Sitting on the beach looking at the Atlantic there are rain clouds out on the horizon and they are not looking like they are going to cool the sands very much. That is fine. The nice man brought me this frozen drink with way not enough rum and way just barely enough fruit. If you have in your head an idea of a sandal wearing Santa Claus in board shorts holding something abysmally not masculine in his fist, you have not missed the boat here. Picture it exactly that way. Now picture that same man squinting at his phone in the glare, ignoring a perfectly good ocean, reading about FortiBleed and feeling the afternoon go cold from the inside out.
Because that is what happened. The drink is sweating in my hand and the clouds are rolling in and I am supposed to be off the clock, and instead I am two days deep into the reporting and the feeling will not leave me. It is the feeling you get out on the water at three in the morning when the wind dies and the boat just sits there and you realize the only sound is your own pulse. Something happened. Something big. And not one of the people who found it can tell you how it started.
The first thing you have to understand about FortiBleed is that the name is a lie. Not a malicious lie. A marketing lie. A lie the way a roadside attraction is a lie, where the billboard promises the world’s largest ball of twine and what you get is a regular ball of twine and a man in a folding chair who wants four dollars. Somebody looked at a pile of stolen passwords, remembered Heartbleed, and decided the rhyme was good enough. Heartbleed bled. This thing did not bleed. This thing got brute forced in a garage somewhere by forty-eight graphics cards screaming into the night, and that is a different kind of horror entirely, the kind that does not need a logo.
They found the body. They found the murder weapon. They found the killer’s workshop with the tools still laid out on the bench. They cannot find the door he came in through. That is where we are. That is the whole story. The rest is just me, with my stupid fruit drink, trying not to look directly at it.
What they actually found
A researcher named Volodymyr Diachenko goes poking around the internet, the way certain people do, and he finds a server sitting out in the open. No lock on it. Just hanging there. And inside this server is a database of usernames and email addresses and passwords in plaintext, which is to say not even scrambled, just sitting there in the clear like cash on a dashboard, for Fortinet VPN accounts belonging to organizations in a hundred and ninety-four countries. A hundred and ninety-four. There are not that many countries that matter and there are barely that many countries at all. This thing touched all of them.
Then Kevin Beaumont gets a look at the wider set through a firm called Hudson Rock, and Beaumont is not a man who scares easily and not a man who exaggerates for sport, and he does the one thing that turns a scary spreadsheet into a four alarm fire. He tries some of the logins. And they work. The administrator passwords are real. The devices are still online. Still reachable. Still sitting at the edge of somebody’s network with the front door unlocked and the keys already photographed.
And then a company called SOCRadar finds the other end of it. They find the operators’ own infrastructure. The scripts. The credential testing rigs. The logs. A victim database sorted by country and by industry and, and this is the detail that should make the hair stand up on your arms, by revenue. Sorted by how much money you make. Like a catalog. Like a menu. Somebody built a menu of seventy-five thousand networks and arranged it so the rich entrees were easy to find.
The number that will not hold still
Here is where I want to be honest with you in a way the headlines are not, because the number is doing a magic trick and I refuse to be the magician’s assistant. You will read seventy-five thousand devices. You will also read seventy-three thousand nine hundred and thirty-two. You will also read eighty-six thousand six hundred and forty-four. Arctic Wolf throws up its hands and says somewhere between thirty thousand and seventy-five thousand, which is the analytic equivalent of a shrug wearing a tie.
The truth, the only number anybody actually stood behind and verified with their own hands, is thirty thousand seven hundred and ninety-one. That is how many credentials SOCRadar tested and confirmed were live. Everything above that is estimate stacked on estimate, and the people doing the estimating will tell you themselves they cannot independently confirm the totals. So when somebody waves seventy-five thousand at you, nod politely and remember the floor is thirty thousand and the floor is the part that is real. The rest is the man in the folding chair telling you the twine is bigger than it looks.
And it was not just firewalls. The same crew, the same automated machine, threw something like two billion login attempts at a hundred and sixty thousand Microsoft database servers on the side. So this was never a Fortinet thing. This was a credential vacuum cleaner pointed at the entire internet, and Fortinet just happened to be the room with the most stuff in it.
The door derived from the doorknob
Now we get to the part that is genuinely, beautifully, stupidly broken, and I mean that with real affection because it is the kind of mistake only smart people make. Fortinet encrypts its configuration files. Good. Sensible. The serial number, here is the funny part, the serial number you need to derive the decryption key is printed right there on the login screen of the device. The lock is strong. The key is taped to the door. You read the serial off the front of the box, you derive the key, you open the config, and now you are holding everything the device knows.
And what the device knows, on a lot of these boxes, were passwords stored with old SHA-256 hashing, which is fast. Fast is wonderful when you are checking whether a file got corrupted. Fast is a catastrophe when you are storing a password, because fast is exactly the thing an offline cracker prays for at night. Fortinet figured this out and switched to PBKDF2, which is slow on purpose, slow the way a good vault door is heavy on purpose. Smart fix. Real fix.
Except the fix had a hole you could drive a boat through. When you upgraded a device, the old fast hashes stayed old and fast until every administrator logged back in. And administrators, being human, do not all log back in. Half of them set the thing up in 2019 and never touched it again. So the new vault door got installed and the old hollow door stayed standing right next to it, and the crackers walked through the old one. To make it worse, even after you do update a password, the old SHA-256 hash gets kept around in a hidden setting for backward compatibility. The vulnerability does not leave. It just moves to the basement and waits.
Beaumont’s read is that the cracking ran on a cluster of graphics cards, reported as either forty-five or forty-eight of them, nobody can quite agree, glued together with an open source tool called Hashtopolis. And I want to flag that disagreement instead of papering over it, because it tells you something. We cannot pin down whether it was forty-five cards or forty-eight cards in the rig. We have counted the killer’s bullets and we are off by three. That is how much fog is sitting on top of this thing. The big shape is clear and every small fact is smeared.
The question at the bottom of the well
So how did they get the config files in the first place. That is the question. That is the whole question. And the answer, from every single party that looked at this, is a unanimous and slightly embarrassed we do not know.
There are three theories and they cannot all be right and they might none of them be right. The first is a known vulnerability, a FortiCloud single sign-on bypass with a CVSS score of 9.4, a number that in this business means call your family. The ugly thing about that one is it worked on devices that were fully patched against the previous round of bypasses. You did everything correctly and you still got robbed. But that feature is off by default and the count of exposed devices running it is too small to explain seventy-five thousand victims. The math does not close.
The second theory is the one that wakes me up. Beaumont floats the idea that there is an unknown vulnerability. A zero-day. A door nobody has found yet, that explains how brand new fully patched devices ended up in the pile. There is no evidence for it except the shape of the hole. It is inference from a silhouette. It is the cold spot in the room that you cannot explain so you stop talking about it and turn on more lights. No such flaw has been confirmed. That is not comforting. The absence of a found door does not mean there is no door. It means nobody has found it yet, and somebody else clearly did.
The third theory, and the most boring and therefore probably the most correct, is that there is no magic at all. Just recycled passwords from old breaches, fed into the machine, working over and over because organizations get robbed and then do not change the locks. SOCRadar leans here. Fortinet leans here, although Fortinet has an obvious interest in this being old news that already happened to somebody else a long time ago. This theory is clean and it explains the database servers too. The only problem is it does not explain the internal email addresses and config details that only come from inside the box, which a password guess could never give you.
So the honest answer, the one I will actually put my name on, is that it is probably all three at once. Some doors known. Some doors unknown. Some keys just stolen years ago and never changed. A convergence. And I hate writing that because convergence is what you say when you do not know, dressed up to sound like you do. I am telling you it is a convergence and I am also telling you that calling it a convergence is partly just the sound a person makes when the evidence runs out. Hold it loosely. It will probably change next week.
Why the password is not the point
Everybody fixates on the credentials and the credentials are not the point. A firewall is not a thing you log into and look around and leave. A firewall sits at the boundary of the network. It is the gate. Get an administrator login to the gate and you do not have a password, you have the keys to the whole compound. You can change the security settings. You can build yourself a backdoor account that looks like it belongs there. You can stand at the edge and watch everything that passes and pick off more credentials and feed those back into the machine, which is exactly what these people built, a thing that eats networks and uses the energy to find more networks. A self-feeding fire.
And the documented next move is the one that turns a bad day into a catastrophe. They pivot off the firewall into the internal directory. Into Active Directory, the thing that decides who is allowed to be who inside your walls. A perimeter break becomes a domain break. The gate becomes the throne room. And it is worst for exactly the organizations that did the lazy thing, the flat network, the same admin password used out front and inside, the management interface hanging out on the open internet where God and everybody can see it. Beaumont says most of the affected boxes had that management interface exposed. Most of them. The barn door was open and we are surprised about the horse.
The part with the classified documents
There is a claim in here that I have to handle carefully, because it is the kind of claim that is either nothing or everything and right now we cannot tell which. Diachenko reported that at least four organizations were fully compromised, including a Turkish NATO defense contractor, and that classified defense documents were allegedly pulled out. SOCRadar said it found credentials for what looked like a defense-industry VPN endpoint.
I am going to say the unsexy thing. This is single sourced. This rests on the researchers who found it and nobody else has confirmed it. So I am writing it down as a claim and not as a fact, and you should read it the same way, with one eyebrow up. Because if it is true, this stops being a big crime and starts being a question about espionage, about who really runs this thing and what they actually wanted, and the loose attribution to a Russian-speaking criminal crew starts to feel like the cover story rather than the answer. But I do not know that. I am telling you what I would watch, not what I have seen. The difference between those two things is the entire job.
This has happened before. It will happen again.
None of this is new, and that is the most depressing sentence in the piece. In January 2025 a crew calling itself Belsen Group dumped configs and credentials for fifteen thousand FortiGates for free, and it turned out that data had been harvested back in 2022 off an old vulnerability and just sat in a drawer for years. Fortinet correctly pointed out it was stale. Censys checked and found that more than half those boxes were still online anyway, still answering, years later, with the locks never changed. Go back further to 2021 and somebody dumped VPN credentials for nearly half a million accounts off a flaw with a patch already available. The patch existed. Nobody applied it.
That is the pattern and it does not change. A known hole. A patch nobody installs. A long tail of devices that get set up once and then orphaned. And credentials that hold their value for years because the one thing organizations will not do, the cheap free thing, the thing that takes an afternoon, is change the password after they have been robbed. FortiBleed is not a new disease. It is the same disease with a new poster.
What to actually do, since I owe you that
I am not going to leave you in the dark with the cold spot, because that is cruel and because the fix is not complicated even if it is not easy. If you run one of these boxes, rotate every administrator and VPN credential right now, today, ahead of the patch cycle, because a strong password is meaningless once the actual password is sitting in plaintext on some stranger’s server. Strength does not matter when they already have the answer. Only changing it matters.
Pull the management interface off the open internet. That single move kills most of the attack surface and most of you never needed it exposed in the first place. Turn on multifactor everywhere so a stolen password by itself is a key that no longer fits. Upgrade the firmware and then, this is the part everybody skips, make every administrator actually log in afterward so the old fast hashes finally die. The fix does not take hold until they log in. And go check your own domain against the free lookup tools Hudson Rock and SOCRadar put out, and if you show up in there, do not treat it as a maybe. Treat it as a yes.
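Two of the points above are worth seeing in code: why a fast hash such as bare SHA-256 is the wrong thing to store a password under, and why an upgrade that migrates hashes only on the next login leaves orphaned administrators on the old scheme (with a hidden copy of the old hash surviving even after migration) until someone audits for it. The following is an added example written for this piece; it is not the author's code and not Fortinet's. The record layout, field names, legacy hash format and PBKDF2 iteration count are all assumptions constructed for illustration, and the sample accounts are invented.

```python
"""Added example (not from the original piece): fast hash vs. slow hash, and an
audit that finds admin accounts an upgrade left on the legacy hash.

The record format below is constructed for illustration; it is NOT Fortinet's
configuration syntax, and the field names are assumptions."""
import hashlib
import os
import re
import time
from datetime import date

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example

LEGACY_RE = re.compile(r"^[0-9a-f]{64}$")  # a bare hex SHA-256 digest


def hash_legacy(password: str) -> str:
    """Unsalted, single-round SHA-256: one hash per guess, trivially parallel."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Slow-on-purpose PBKDF2-HMAC-SHA256 with a per-user salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def cost_ratio(samples: int = 2000) -> float:
    """How many legacy hashes fit in the time of ONE PBKDF2 hash on this machine.

    This is the whole argument for a slow hash: every unit of ratio is a guess
    an offline cracker gets for free against the legacy format."""
    t0 = time.perf_counter()
    for i in range(samples):
        hash_legacy(f"guess{i}")
    per_fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hash_pbkdf2("guess", b"\x00" * 16)
    per_slow = time.perf_counter() - t0
    return per_slow / per_fast


def is_legacy(stored_hash: str) -> bool:
    """True when the stored value is still the fast, unsalted legacy digest."""
    return bool(LEGACY_RE.match(stored_hash))


def audit_admins(records, upgrade_date):
    """Classify admin records after an upgrade that re-hashes only on next login.

    still_legacy          - never logged in since the upgrade; still on SHA-256
    legacy_copy_retained  - migrated, but the old digest is still kept alongside
    clean                 - migrated and no legacy copy present
    inconsistent          - legacy hash despite a post-upgrade login; check by hand
    """
    report = {"still_legacy": [], "legacy_copy_retained": [],
              "clean": [], "inconsistent": []}
    for r in records:
        if is_legacy(r["password_hash"]):
            bucket = "still_legacy" if r["last_login"] < upgrade_date else "inconsistent"
            report[bucket].append(r["user"])
        elif r.get("legacy_hash"):
            report["legacy_copy_retained"].append(r["user"])
        else:
            report["clean"].append(r["user"])
    return report


# Constructed sample data: an upgrade date and three invented admin accounts.
UPGRADE_DATE = date(2025, 6, 1)
SAMPLE_ADMINS = [
    # set up once, never touched again: still on the fast hash
    {"user": "admin", "password_hash": hash_legacy("Winter2019!"),
     "last_login": date(2019, 3, 4)},
    # logged in after the upgrade, so migrated, but the old digest was retained
    {"user": "netops", "password_hash": hash_pbkdf2("Rotate-me-2025"),
     "legacy_hash": hash_legacy("Rotate-me-2025"), "last_login": date(2025, 6, 9)},
    # migrated cleanly
    {"user": "auditor", "password_hash": hash_pbkdf2("Ledger#77"),
     "last_login": date(2025, 7, 2)},
]

if __name__ == "__main__":
    print(f"legacy guesses per PBKDF2 hash on this host: {cost_ratio():.0f}")
    for bucket, users in audit_admins(SAMPLE_ADMINS, UPGRADE_DATE).items():
        print(f"{bucket:22s} {users}")
```

The audit is the part to carry over to a real estate: whatever your export format is, the two questions are the same, which accounts still carry the old digest because nobody has logged in since the upgrade, and which accounts carry a retained copy of it even though they have. Both lists are the accounts to force through a login and a credential rotation; the cost ratio is the reason to care.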
The window is the thing. SOCRadar said the dataset had not hit the criminal markets for sale yet when they wrote it up. Yet. That word is doing a lot of work. There is a closing gap between now and the moment seventy-five thousand networks get auctioned off to every two-bit operator with a wallet, and the only people who get to walk through that gap clean are the ones who move in the next few days instead of the next few weeks.
The thing I keep coming back to
I keep coming back to the serial number on the door. The key derived from a thing printed on the front of the box. Somebody at Fortinet, some genuinely smart engineer years ago, decided that was clever, decided it was elegant, that the device could derive its own key from its own identity and you would never have to manage a separate secret. And it was clever. That is what nobody tells you about disasters. They are almost never built out of stupidity. They are built out of cleverness that ran a few years past its expiration date, out of reasonable decisions made by competent people that curdled in the dark while everybody looked away.
Seventy-five thousand gates, or thirty thousand confirmed, depending on how brave you feel. A rack of graphics cards we cannot even count correctly. A door we cannot find. And a menu of the world’s networks sorted by how much money they have, sitting on a server with no lock, waiting for the next person who knows where to look. The rain reached the beach a while ago. The drink is gone, the rum was a rumor anyway, and Santa in his board shorts is still sitting in the chair not looking at the ocean, because somewhere out past the gray water somebody already has the keys and is deciding, very calmly, which lock to try first. The wind died and the boat is just sitting here and the only sound is my own pulse.
Sam Liles, PhD, writes at sveoti.net on security, the sea, and whatever else will not leave him alone. The underlying threat reporting behind this piece draws on open source analysis from Diachenko, Beaumont, Hudson Rock, SOCRadar, Arctic Wolf, CISA, and Fortinet.