TL;DR: FortiBleed shows how attackers can exploit internet-facing FortiGate and FortiClient EMS exposure to harvest credentials at scale, gain admin access on 409 targets, and drive ransomware activity, according to Orca Security. The incident shows that patching alone is not enough when credential interception, standing privilege, and unmanaged admin accounts remain in place.
At a glance
What this is: FortiBleed is an active credential-harvesting campaign that abused Fortinet exposure to obtain admin access, deploy packet sniffers, and support ransomware operations.
Why it matters: It matters because Fortinet-managed infrastructure often sits at the intersection of NHI, remote access, and administrative trust, where one failure can expose VPN, directory, and infrastructure credentials at scale.
By the numbers:
- The campaign achieved admin-level access on 409 targets, with 354 suffering full domain compromise.
👉 Read Orca Security's analysis of FortiBleed and Fortinet credential harvesting
Context
FortiBleed is a credential-harvesting campaign that targeted internet-facing FortiGate firewalls and FortiClient EMS deployments to turn remote access infrastructure into a credential collection point. The primary issue is not just exploitation of a vulnerability, but the collapse of trust around administrative access, VPN paths, and the credentials that protect them.
For IAM and NHI teams, the significance is clear: when network appliances and management planes can passively intercept authentication traffic, rotation, MFA, and admin segmentation become incident-response controls, not background hygiene. The article also shows how exposed infrastructure can become a broker for broader compromise, especially where machine and human credentials share the same trust boundary.
Key questions
Q: What breaks when attackers can passively harvest credentials from remote-access infrastructure?
A: The trust model breaks because one management-plane compromise can expose many identities at once. VPN, directory, and administrative credentials may be collected without obvious alerts, then reused for lateral movement, privilege escalation, or ransomware access. Security teams should assume the exposed path is already part of the breach boundary once credential interception is possible.
Q: Why do internet-facing firewalls and access gateways increase identity risk?
A: They sit in the traffic path for authentication and administration, so a privileged compromise can expose secrets even when downstream systems are well protected. That makes the appliance part of the identity control plane, not just the network perimeter. Teams need to secure and monitor these devices as high-value identity infrastructure.
Q: How do security teams know whether credential rotation is enough after exposure?
A: Rotation is only enough if the exposed path is removed or tightly constrained first. If attackers still control the same management surface, new credentials can be harvested again. The stronger signal is whether management-plane reachability, admin accounts, and authentication flows are segmented and verified after remediation.
Q: Who is accountable when compromised remote-access infrastructure leads to ransomware?
A: Accountability usually spans IAM, network security, infrastructure operations, and incident response because the failure sits across access control, exposure management, and credential governance. The practical question is not who owns the box, but who owns the identity boundary it controls. That boundary has to be explicit before the next exposure event.
Technical breakdown
How FortiGate exposure turned into credential interception
FortiBleed relied on internet-facing FortiGate infrastructure to gain administrative footholds and then abuse native packet inspection capabilities. Once the attackers had administrative access, they used FortiOS's diagnose sniffer packet command to passively capture authentication traffic across multiple protocols. That matters because the attack did not need to break encryption in transit: traffic the gateway itself decrypts or originates, such as tunnelled VPN sessions and its own RADIUS requests, is visible in the clear on the device. All the attackers needed was privileged placement inside the traffic path, where VPN, RADIUS, NTLM, and Kerberos flows could be observed and collected at scale.
Practical implication: treat management-plane exposure and admin access as credential-security risks, not just firewall risks.
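To make the hunt concrete, here is an added example (not code from Orca's write-up or from Fortinet) that scans FortiOS-style event logs for diagnose sniffer packet invocations and turns each capture filter into a credential-rotation scope. The log lines are constructed: FortiOS does log in key=value style, but the specific logid, action and msg layout of CLI-audit events, the trusted admin network, and the port-to-credential-class mapping are all assumptions to adapt to your own export.

```python
"""Hunt FortiOS event logs for 'diagnose sniffer packet' use and derive what to rotate.

Added example, not part of the Orca research or Fortinet's tooling. The sample
lines are constructed in FortiOS key=value style; the logid/action/msg layout of
real CLI-audit events is an assumption, so map the field names to your export.
"""
import ipaddress
import re
import shlex

# Assumption: ports on which a sniffer placed on the gateway would see credential
# material, and the credential class each one implies for rotation planning.
CREDENTIAL_PORTS = {
    1812: "RADIUS",
    1645: "RADIUS",
    88: "Kerberos",
    445: "NTLM over SMB",
    389: "LDAP simple bind",
}

# FortiOS syntax: diagnose sniffer packet <interface> '<bpf filter>' <verbose> <count> <tsformat>
SNIFFER_RE = re.compile(r"diagnose sniffer packet\s+(\S+)\s+'([^']*)'")

# Constructed sample log; the sniffer commands are the hunt target, the rest is noise.
SAMPLE_LOGS = """\
date=2026-05-02 time=03:14:07 logid="0100032002" type="event" subtype="system" level="notice" vd="root" user="adminin" ui="ssh(198.51.100.23)" srcip=198.51.100.23 action="execute" msg="diagnose sniffer packet any 'port 1812 or port 88 or port 445' 6 0 l"
date=2026-05-02 time=03:20:41 logid="0100032002" type="event" subtype="system" level="notice" vd="root" user="admin" ui="ssh(10.10.5.4)" srcip=10.10.5.4 action="execute" msg="get system status"
date=2026-05-02 time=04:02:13 logid="0100032002" type="event" subtype="system" level="notice" vd="root" user="adminin" ui="ssh(198.51.100.23)" srcip=198.51.100.23 action="execute" msg="diagnose sniffer packet port1 'tcp port 389' 6 0 l"
date=2026-05-02 time=04:40:55 logid="0100032002" type="event" subtype="system" level="notice" vd="root" user="adminin" ui="ssh(198.51.100.23)" srcip=198.51.100.23 action="execute" msg="diagnose sniffer packet any 'none' 6 0 l"
"""

TRUSTED_ADMIN_NETS = ("10.10.5.0/24",)  # assumption: the jump-host range admins should come from


def parse_fortios_event(line):
    """Split one key=value line into a dict; shlex keeps quoted values with spaces intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def from_trusted_net(src, nets=TRUSTED_ADMIN_NETS):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in nets)


def ports_in_filter(bpf):
    """Pull every 'port N' term out of the capture filter."""
    return {int(p) for p in re.findall(r"\bport\s+(\d+)", bpf)}


def hunt_sniffer_use(log_text):
    """Return one finding per sniffer invocation, with the credential classes it could expose."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_fortios_event(line)
        match = SNIFFER_RE.search(ev.get("msg", ""))
        if not match:
            continue
        iface, bpf = match.groups()
        if bpf.strip() in ("", "none"):
            # Unfiltered capture ('none' is FortiOS's no-filter value): assume every class was exposed.
            classes = sorted(set(CREDENTIAL_PORTS.values()))
        else:
            classes = sorted({CREDENTIAL_PORTS[p] for p in ports_in_filter(bpf) if p in CREDENTIAL_PORTS})
        src = ev.get("srcip", "")
        findings.append({
            "time": f"{ev.get('date', '')} {ev.get('time', '')}",
            "user": ev.get("user", ""),
            "srcip": src,
            "untrusted_source": not from_trusted_net(src),
            "interface": iface,
            "filter": bpf,
            "credential_classes": classes,
        })
    return findings


def rotation_scope(findings):
    """Union of credential classes seen across all sniffer sessions: the minimum rotation set."""
    scope = set()
    for finding in findings:
        scope.update(finding["credential_classes"])
    return sorted(scope)


if __name__ == "__main__":
    found = hunt_sniffer_use(SAMPLE_LOGS)
    for finding in found:
        print(finding)
    print("rotate at minimum:", rotation_scope(found))
```

The point of rotation_scope is the one the text makes: the rotation list is derived from what the sniffer could see, not from which accounts have since shown misuse. A capture with no filter collapses that distinction, so the script treats 'none' as exposure of every class it knows about rather than as nothing found.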
Why FortiClient EMS improper access control amplified the breach
CVE-2026-35616 was an improper access control flaw in FortiClient EMS 7.4.5 and 7.4.6 that required no authentication. Attackers used it to modify remote access profiles, inject malicious PowerShell into VPN configuration scripts, and deploy infostealer payloads across managed endpoints. The technical lesson is that endpoint management systems become identity infrastructure once they can rewrite access paths, distribute scripts, and influence how credentials are handled on connected devices.
Practical implication: restrict who can reach endpoint management services and verify that configuration channels cannot alter authentication workflows.
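One way to verify that the configuration channel has not been used to alter the login path is to diff the scripts EMS pushes inside VPN profiles against an approved baseline. The following is an added example, not Orca's or Fortinet's code: it parses a FortiClient-style VPN profile and flags on_connect and on_disconnect scripts that are either unapproved or carry download-and-execute markers. The profile is constructed; the element layout (connection, on_connect, on_disconnect, script, os) follows FortiClient's XML profile format as I understand it, so verify the names against your own EMS export, and the approved-script baseline and suspicious-pattern list are assumptions.

```python
"""Audit FortiClient VPN profile XML for connect/disconnect scripts that could hijack the login path.

Added example, not Orca's or Fortinet's code. The profile below is constructed; the
on_connect/on_disconnect/script/os element layout follows FortiClient's XML profile
format as I understand it, so verify the element names against your own EMS export.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: patterns that should never appear in an EMS-pushed VPN hook script.
SUSPICIOUS = [
    (r"(?i)\bpowershell(\.exe)?\b", "powershell launcher"),
    (r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"(?i)\b(iex|invoke-expression)\b", "in-memory execution"),
    (r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|certutil)", "remote fetch"),
    (r"(?i)https?://", "url in script"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
]

# Scripts the VPN team actually approved; anything else is a change to the login path.
APPROVED_SCRIPTS = frozenset({
    r"net use X: \\files.corp.example\share /persistent:no",
})

# Constructed sample profile: one injected PowerShell hook, one approved drive-mapping hook.
# The -enc payload is a placeholder (UTF-16LE "AAAA"), not a real command.
SAMPLE_PROFILE = r"""<forticlient_configuration>
  <vpn>
    <sslvpn>
      <connections>
        <connection>
          <name>Corp SSL VPN</name>
          <server>vpn.corp.example:443</server>
          <on_connect>
            <script>
              <os>windows</os>
              <script>powershell.exe -nop -w hidden -enc QQBBAEEAQQA=</script>
            </script>
          </on_connect>
        </connection>
        <connection>
          <name>Branch SSL VPN</name>
          <server>vpn-branch.corp.example:443</server>
          <on_connect>
            <script>
              <os>windows</os>
              <script>net use X: \\files.corp.example\share /persistent:no</script>
            </script>
          </on_connect>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""


def script_reasons(body, approved=APPROVED_SCRIPTS):
    """Why a hook script is worth a finding: suspicious content, or simply not baselined."""
    reasons = [label for pattern, label in SUSPICIOUS if re.search(pattern, body)]
    if body not in approved:
        reasons.append("not in approved baseline")
    return reasons


def audit_vpn_profile(xml_text, approved=APPROVED_SCRIPTS):
    """Return one finding per connection hook script that is suspicious or unapproved."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("connection"):
        name = (conn.findtext("name") or "").strip()
        for hook in ("on_connect", "on_disconnect"):
            for entry in conn.findall(f"{hook}/script"):
                body = (entry.findtext("script") or "").strip()
                if not body:
                    continue
                reasons = script_reasons(body, approved)
                if reasons:
                    findings.append({
                        "connection": name,
                        "hook": hook,
                        "os": (entry.findtext("os") or "").strip(),
                        "reasons": reasons,
                        "script": body,
                    })
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_profile(SAMPLE_PROFILE):
        print(finding)
```

The baseline check matters more than the pattern list: an attacker who can rewrite the profile can also write a script that avoids every keyword, but cannot make it match a hash-pinned, approved script. Run this against the profile as exported from EMS and as received on a sample endpoint, and treat any difference between the two as a finding in its own right.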
How harvested credentials became ransomware-ready access
Credential theft in FortiBleed was not an isolated objective. The campaign produced admin access on hundreds of targets, and the access was then linked to ransomware operators and negotiation panels. That sequence shows a common NHI failure mode: a single compromised control plane can yield reusable VPN, directory, and administrative credentials that survive long enough to be monetised by follow-on operators. The result is not just initial access, but a transfer of identity trust into criminal hands.
Practical implication: assume that any credential observed on a compromised remote-access path must be treated as exposed and replaceable.
Threat narrative
Attacker objective: convert harvested authentication material and admin access into scalable, ransomware-ready intrusion across enterprise environments.
- Entry began with exploitation of internet-facing FortiGate and FortiClient EMS exposure, giving attackers a path into management and remote-access infrastructure.
- Escalation followed through administrative control and packet-sniffing abuse, which let the operators harvest VPN, RADIUS, NTLM, and Kerberos credentials at scale.
- Impact came when those credentials were reused for domain compromise and ransomware operations, turning stolen trust into widespread encryption and disruption.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
FortiBleed is a standing-access failure disguised as a perimeter breach. The campaign shows that once management-plane access is exposed, the attacker no longer needs to crack individual systems one by one. They inherit the trust relationships of the remote-access fabric itself, which is why FortiGate and EMS exposure has to be analysed as identity risk, not only network risk. Practitioners should treat administrative reach as a governed identity surface.
Credential interception at the appliance layer is a direct challenge to NHI governance. VPN, RADIUS, NTLM, and Kerberos credentials are not abstract secrets when they can be passively collected from traffic inspected by a privileged device. The failure mode here is credential reuse across remote access and infrastructure administration, which turns one compromised management node into many downstream identities. Security teams need to view appliance privileges as part of the NHI control plane.
FortiBleed shows why access revocation must be triggered by exposure, not just by account events. Once attackers have harvested credentials from FortiGate-managed infrastructure, waiting for a normal lifecycle event leaves the organisation exposed to reuse, lateral movement, and ransomware brokering. This is especially relevant where admin accounts, VPN credentials, and service credentials share the same operational boundary. Practitioners should recognise that the blast radius begins at capture, not at confirmed misuse.
Packet sniffing on trusted infrastructure deserves a name of its own: identity interception at the control plane. The article demonstrates that privileged network and access appliances can become credential collectors when attackers gain administrative placement. That is a different failure mode from simple secret theft because the device itself becomes the interception mechanism. The implication is that trust in the appliance layer has to be narrowed, segmented, and continuously validated.
Ransomware ecosystems increasingly depend on NHI compromise before payload execution. FortiBleed’s link to downstream ransomware operations shows that initial access brokers are now turning credentials, not exploits, into the primary currency of compromise. That pattern makes exposure management, admin account hygiene, and MFA enforcement decisive controls. Practitioners should assume credential harvesting will be monetised quickly when remote-access infrastructure is reachable from the internet.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
- That confidence gap reinforces why teams should pair the 52 NHI Breaches Analysis report with exposure management rather than treat credential events as isolated incidents.
What this signals
The operational lesson is that remote-access infrastructure now behaves like identity infrastructure, so exposure management and credential governance need to be evaluated together. When management planes can inspect authentication traffic, the line between network security and NHI control disappears, and remediation has to start with privileged reachability.
Identity interception at the control plane: once privileged devices can observe or rewrite authentication flows, conventional perimeter assumptions stop working. That means teams should align firewall, VPN, PAM, and NHI ownership around a single exposure model instead of separate tool silos.
The practical signal for practitioners is to stop measuring only patch latency. A more useful indicator is whether exposed management services, backdoor accounts, and credential paths can still be reached after the first remediation cycle, because that is where repeat compromise begins.
For practitioners
- Inventory all internet-facing Fortinet management paths: identify every FortiGate and FortiClient EMS instance that can be reached from untrusted networks, then confirm which ones can influence authentication, remote access, or admin workflows. Focus on management-plane reachability first, because that is where the credential-harvesting path begins.
- Rotate every credential that traverses FortiGate-managed infrastructure: replace VPN, RADIUS, NTLM, Kerberos, and administrative credentials associated with exposed Fortinet infrastructure, including shared service accounts and back-end access used by administrators. Treat any credential observed on the compromised path as exposed until proven otherwise.
- Restrict FortiClient EMS and administrative interfaces to trusted sources: limit port 8013 and all management interfaces to known administrative ranges, then verify that remote access profiles cannot be rewritten from broadly reachable networks. This reduces the ability of an attacker to use the management plane as a distribution channel for malicious configuration changes.
- Hunt for FortigateSniffer and backdoor account indicators: search for FortigateSniffer artefacts, the unauthorized adminin account, suspicious VPN configuration changes, and unusual outbound connections tied to the reported C2 infrastructure. Use these findings to determine whether credential interception or post-exploitation access has already occurred.
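The first, third and fourth items above can be checked from a FortiGate configuration export before anyone touches the device. The following is an added example, not Orca's or Fortinet's tooling: it parses FortiOS's config / edit / set / next / end syntax and flags WAN interfaces that open management protocols, admin accounts with no trusthost restriction, and admin accounts that are not in the approved inventory (which is how an account like adminin surfaces). The configuration is constructed, the approved admin list is an assumption, and "role wan" is used as the stand-in for "internet-facing"; adapt both to your estate.

```python
"""Audit a FortiOS configuration export for exposed management paths and unapproved admins.

Added example, not Orca's or Fortinet's tooling. The configuration below is constructed
in FortiOS 'config / edit / set / next / end' syntax; the approved admin list and the
treatment of 'role wan' as internet-facing are assumptions to adapt to your estate.
"""
import shlex

MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}  # allowaccess values that open the management plane
APPROVED_ADMINS = {"admin", "fortimanager-ro"}      # assumption: what the admin inventory says should exist

# Constructed sample export: wan1 exposes HTTPS/SSH, and 'adminin' has no trusthost and is not inventoried.
SAMPLE_CONFIG = """\
# constructed sample export
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.5.0 255.255.255.0
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""


def parse_fortios_config(text):
    """Parse top-level tables into {section: {entry: {attribute: [values]}}}.

    Nested sub-tables (a 'config' inside an 'edit') are tracked by depth and skipped,
    which is enough for interface and admin auditing.
    """
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            tokens = shlex.split(raw)
        except ValueError:
            continue  # multi-line quoted values (certificates) are not needed here
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            depth += 1
            if depth == 1:
                section = " ".join(args)
                sections.setdefault(section, {})
        elif kw == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif depth != 1:
            continue
        elif kw == "edit":
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif kw == "set" and entry is not None:
            sections[section][entry][args[0]] = args[1:]
        elif kw == "next":
            entry = None
    return sections


def audit_config(sections, approved_admins=APPROVED_ADMINS):
    """Return (finding, object, detail) tuples for management exposure and admin hygiene problems."""
    findings = []
    for name, attrs in sections.get("system interface", {}).items():
        opened = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role", [""])[0] == "wan" and opened:
            findings.append(("exposed-management", name, " ".join(sorted(opened))))
    for name, attrs in sections.get("system admin", {}).items():
        if name not in approved_admins:
            findings.append(("unapproved-admin", name, attrs.get("accprofile", [""])[0]))
        # An admin with no trusthostN entries may log in from any source the interface allows.
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(("admin-without-trusthost", name, "reachable from any source"))
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Each finding maps to a FortiOS change: drop https and ssh from the WAN interface's allowaccess list, give every admin a trusthost entry covering only the jump-host range, and preserve then delete the unapproved account once its logins have been captured for the investigation. Re-running the audit after the change is the "verified after remediation" check the Key questions section asks for.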
Key takeaways
- FortiBleed shows that credential harvesting can turn remote-access infrastructure into a mass identity compromise event.
- The campaign’s scale matters: hundreds of targets saw admin-level access and a large credential haul fed downstream ransomware activity.
- The limiting control is not patching alone, but reducing management-plane reach, rotating exposed credentials, and eliminating reusable admin trust.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Credential harvesting from exposed management paths maps to secret exposure and reuse risks. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Admin access and remote-access trust need stricter least-privilege enforcement. |
| NIST Zero Trust (SP 800-207) | Segment management planes and require continuous verification before allowing administrative or authentication flow access. | The campaign shows why network devices must not be treated as trusted by default. |
Key terms
- Management Plane: The management plane is the administrative path used to configure, monitor, and control an infrastructure component. In identity terms, it is highly sensitive because access to it can expose or alter authentication, routing, logging, and credential-handling behaviour across the environment.
- Credential Interception: Credential interception is the capture of authentication material while it is in transit or being processed by a trusted system. In this breach pattern, the attacker does not need to steal each secret individually. Instead, privileged placement lets them collect multiple credentials from one control point.
- Standing Privilege: Standing privilege is persistent elevated access that remains available without just-in-time approval or narrow task boundaries. In a breach like FortiBleed, standing privilege on a management node becomes especially dangerous because it can be used to observe, alter, and reuse credentials across multiple identities.
- Remote Access Trust Boundary: A remote access trust boundary is the set of systems, credentials, and controls that determine who may connect to internal resources from outside the environment. When that boundary is weak, attackers can move from initial access to broader identity compromise through the very channels designed to enable work.
What's in the full article
Orca Security's full research covers the operational detail this post intentionally leaves for the source:
- The affected FortiGate and FortiClient EMS versions, plus the remediation sequence for upgrading and applying the hotfix
- The specific forensic indicators tied to FortigateSniffer, the adminin backdoor account, and the reported C2 infrastructure
- The attack telemetry behind the 110 million credential haul and the linked ransomware activity
- The asset exposure context that Orca used to prioritise remediation by internet reachability and criticality
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org