FortiBleed Fortinet credential exposure: what Hawaii businesses need to do in 2026
FortiBleed is a credential exposure campaign that, as of June 19, 2026, exposed administrator and VPN credentials for approximately 86,644 internet-facing Fortinet FortiGate devices across 194 countries — roughly half of all internet-reachable FortiGate firewalls. CISA issued a formal advisory on June 18, 2026. Any Hawaii business running a FortiGate with internet-facing management or SSL VPN should terminate sessions, rotate every administrator and VPN credential, enforce phishing-resistant MFA, remove management from the public internet, and upgrade FortiOS this week.
What is FortiBleed?
FortiBleed is the name attached to a multi-operator credential harvesting and validation campaign against internet-facing Fortinet appliances. Fortinet's June 19, 2026 PSIRT analysis states the activity involves credential reuse from previous incidents (FG-IR-26-060 and FG-IR-25-647) combined with brute force against devices with weak password hygiene and no MFA. Fortinet explicitly says this is not a new Fortinet vulnerability. There is no patch that closes the underlying exposure because the data has already left.
CISA's June 18, 2026 advisory directed organizations to terminate sessions, rotate credentials, enforce MFA, and remove FortiGate management interfaces from the public internet. The Cloud Security Alliance and Bitdefender both confirmed active exploitation of the harvested credentials in the days that followed, and the scale (about half of all internet-reachable FortiGates) makes this materially different from a typical advisory.
Why does FortiBleed matter for a Hawaii business?
FortiGate is one of the most common firewall and SSL VPN platforms among Hawaii SMBs, MSPs serving Hawaii, hospitality groups, healthcare practices, and government contractors. Many of those devices have been running for years with the same administrator account name, a single password rotation cycle, no MFA on administrator login, no MFA on SSL VPN users, and a management interface still reachable from the open internet because that was how it was deployed in 2019. Every one of those conditions is exactly what FortiBleed exploits.
The downstream risk is not just firewall compromise. Once an attacker authenticates to a FortiGate as an administrator, they can create new VPN users, change logging configuration, pivot into the internal network, and harvest domain credentials. Several publicly reported compromises at mainland businesses of the same shape as Hawaii's (small-to-mid hospitality and professional services firms) lost domain controllers within hours of FortiGate administrator compromise. Treat this as a peer to the playbook we wrote for ransomware recovery in the first 72 hours.
What does a Hawaii business need to do this week?
Step 1 — Terminate sessions and rotate credentials immediately
Terminate every active administrator and SSL VPN session on every FortiGate. Reset every Fortinet administrator password, every local VPN user password, and every service account credential (RADIUS, LDAP, integration) the FortiGate touches. Do this before you patch — patching does not invalidate credentials that already left the building. Treat any credential on an internet-exposed FortiGate as compromised until proven otherwise.
Step 2 — Enforce phishing-resistant MFA on every administrator and VPN account
FortiBleed succeeds against accounts without MFA. Enforce phishing-resistant MFA (FIDO2 / certificate-based) on every FortiGate administrator account and every SSL VPN user. SMS and push-based MFA are no longer sufficient at the perimeter — adversary-in-the-middle proxies and push fatigue defeat them. Our writeup on Entra ID passkeys for phishing-resistant MFA covers the standard.
Step 3 — Remove the management interface from public internet exposure
This is the single highest-impact mitigation. The FortiGate web UI, SSH, and FortiCloud management surfaces should not be reachable from the open internet. Restrict them to internal IP ranges, jump hosts, or an out-of-band management network. If you absolutely must keep external administration, use trusted-host allowlists, local-in policies, and a separate management VPN.
Step 4 — Upgrade FortiOS to PBKDF2-capable builds
Older FortiOS stored passwords as salted SHA-256, which is the format the FortiBleed dataset surfaces. Upgrade to FortiOS 7.2.11, 7.4.8, 7.6.1, or later so new authentications use PBKDF2. Each administrator must log in after the upgrade to replace their legacy hash; the upgrade alone does not replace existing hashes. On 7.2.x and 7.4.x, enable login-lockout-upon-weaker-encryption to fully purge SHA-256 hashes after every administrator has completed a post-upgrade login.
Step 5 — Patch the related KEV CVEs while you are in there
FortiBleed itself is not a CVE, but the following actively exploited Fortinet CVEs are in CISA's Known Exploited Vulnerabilities catalog and should be patched at the same time: CVE-2026-24858 (FortiCloud SSO authentication bypass, CVSS 9.4, FG-IR-26-060), CVE-2026-35616 (FortiClient EMS improper access control), and the December 2025 pair CVE-2025-59718 and CVE-2025-59719 (FortiCloud SSO signature verification, FG-IR-25-647). We cover the KEV patching standard for Hawaii SMBs in our KEV patching SLA writeup.
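Before walking through Steps 2 through 4 on each device, it helps to audit the exported configuration so nothing is missed. The script below is an added example, not Fortinet's or CISA's tooling: it parses the text of a FortiOS configuration export (the config/edit/set/next/end CLI syntax and the `#config-version=` header line) and reports administrators without two-factor, administrators without trusted-host restrictions, WAN-role interfaces that still allow management protocols, a FortiOS build older than the PBKDF2-capable releases named above, and any administrator whose name matches Fortinet's rogue-account list. The sample configuration is constructed, and the assumption that branches newer than 7.6 inherit PBKDF2 is ours.

```python
"""Audit a FortiOS configuration export for the hardening points in Steps 2
to 4.  Added example; the config below is constructed, not a device export."""
import re
import shlex

# First PBKDF2-capable build per branch, as stated on the page.
MIN_PBKDF2_BUILD = {(7, 2): 11, (7, 4): 8, (7, 6): 1}
MGMT_PROTOCOLS = {"https", "ssh", "http", "telnet"}
# Account names flagged in Fortinet's response guidance (from the page).
SUSPECT_ADMIN_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}

# Constructed sample: a 7.2.9 device with management open on wan1, one
# properly restricted admin and one rogue admin with no MFA or trusted hosts.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.2.9-FW-build1234-240101:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC SAMPLEHASH1
    next
    edit "forticloud"
        set accprofile "super_admin"
        set two-factor disable
        set password ENC SAMPLEHASH2
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into {section: {entry: {key: [values]}}}.
    The entry is None for settings that sit directly under a config block."""
    tree, sections, entries = {}, [], [None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, *args = shlex.split(line)          # shlex handles the quoted names
        section = " ".join(sections)
        if verb == "config":
            sections.append(" ".join(args))
            entries.append(None)
            tree.setdefault(" ".join(sections), {})
        elif verb == "edit":
            entries[-1] = args[0]
            tree.setdefault(section, {}).setdefault(args[0], {})
        elif verb == "set":
            tree.setdefault(section, {}).setdefault(entries[-1], {})[args[0]] = args[1:]
        elif verb == "next":
            entries[-1] = None
        elif verb == "end":
            sections.pop()
            entries.pop()
    return tree


def parse_version(text):
    """Read major.minor.patch from the '#config-version=' header line."""
    m = re.search(r"#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_pbkdf2_capable(version):
    major, minor, patch = version
    branch = (major, minor)
    if branch in MIN_PBKDF2_BUILD:
        return patch >= MIN_PBKDF2_BUILD[branch]
    # Assumption: branches newer than 7.6 keep PBKDF2; anything older than 7.2 lacks it.
    return branch > (7, 6)


def audit(config_text):
    """Return human-readable findings; an empty list means the export passed."""
    findings = []
    version = parse_version(config_text)
    if version is None or not version_is_pbkdf2_capable(version):
        findings.append(f"fortios-version: {version} predates the PBKDF2-capable builds (Step 4)")
    tree = parse_fortios(config_text)
    for name, attrs in tree.get("system interface", {}).items():
        exposed = set(attrs.get("allowaccess", [])) & MGMT_PROTOCOLS
        if name and attrs.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} reachable on a WAN-role interface (Step 3)")
    for name, attrs in tree.get("system admin", {}).items():
        if not name:
            continue
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor not enabled (Step 2)")
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(f"admin {name}: no trusted-host restriction (Step 3)")
        if name.lower() in SUSPECT_ADMIN_NAMES:
            findings.append(f"admin {name}: name matches Fortinet's rogue-account list")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against each device's export before and after the week's work; the goal is an empty findings list. The version check only tells you the build is PBKDF2-capable, not that every administrator has completed the post-upgrade login that replaces their legacy hash, so track that separately.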
How do I tell if my Hawaii business was already affected?
Pull FortiGate administrator audit logs, SSL VPN session logs, and domain controller authentication logs and review for: new administrator accounts you do not recognize (names like forticloud, fortiuser, fortinet-support, or fortinet-tech-support are flagged in Fortinet's response guidance); administrator logins from unfamiliar IPs, geographies, or at unusual hours; configuration export events with an external destination IP; VPN authentication events showing impossible travel; and changes to logging configuration, authentication settings, or interface permissions outside of change control.
Public lookup tools like Hudson Rock's Fortinet checker can flag exposure on a specific organization, but absence of a match does not prove no compromise — these tools index a snapshot of the leaked dataset, not your actual log evidence. Treat them as a starting point and proceed with credential rotation and log review regardless.
What does FortiBleed mean for Hawaii cyber insurance and outside-counsel obligations?
Three downstream effects worth flagging now. First, your cyber insurance carrier will ask whether you have rotated credentials and enforced MFA on every Fortinet administrator and VPN account at renewal — this is now a default question. Failing the attestation triggers exclusions or sublimits, per our 12 cyber insurance controls writeup. Second, Hawaii businesses with outside-counsel or vendor obligations (HIPAA, GLBA, CMMC, SOC 2) may have notification duties even without confirmed exfiltration, depending on contract language. Third, the Hawaii Attorney General notification clock under HRS 487N starts when a breach involving personal information is confirmed, not when it is first suspected — keep evidence and a written timeline.
If you outsource your firewall to a Hawaii MSP, what should you ask them?
The five questions worth asking your MSP this week: (1) Have you rotated administrator credentials on every FortiGate you manage for us since the CISA advisory? (2) Is MFA enforced on every administrator and SSL VPN account? (3) Has our FortiGate management interface been removed from the public internet, and if not, why? (4) What FortiOS version are we on, and when was the post-upgrade administrator login completed so PBKDF2 replaces our legacy hashes? (5) What does our log review show for the unfamiliar-account indicators above? An MSP that cannot answer all five in a day is the wrong fit; our questions to ask a Hawaii MSP guide expands on this.
What good looks like by Friday for a Hawaii business
By the end of the week, a Hawaii business with one or more FortiGate devices should have: every administrator and VPN credential rotated, phishing-resistant MFA enforced on every administrator and VPN account, the management interface removed from public internet exposure (or restricted to a documented allowlist), FortiOS upgraded to 7.2.11 / 7.4.8 / 7.6.1 or later with each administrator having logged in post-upgrade, the related KEV CVEs patched, a documented log review for the FortiBleed indicators, and a written record of the steps taken and the timeline for the next cyber insurance renewal and any vendor or client attestation request.
Frequently asked questions
What is FortiBleed and why does it matter for Hawaii businesses?
FortiBleed is a credential exposure campaign against internet-facing Fortinet FortiGate firewalls and SSL VPN gateways. As of June 19, 2026, confirmed credentials were harvested from roughly 86,644 devices in 194 countries, about half of all internet-reachable Fortinet firewalls. CISA issued a formal advisory on June 18, 2026. Any Hawaii business running a FortiGate or FortiOS SSL VPN with internet-facing management or weak password hygiene is in scope.
Is FortiBleed a new CVE that I can patch?
No. FortiBleed itself has no CVE assigned. Fortinet describes it as credential reuse from prior incidents (FG-IR-26-060 and FG-IR-25-647) plus brute-force activity against devices with weak passwords and no MFA. There is no patch that closes it. Related CISA KEV CVEs do apply, including CVE-2026-24858 (CVSS 9.4 FortiCloud SSO bypass) and CVE-2026-35616 (FortiClient EMS), and those should be patched.
What should a Hawaii business with a FortiGate do this week?
Five things, in order: terminate all administrator and SSL VPN sessions; rotate every Fortinet administrator and VPN credential immediately; enforce phishing-resistant MFA on every administrator and VPN account; remove the management interface from public internet exposure; and upgrade FortiOS to 7.2.11, 7.4.8, 7.6.1, or later so new logins use PBKDF2 instead of legacy SHA-256. Do not wait for the next maintenance window.
How do I tell if my Hawaii business is in scope for FortiBleed?
You are in scope if you operate a FortiGate with its management interface or SSL VPN endpoint reachable from the public internet, especially if administrator or VPN passwords were stored as legacy SHA-256 hashes (any device that has not yet upgraded to FortiOS 7.2.11, 7.4.8, or 7.6.1). Public lookup tools like Hudson Rock's Fortinet checker can flag potential exposure but should not replace credential rotation and log review.
What is CVE-2026-24858 and how does it relate to FortiBleed?
CVE-2026-24858 is a CISA KEV-listed FortiCloud SSO authentication bypass (CVSS 9.4, CWE-288) that allowed an attacker with any FortiCloud account and a registered device to log into other customers' devices when FortiCloud SSO was enabled. It was exploited in January 2026 against fully patched FortiOS devices to create rogue local administrator accounts. It is separate from FortiBleed but contributed to the prior-incident credential seeding.
Should a Hawaii business disable FortiCloud SSO?
Yes, on any FortiGate not yet patched against CVE-2026-24858 and FG-IR-25-647. On patched devices, re-enable only after a deliberate security review that accounts for the cross-tenant trust implications of federated administrative access. Most Hawaii businesses do not depend on FortiCloud SSO for daily operations and can leave it disabled until they harden their environment and confirm patched versions are deployed everywhere.
What logs should a Hawaii business review for FortiBleed compromise?
Pull FortiGate admin and VPN logs, plus domain controller logs, and look for new or unfamiliar administrator accounts (forticloud, fortiuser, fortinet-support, fortinet-tech-support), administrator logins from unfamiliar IPs or countries, configuration export events to external IPs, VPN sessions from impossible-travel locations, and changes to logging or authentication settings outside change control. The absence of these does not prove no compromise; compromised devices can have logging altered.
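The log review described in "How do I tell if my Hawaii business was already affected?" and in this FAQ answer can be turned into a repeatable check. The script below is an added example, not Fortinet's or CISA's tooling: it parses FortiGate key=value event logs and flags administrator logins from outside an allowlist or outside business hours, newly created administrator accounts (with the names from Fortinet's response guidance marked high severity), changes to logging or authentication configuration, configuration exports from unexpected sources, and one VPN user appearing from two different addresses within a short window as a stand-in for impossible-travel detection. Field names follow FortiGate's key=value convention, but every log line, address, user name, allowlist, business-hours window and travel window is constructed or assumed.

```python
"""Triage FortiGate event logs for the FortiBleed indicators on this page.
Added example; the log lines and thresholds below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account names flagged in Fortinet's response guidance (from the page).
SUSPECT_ADMIN_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]  # assumption: where admins connect from
BUSINESS_HOURS = range(7, 19)                             # assumption: 07:00-18:59 device local time
VPN_TRAVEL_WINDOW = timedelta(hours=1)                    # assumption: proxy for impossible travel
# Config paths whose change outside change control is an indicator (page's list).
SENSITIVE_CFG_PREFIXES = ("log.", "system.admin", "user.", "system.interface", "vpn.ssl")

# Constructed sample log, in chronological order.
LOG_SAMPLE = """\
date=2026-06-19 time=02:13:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.23)"
date=2026-06-19 time=02:15:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="fortinet-support" msg="Add system.admin fortinet-support"
date=2026-06-19 time=02:16:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.23 action="Edit" cfgpath="log.syslogd.setting" cfgobj="status" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2026-06-19 time=02:20:11 type="event" subtype="system" logdesc="Configuration backup" user="admin" srcip=198.51.100.23 action="backup" msg="Configuration backed up by admin"
date=2026-06-19 time=03:01:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="kmalia" remip=203.0.113.77 action="tunnel-up" tunneltype="ssl-tunnel" msg="SSL tunnel established"
date=2026-06-19 time=03:40:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="kmalia" remip=192.0.2.200 action="tunnel-up" tunneltype="ssl-tunnel" msg="SSL tunnel established"
date=2026-06-19 time=09:05:12 type="event" subtype="system" logdesc="Admin login successful" user="jdoe" ui="https(10.10.0.15)" srcip=10.10.0.15 action="login" status="success" msg="Administrator jdoe logged in successfully from https(10.10.0.15)"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time(ev):
    return datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")


def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def triage(log_text):
    """Return one finding string per indicator hit, in log order."""
    findings = []
    vpn_seen = defaultdict(list)  # user -> [(time, remote ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ts, who, src = event_time(ev), ev.get("user", "?"), ev.get("srcip")
        # Administrator logins: source allowlist and working hours.
        if ev.get("subtype") == "system" and ev.get("action") == "login" and ev.get("status") == "success":
            if src and not ip_allowed(src):
                findings.append(f"{ts} admin login by {who} from non-allowlisted {src}")
            if ts.hour not in BUSINESS_HOURS:
                findings.append(f"{ts} admin login by {who} outside business hours")
        # New administrator accounts, then other sensitive configuration changes.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            name = ev.get("cfgobj", "")
            sev = "HIGH" if name.lower() in SUSPECT_ADMIN_NAMES else "REVIEW"
            findings.append(f"{ts} [{sev}] admin account created: {name} by {who}")
        elif ev.get("cfgpath", "").startswith(SENSITIVE_CFG_PREFIXES):
            findings.append(f"{ts} sensitive config change {ev['cfgpath']} {ev.get('cfgattr', '')} by {who}")
        # Configuration exports from somewhere administrators should not be.
        if ev.get("action") == "backup" and src and not ip_allowed(src):
            findings.append(f"{ts} configuration export by {who} from non-allowlisted {src}")
        # Same VPN user from two different addresses inside the travel window.
        if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            remip = ev.get("remip")
            for prev_ts, prev_ip in vpn_seen[who]:
                if prev_ip != remip and abs(ts - prev_ts) <= VPN_TRAVEL_WINDOW:
                    findings.append(f"{ts} VPN user {who} from {remip} within {VPN_TRAVEL_WINDOW} of {prev_ip} (possible impossible travel)")
            vpn_seen[who].append((ts, remip))
    return findings


if __name__ == "__main__":
    for finding in triage(LOG_SAMPLE):
        print(finding)
```

Every "sensitive config change" hit still has to be reconciled against your change tickets; the script cannot know which edits were authorized. A change under `log.` deserves particular attention, because disabling remote logging is how an intruder makes the rest of this review come up empty, which is the same caveat given above about an absence of indicators not proving an absence of compromise.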