activity involves threat actors reusing credentials from previous incidents and employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication. Upon identifying the incident, we immediately began an investigation, including collaborating with relevant government agencies.”

Fortinet’s framing is technically accurate but operationally contested by the security community. The SHA-256 hash storage weakness for non-refreshed credentials is a design choice rather than a newly discovered software flaw, and the company’s recommendation to upgrade to the 7.4, 7.6, or 8.0 branches specifically addresses the hash format issue by switching new credential storage to PBKDF2. Related CVEs active in the broader FortiBleed context include CVE-2026-24858, an authentication bypass using an alternate path or channel affecting FortiAnalyzer, FortiManager, FortiOS, FortiProxy, and FortiWeb when FortiCloud SSO is enabled, and CVE-2025-59718 and CVE-2025-59719, FortiCloud SSO authentication bypass vulnerabilities tied to improper verification of cryptographic signatures.

Whether Fortinet’s position holds up to regulatory and legal scrutiny remains to be seen. The affected organizations, including government agencies and NATO-aligned defense contractors, may have grounds to argue that Fortinet’s failure to automatically re-hash credentials on firmware upgrade constituted a foreseeable design defect rather than administrator error. That argument has not yet appeared in any public filing as of June 21, 2026.

How FortiBleed Compares to Previous Fortinet Incidents

Fortinet devices have been high-value targets for state-sponsored actors and cybercriminals for years. FortiBleed sits at the top of that historical timeline in terms of scale, but it follows a well-documented pattern of serious prior incidents that security teams at Fortinet-dependent organizations should know.

  • 2019 Fortinet SSL VPN credential leak: A threat actor published plaintext credentials for nearly 500,000 Fortinet VPN accounts, harvested by exploiting CVE-2018-13379, an unauthenticated directory traversal flaw in FortiOS. This incident first demonstrated Fortinet’s value as a target for credential-focused campaigns at scale.
  • CVE-2024-21762 (February 2024): An out-of-bounds write in FortiOS SSL VPN, CVSS 9.6, actively exploited within days of disclosure. Volt Typhoon, a Chinese state-sponsored threat actor targeting critical infrastructure, was among the groups confirmed to have used this flaw for initial access.
  • CVE-2024-55591 (January 2025): An authentication bypass in FortiOS and FortiProxy, CVSS 9.6, allowing unauthenticated attackers to gain super-admin privileges. Exploitation began before the patch was available and CISA issued an emergency advisory within 24 hours of disclosure.
  • FortiBleed (June 2026): No new CVE. Credential compromise affecting 86,644 devices in 194 countries. The largest Fortinet-related security incident by device count in the company’s history, and the first to involve dedicated GPU cracking infrastructure organized for credential marketplace operations.

The trajectory from roughly 500,000 credentials in 2019 to 86,644 verified live device credentials in 2026 shows both the persistence of the threat and the increasing operational sophistication of the threat actors. The 2019 incident relied on a single disclosed CVE. FortiBleed relies on a more complex combination of prior vulnerability exploitation, hash cracking, credential reuse, and brute force, representing a multi-vector approach that is harder to attribute to any single remediation failure.

What Security Teams Must Do Now

If your organization runs any Fortinet FortiGate firewall or FortiOS-based device, CISA, UK NCSC, and Fortinet have all issued the same core remediation guidance. The steps below are not optional if you have internet-facing Fortinet devices in your environment.

  1. Terminate all active sessions immediately. Log out all active SSL VPN and administrative sessions across every internet-facing FortiGate device. Do not wait for scheduled maintenance windows. Every active session is a potential lateral movement path.
  2. Reset all credentials. Change every FortiGate admin password and VPN user password across your entire Fortinet estate. This forces a re-hash under PBKDF2 on updated firmware, eliminating the crackable SHA-256 credentials. Upgrading firmware without resetting passwords does not fix the problem.
  3. Enable MFA on all access paths. Enforce multi-factor authentication for every administrator account and every VPN user account. CISA notes that MFA is the single most effective mitigation against the credential stuffing and brute-force attack types documented in FortiBleed.
  4. Upgrade FortiOS firmware. Update to FortiOS 7.4, 7.6, or 8.0 branches, which use PBKDF2 for new credential storage. Confirm you are on versions above 7.2.11, 7.4.8, and 7.6.1 to be outside the documented affected version range.
  5. Remove management interface internet exposure. Take management interfaces off the public internet. Apply strict access control lists to limit management access to internal jump hosts or dedicated admin networks with no direct internet path.
  6. Audit logs for signs of compromise. Review FortiGate authentication logs, configuration change logs, and VPN session logs for the period June 1 through June 21, 2026. Pay attention to admin sessions from unexpected source IPs, new accounts, and configuration exports.
  7. Check your domain against researcher lookup tools. Field Effect and other firms published lookup capabilities during the disclosure period. Verify whether your domain, email addresses, or usernames appear in the FortiBleed dataset.
  8. Assume post-exploitation if any credential matched. If your organization appears in the dataset, assume that a buyer may have already established Chisel or Neo-reGeorg tunneling persistence inside your network before June 13. Conduct a threat hunt for outbound tunneling traffic before concluding your remediation is complete.
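Steps 6 and 8 above, worked as an added example that is not part of the original advisory: an audit that parses constructed FortiGate-style key=value event lines, keeps only the June 1 through June 21, 2026 window, flags admin logins from outside an admin network allowlist, new admin accounts and configuration exports, then groups findings by source IP so a login-then-account-add-then-export chain from one address stands out as likely post-exploitation. The sample lines, the field names (logdesc, cfgpath, action, srcip, status) and the 10.20.0.0/16 allowlist are assumptions to confirm against your own device's output.

```python
"""Audit of constructed FortiGate-style event logs for the indicators the
steps above name: admin logins from unexpected sources, new admin accounts
and configuration exports inside the June 1-21, 2026 window.
Assumptions (not from the page): the lines in SAMPLE_LOGS are constructed in
FortiGate's key=value syslog style; field names (logdesc, cfgpath, action,
srcip, status) and the admin allowlist are placeholders to confirm against
your own device's output before reusing the rules."""
import ipaddress
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List

WINDOW_START, WINDOW_END = date(2026, 6, 1), date(2026, 6, 21)
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # placeholder jump-host range

SAMPLE_LOGS = """\
date=2026-05-28 time=22:41:55 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.9 action="login" status="success"
date=2026-06-02 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 action="login" status="success"
date=2026-06-02 time=03:16:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="support_tmp"
date=2026-06-02 time=03:19:02 type="event" subtype="system" logdesc="Configuration backup" user="support_tmp" srcip=198.51.100.23 action="backup" status="success"
date=2026-06-10 time=09:00:11 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.20.0.5 action="login" status="success"
date=2026-06-15 time=18:30:45 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.77 action="login" status="failed"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, dropping the quotes."""
    return {k: (quoted if quoted else bare) for k, _, quoted, bare in KV_RE.findall(line)}


def in_window(ev: Dict[str, str]) -> bool:
    return WINDOW_START <= date.fromisoformat(ev["date"]) <= WINDOW_END


def from_admin_network(ip: str) -> bool:
    if not ip:
        return False                       # a missing source is treated as unexpected
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def classify(ev: Dict[str, str]) -> str:
    """Map one event to a finding kind, or '' if it is benign for this audit."""
    external = not from_admin_network(ev.get("srcip", ""))
    if ev.get("action") == "login" and ev.get("status") == "success" and external:
        return "admin_login_unexpected_source"
    if ev.get("action") == "login" and ev.get("status") == "failed" and external:
        return "admin_login_failed_external"   # brute-force visibility
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        return "admin_account_created"
    if ev.get("action") == "backup":
        return "config_export"             # config exports are the hash source Beaumont pointed to
    return ""


def audit(raw_logs: str) -> List[dict]:
    findings = []
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not in_window(ev):
            continue                       # outside June 1-21: not part of this audit
        kind = classify(ev)
        if kind:
            findings.append({"kind": kind, "when": f'{ev["date"]} {ev["time"]}',
                             "user": ev.get("user"), "srcip": ev.get("srcip"),
                             "detail": ev.get("cfgobj", "")})
    return findings


def correlate(findings: List[dict]) -> Dict[str, List[str]]:
    """Sources showing two or more distinct finding kinds: a login followed by
    an account add and a config export is the chain step 8 says to treat as
    post-exploitation, not as a credential problem alone."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["srcip"]].add(f["kind"])
    return {ip: sorted(kinds) for ip, kinds in by_ip.items() if len(kinds) >= 2}
```

On the constructed sample, the May 28 login drops out of the window, the netops login from the admin range is benign, and 198.51.100.23 is the only source that accumulates the full login, account-creation and export chain.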

5 Predictions for FortiBleed’s Aftermath

FortiBleed is an active, evolving situation as of June 21, 2026. The following predictions are grounded in the established pattern of similar large-scale credential exposure events and the specific characteristics of this campaign.

  1. Ransomware deployments will follow within 30 to 60 days. FortiBleed’s dataset is indexed by revenue and sector, which is precisely the targeting intelligence that ransomware affiliate programs use to select high-value victims. Based on the post-exploitation timeline from comparable credential leaks, the highest-revenue targets in the dataset will see ransomware deployment attempts between July and August 2026.
  2. At least three additional NATO-allied government compromises will be disclosed. The Turkish NATO contractor breach was confirmed by the researcher who discovered the dataset. The dataset also contains government credentials across 194 countries. Given the dataset’s active circulation in criminal markets, additional government-sector breaches linked to FortiBleed access will emerge over the next 90 days.
  3. Fortinet will face regulatory action in the EU and the US. The combination of European organizations in the dataset, healthcare’s 26.7% share of US exposure, and the NATO contractor breach creates a multi-jurisdictional regulatory exposure for Fortinet. GDPR fines, HIPAA breach investigations, and potential Congressional inquiries into the SHA-256 design decision are all plausible outcomes within a six-month window.
  4. Competing firewall vendors will see accelerated procurement inquiries. Events of FortiBleed’s scale historically drive evaluation cycles at affected organizations. Palo Alto Networks, Check Point, and Cisco are the most likely beneficiaries of procurement activity triggered by FortiBleed, particularly in the government and healthcare verticals where exposure was highest.
  5. A named attribution to a specific Russian threat group will emerge within six months. The current characterization of “Russian-speaking multi-operator syndicate” is consistent with early-stage attribution. As law enforcement agencies across affected countries analyze the campaign infrastructure, a named group will be publicly attributed. Kevin Beaumont’s analysis noted that “many of the reused credentials come from one specific Russian ransomware group,” which suggests attribution data already exists in private intelligence sharing channels.

Frequently Asked Questions

What is FortiBleed?

FortiBleed is a large-scale credential-harvesting campaign that exposed verified administrator and VPN credentials for 86,644 Fortinet FortiGate firewalls across 194 countries. It was discovered on June 13, 2026, by security researcher Volodymyr Diachenko, who found an exposed threat actor server hosting the stolen dataset alongside attack tooling. FortiBleed is not a single CVE; it is an operational campaign that combined credential reuse from prior incidents, SHA-256 hash cracking via a 45-GPU cluster, and large-scale brute force against internet-facing Fortinet devices.

Is my FortiGate device affected by FortiBleed?

Any internet-facing Fortinet FortiGate device that had administrator or VPN credentials set before Fortinet’s early 2025 PBKDF2 migration and did not have those credentials manually reset after a firmware upgrade may appear in the exposed dataset. Researchers estimated approximately 50% of all internet-reachable FortiGate devices are affected. Check whether your domain appears in published lookup tools, and treat any match as confirmed exposure requiring immediate credential rotation and MFA enforcement regardless of current firmware version.

Does patching FortiOS fix FortiBleed?

Upgrading to FortiOS 7.4, 7.6, or 8.0 is necessary but not sufficient. The firmware update switches new credential storage to PBKDF2, but it does not automatically re-hash existing administrator passwords stored as SHA-256. Organizations must upgrade firmware AND manually reset all credentials after the upgrade to eliminate the crackable hash format. Patching without a password reset leaves the underlying weakness in place for every account that has not logged in since before the PBKDF2 transition.

Who was behind the FortiBleed campaign?

Attribution analysis by Recorded Future, SOCRadar, and Field Effect identifies the threat actors as a Russian-speaking multi-operator cybercriminal syndicate. Bitsight confirmed at least one active seller on a Russian cybercrime forum. Kevin Beaumont noted that many of the reused credentials appear to originate from one specific Russian ransomware group, though formal public attribution to a named group had not been confirmed as of June 21, 2026. The operational sophistication, including dedicated GPU cracking infrastructure and revenue-indexed datasets, places this campaign at the level of organized criminal groups with nation-state-grade resources.

What organizations were named in the FortiBleed dataset?

Researchers confirmed credentials linked to Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, Infosys, and Fortinet itself in the exposed dataset. Government agencies and critical infrastructure operators across multiple countries also appear. A Turkish NATO defense contractor suffered confirmed classified document exfiltration. None of the named private-sector organizations have publicly confirmed the full extent of their exposure as of this writing.

What is the difference between FortiBleed and CVE-2024-21762?

CVE-2024-21762 was a specific software vulnerability, an out-of-bounds write in FortiOS SSL VPN with a CVSS score of 9.6, that allowed unauthenticated remote code execution. It was patched in February 2024. FortiBleed is not a software vulnerability at all; it is a credential-harvesting campaign that exploits weak password hashing inherited from pre-2025 FortiOS versions, combined with credential reuse from prior incidents including CVE-2024-21762 exploitation. The two incidents are related in that CVE-2024-21762 may have contributed credentials to the FortiBleed dataset, but FortiBleed itself does not have an associated CVE number.

What should I do if my organization uses Fortinet firewalls?

Follow CISA’s June 18, 2026, guidance: terminate all active sessions immediately, reset all admin and VPN credentials, enforce MFA across all access paths, upgrade to FortiOS 7.4 or later, remove management interfaces from internet exposure, and audit logs for unauthorized access between June 1 and June 21, 2026. If your domain appears in FortiBleed lookup tools, assume breach and initiate a threat hunt for tunneling persistence using Chisel or Neo-reGeorg before concluding remediation. Organizations in healthcare, government, and critical infrastructure should notify their sector-specific regulatory body of the potential exposure.