On 10 July 2026, the cyber-intelligence firm S-RM confirmed what many UK security teams had feared since the middle of June: credentials belonging to UK government and Foreign Office email accounts are now circulating on the dark web, harvested through a campaign that has compromised 73,932 Fortinet FortiGate firewalls across 194 countries. The campaign — tracked publicly as FortiBleed — is not a theoretical disclosure or a proof-of-concept. It is a working, monetised intrusion operation in which a Russian-speaking threat group cracked more than 1.16 billion credential attempts against FortiGate targets, exported firewall configuration files offline to avoid detection, and then listed functioning administrator and VPN credentials for sale on a criminal forum for as much as £44,000 per access package.
For UK SMEs this is not a story about distant nation-state espionage. It is a supply-chain problem with a name on the door. Any business that holds a public-sector contract, supplies a regulated sector, or simply runs a Fortinet device on its perimeter is now exposed to the same follow-on intrusion risk that has reached Whitehall. The perimeter firewall was supposed to be the thing that kept attackers out; in this campaign it became the credential store that let them in. This briefing sets out exactly what was compromised, how the attack worked, what the confirmed UK impact means for the organisations sitting downstream in government and NHS supply chains, and why the response FortiBleed demands — credential rotation, MFA enforcement, management-interface hardening and a genuine governance review — is precisely the kind of strategic IT oversight a Virtual CIO exists to provide. The deadline for that response is not next quarter. It is today.
What FortiBleed actually is
FortiBleed is the name given to a large-scale credential-harvesting campaign directed at Fortinet FortiGate firewalls — the security appliances that sit at the edge of tens of thousands of corporate and government networks, filtering traffic and terminating remote-access VPN connections. The scale is what makes it exceptional. Rather than targeting one organisation, the operators assembled a dataset of 73,932 distinct FortiGate management URLs distributed across 194 countries, and set about extracting usable credentials from as many of them as possible. Independent researcher Volodymyr Diachenko first attributed the activity to a Russian-speaking threat group on 13 June 2026, and the well-known security researcher Kevin Beaumont subsequently confirmed that a sample of the leaked credentials were authentic — not recycled from old breaches, but live working access.
The dataset is not confined to obscure targets. It spans government, telecommunications, financial services, healthcare, manufacturing and critical infrastructure organisations. The most alarming individual case reported so far involves a Turkish NATO defence contractor whose classified documents were exfiltrated through the compromised perimeter. Closer to home, S-RM’s 10 July confirmation that UK government and Foreign Office email accounts appear in the harvested credential set moves FortiBleed from an international headline to a direct UK national-security concern — and, by extension, a concern for every organisation that touches those supply chains.
What sets FortiBleed apart from a routine breach disclosure is that the exposure did not close when it became public. Many of the affected devices remained online and reachable after disclosure, meaning that credentials cracked from their exported configurations may still grant access unless the owning organisation has actively rotated them. A patch alone does not solve this: if an attacker has already extracted your firewall’s configuration and cracked the stored password hashes offline, updating the firmware does nothing to invalidate the credentials they already hold. Only rotation does.
The single most dangerous assumption a UK SME can make about FortiBleed is “we’re not a government department, so this isn’t about us.” The confirmed compromise of UK government and Foreign Office accounts means attackers now hold a foothold and a target list. The natural next step in an operation like this is lateral movement through the supply chain — using a trusted supplier’s access, credentials or email relationship to reach the harder target behind it. If your business supplies, invoices, integrates with or holds data on behalf of a government body, an NHS trust or a regulated firm, you are a plausible stepping stone. The attackers have already deployed Active Directory enumeration scripts post-access and used log-clearing markers to cover their tracks, which is the behaviour of a group intending to move deeper, not smash and grab. The exposure that matters to you is not whether your name is in the dataset today; it is whether a compromised partner’s credentials open a door into your environment tomorrow.
How the FortiBleed campaign unfolded
The chronology matters, because it shows a deliberate, well-resourced operation that moved from reconnaissance to monetisation over a matter of weeks — and because it explains why a purely reactive response is already behind the curve.
The technical method — and why patching alone will not save you
Understanding how FortiBleed extracted credentials is essential to understanding why the correct response is rotation rather than reassurance. The operators combined brute-force login attempts with interception of SSL VPN authentication hashes, driving an extraordinary 1.16 billion credential attempts against FortiGate targets. Alongside this they ran roughly 2.1 billion MSSQL credential attempts, indicating an operation reaching well beyond the firewall itself into the database services behind it. The chart below sets out an indicative view of the relative intensity of the attack components reported in the campaign. These are illustrative weightings drawn from the reported shape of the operation, not vendor-issued measurements.
The critical technical detail for defenders is where the cracking happened. Rather than hammering live devices with password guesses — noisy, slow and easy to detect — the operators exported FortiGate configuration files and cracked the stored password hashes offline, on a dedicated 45-GPU Hashtopolis cluster. Offline cracking is invisible to the target: there are no failed-login alerts, no rate-limit trips, no unusual traffic on the firewall itself, because the work is happening on the attacker’s own hardware against a stolen copy of your configuration. By the time credentials are recovered, the attacker simply logs in with valid details and looks, to your logs, like a legitimate administrator.
This is also where firmware version becomes decisive. Fortinet enforces PBKDF2 hash storage from FortiOS 7.2.11 onwards, which dramatically increases the computational cost of offline cracking. Older FortiOS versions store password hashes in a form that a 45-GPU cluster can chew through far more quickly. If your device was running a pre-7.2.11 build when its configuration was exported, you should assume the stored credentials are recoverable and treat them as compromised — regardless of whether you have since updated the firmware. Updating protects future hashes; it does nothing for hashes an attacker has already exported and cracked.
How much of the exposed estate is at real risk
Not every one of the 73,932 devices is equally exposed — but the proportion that is genuinely at risk is high, because the campaign specifically favoured devices with reachable management or VPN interfaces and older firmware. The figure below is an illustrative planning estimate of the share of a typical exposed FortiGate estate that should be treated as high-risk pending an active credential rotation. It is intended to frame the scale of the response, not to report a measured statistic.
The reason the at-risk proportion is so high is that the two conditions that make a device exploitable — an internet-reachable management or SSL VPN interface, and firmware old enough to store crackable hashes — are extremely common across small and mid-sized deployments. A perimeter firewall installed three or four years ago and left on a stable, un-updated build is precisely the profile the campaign feasted on. For a UK SME, the honest starting assumption should be that if you cannot confirm your firmware version and rotation history, your device belongs in the high-risk bucket until proven otherwise.
Where UK SMEs are most exposed on perimeter and credential governance
FortiBleed is a stress test of credential and perimeter governance, and most mid-market businesses fail it in predictable places. The grid below sets out where exposure typically concentrates for a UK SME running a Fortinet or comparable perimeter device — the gaps this campaign should prompt every board to close, whether or not the business appears in the dataset.
The pattern is consistent. The perimeter firewall is usually installed once, configured competently and then largely forgotten — a set-and-leave device that quietly ages while the business assumes it is doing its job. That assumption is exactly what FortiBleed exploited. A configuration file that has never been treated as a secret, an administrator password that has not changed in years, a management interface exposed for convenience, and no one whose job it is to read the CISA advisory and act on it: that combination turns a security appliance into a liability. Closing these gaps is not a heroic project; it is disciplined governance applied to a device that has never received it.
What a proportionate FortiBleed response costs by business size
The response is not one-size-fits-all. A ten-person firm with a single perimeter device and a fifty-strong organisation with multiple sites and supplier integrations face the same underlying credential risk but carry very different scope and resource. The table below sets out an indicative view of what a proportionate FortiBleed response — audit, rotation, MFA enforcement, interface hardening and governance review — involves across UK business-size bands. Figures are illustrative planning ranges, not quotes.
| Business size | Typical perimeter footprint | Priority response actions | Indicative response investment |
|---|---|---|---|
| 1–10 staff | Single FortiGate or comparable firewall, SSL VPN for remote staff | Rotate all admin and VPN credentials; enforce MFA; restrict management interface; confirm firmware | £800–£2,500 |
| 10–50 staff | Firewall plus VPN, some supplier and remote-access integrations | Full credential rotation; MFA everywhere; interface lockdown; supplier-access audit; log review for AD enumeration | £2,500–£8,000 |
| 50–200 staff | Multi-site perimeter, database services, public-sector or regulated supply-chain exposure | Estate-wide rotation and hardening; compromise assessment; supply-chain notification; governance review; MFA and privileged-access overhaul | £8,000–£25,000 |
| 200+ staff | Complex network estate, critical customer-facing systems, contractual security obligations | Formal incident response; forensic assessment; board-level resilience programme; continuous perimeter monitoring; third-party assurance | £25,000+ |
The right figure for any given business depends on the sensitivity of its data, the contracts it holds and the depth of its supplier relationships — an organisation in a government or NHS supply chain carries obligations that a purely private-sector firm does not. But the direction of travel is the same across every band: the cost of a proportionate response is a fraction of the cost of a follow-on intrusion, and it buys back the assumption — currently unfounded for most SMEs — that the perimeter is actually secure.
Reactive perimeter posture versus governed perimeter posture
FortiBleed exposes the gap between treating a firewall as a box you install and forget, and treating perimeter security as a governed, continuously managed discipline. The comparison below sets out the two postures.
Reactive posture
How many SMEs run their perimeter today
- Firewall installed once, then left on an ageing firmware build
- Admin and VPN credentials unchanged for years
- Management interface exposed to the internet for convenience
- No MFA on administration or remote-access login
- Configuration backups stored casually, not as secrets
- CISA and NCSC advisories unread or acted on too late
- No visibility of which suppliers can reach the network
Governed posture
Where Cloudswitched takes you
- Firmware tracked, patched and verified against known campaigns
- Credentials rotated on a schedule and after every disclosure
- Management interface restricted to trusted networks only
- MFA enforced on all administrative and VPN access
- Configuration files treated and protected as sensitive secrets
- Advisories monitored and acted on within a defined SLA
- Supplier and third-party access mapped, reviewed and revocable
Moving from the left column to the right is not a single purchase; it is a shift in how the business governs the devices its security depends on. It rarely means ripping out the firewall — Fortinet devices are capable and widely deployed for good reason, and the fix for FortiBleed is disciplined operation, not vendor abandonment. It means treating the perimeter as what it is: a high-value asset that holds the keys to the network, and therefore deserves the same governance, ownership and vigilance as any other critical system.
You do not need a forensic team to start. The single most valuable exercise a UK SME can run this week is a perimeter credential and exposure review: identify every firewall and VPN concentrator you operate, record the exact firmware version each is running, confirm whether its management interface is reachable from the internet, and check when its administrator and VPN credentials were last rotated. If any device is on a pre-7.2.11 FortiOS build, has an exposed interface, or has credentials older than the June disclosure, rotate every credential on it now, enforce MFA, and restrict the interface to trusted networks. Then list every supplier and third party that holds access to your environment, because the follow-on risk from FortiBleed travels through relationships, not just devices. Most businesses cannot answer these questions today, and discovering that is the entire point — it converts an invisible exposure into a managed one.
At-a-glance: the FortiBleed campaign
| Fact | Detail |
|---|---|
| What happened | A credential-harvesting campaign compromised Fortinet FortiGate firewalls at scale and monetised the access |
| Devices compromised | 73,932 FortiGate firewall URLs across 194 countries |
| Attribution | Russian-speaking threat group; attributed by researcher Volodymyr Diachenko on 13 June 2026 |
| Credential attempts | ~1.16 billion against FortiGate targets; ~2.1 billion additional MSSQL attempts |
| Cracking method | Configuration files exported and cracked offline on a 45-GPU Hashtopolis cluster |
| Monetisation | Admin and SSL VPN access sold on Exploit Forum for up to £44,000 per package |
| UK impact | UK government and Foreign Office email accounts confirmed in the dataset by S-RM on 10 July 2026 |
| Notable case | A Turkish NATO defence contractor had classified documents exfiltrated |
| Sectors affected | Government, telecoms, financial services, healthcare, manufacturing, critical infrastructure |
| Post-access activity | Active Directory enumeration scripts deployed; log-clearing markers found on attacker infrastructure |
| Official response | CISA alert published 18 June 2026, updated 22 June 2026, urging device hardening |
| Firmware factor | PBKDF2 hash storage enforced from FortiOS 7.2.11+; older hashes crackable offline |
| The core fix | Credential rotation, MFA enforcement and management-interface restriction — not firmware patching alone |
How this connects to the wider 2026 threat picture
FortiBleed does not stand alone. It is one thread in a year of UK developments all pointing the same way: cyber resilience has moved from an IT housekeeping task to a board-level, supply-chain-wide obligation, and the weakest link is increasingly the credential rather than the code. The concentration of cloud dependency now under direct regulatory oversight, the scale of breaches across ordinary UK businesses, and the arrival of AI-driven attack tooling all form the backdrop against which a compromised perimeter firewall becomes so consequential.
The systemic-dependency dimension — the recognition that the platforms underpinning UK business are now national infrastructure — is set out in our coverage of the Critical Third Party designation of Microsoft, Google, AWS and Oracle, the strategic counterpart to the operational exposure FortiBleed represents. The sheer breadth of UK exposure is captured in our reporting on the Cyber Security Breaches Survey and the 612,000 UK businesses hit, while the strategic-investment response that FortiBleed should prompt is examined in our look at Barclays’ Q1 2026 cyber investment and the Virtual CIO case. And the changing nature of the adversary — automated, AI-assisted and faster than manual defence — is the subject of our analysis of JadePuffer, the first agentic AI ransomware. Together these establish the same message FortiBleed makes concrete: the perimeter is only as strong as the governance behind it.
FortiBleed is a governance failure before it is a firewall failure
Rotating credentials, enforcing MFA, hardening management interfaces and auditing supplier access is strategic IT oversight, not a one-off task — and it is precisely what a Cloudswitched Virtual CIO provides. We turn a scramble into a governed programme, so your perimeter is a managed asset rather than an invisible liability.
Talk to us about Virtual CIO ServicesFrequently asked questions
The perimeter you forgot about is the one they are selling access to
FortiBleed turned neglected firewalls into products on a criminal marketplace. A Cloudswitched Virtual CIO brings the strategic oversight that stops your perimeter becoming one — credential rotation, MFA, interface hardening and supplier-access governance, owned and evidenced — so your business is a defended supplier, not an open door.
Talk to us about Virtual CIO Services


