The firewall is the one box everyone trusts. It's the thing you point to when a client asks "are we secure?" So there's a particular kind of dread in the story that's been unfolding this month, because the campaign researchers named FortiBleed turned that trusted box into the quietest wiretap imaginable — and then handed the results to ransomware crews.
What happened
Starting around February and uncovered in mid-June, attackers went after Fortinet's ubiquitous FortiGate firewalls at scale. The numbers are grim: roughly 430,000 firewalls in scope across more than 150 countries, an estimated 110 million credentials harvested.
The mechanism is the nasty part. Rather than smash-and-grab, they exploited CVE-2026-35616 (CVSS 9.1) in FortiClient EMS to gain admin access, then dropped a custom Go packet sniffer on thousands of devices. That sniffer sat inline and passively read the traffic passing through the firewall, plucking out cleartext credentials and password hashes as employees logged into VPNs and internal systems. No malware on your laptops. No phishing email to click. Just your own perimeter device, reading your logins and mailing them out.
Then, in early July, SOCRadar's researchers connected the dots everyone feared: FortiBleed isn't a standalone data grab — it's an on-ramp to ransomware. They found a single operator logged into the negotiation panels of both the INC Ransom and Lynx groups, using infrastructure that traces back to FortiBleed, with victim lists that overlap. Admin access was confirmed on ~409 targets, full domain-admin compromise on ~354, and at least 12 ransomware deployments have already been tied to the access, with hundreds of endpoints encrypted.
CVE-2026-35616 is now in CISA's Known Exploited Vulnerabilities catalog. That's the government's way of saying: this is being used against real organizations right now, patch it on a deadline.
The device you bought to keep attackers out spent five months reading your credentials and mailing them to the people who'd later encrypt your network. That's not a firewall failure. It's a reminder of what a firewall actually is: the single most privileged box on your network, sitting on the open internet.
Why this one matters even if you're not on Fortinet
Two reasons.
First, edge devices are the front line of ransomware now. Firewalls, VPN concentrators, email gateways — the appliances that live at the perimeter and terminate untrusted traffic — have become the preferred way in. They're internet-facing by definition, they run vendor firmware you can't fully inspect, they hold the keys to everything behind them, and they're chronically under-patched because "if it's working, don't touch it." FortiBleed is this quarter's example; there will be another next quarter with a different logo on it.
First-and-a-half: passive credential theft is nearly invisible. There's no ransom note, no locked screen, no obvious breach — until months later when it detonates. If your entire detection strategy assumes an attacker will trip an alarm, a campaign like this walks right past it.
Second, the credential is the currency. All of that firewall-reading exists to harvest logins, because a valid credential is quieter and more durable than any exploit. Which means the blast radius of FortiBleed isn't "we'll patch the firewall." It's "every password that crossed that firewall should be considered compromised."
What I'd actually do this week
If you run Fortinet at the edge, treat this as an active incident, not a maintenance ticket:
- Patch now, on the KEV clock. Update FortiClient EMS and FortiOS to the fixed versions immediately. It's in CISA's KEV catalog for a reason — this is being exploited today.
- Assume the credentials leaked and rotate them. Everything that authenticated across that firewall: VPN accounts, admin passwords, service accounts, pre-shared keys, API tokens. Force re-authentication and invalidate existing sessions. Rotating after you patch, not before, so you're not handing fresh secrets to a still-present sniffer.
- Hunt — don't assume you're clean. Passive theft leaves faint traces. Pull the vendor IOCs (SOCRadar and Orca have published them), look for the sniffer, unexpected admin or backdoor accounts, and config changes. Then look inland: unusual domain-controller logons and new domain-admin activity are the tell that access already moved past the edge.
- Get management off the public internet. No admin/GUI interface exposed to the world. Restrict management to a VPN or a hard IP allowlist. This single change removes most of the attack surface for the next one of these.
- Phishing-resistant MFA on VPN and admin. Stolen passwords are far less useful when a hardware-key or passkey second factor stands between them and access.
- Treat edge appliances like crown jewels. They deserve the same patch cadence, monitoring, and end-of-life discipline you give a domain controller — because in an attacker's eyes, that's exactly what they are.
The bottom line
FortiBleed is a clean, brutal illustration of a shift that's already happened: the perimeter device is no longer just your defense, it's a top-tier target and a single point of catastrophic failure. Whatever brand of firewall or VPN sits at your edge, it is running software, it is on the internet, and it holds the keys.
Patch it like your domain depends on it. Rotate the credentials that touched it. And stop assuming the box that's supposed to keep attackers out couldn't be the thing that quietly lets them in — because for 430,000 organizations, it just was.
- ransomware
- Fortinet
- edge devices
- credential theft
- incident response



