Flash Briefing | high | Sectors: Critical Infrastructure, Finance, Government, Healthcare

FortiBleed: 73,932 FortiGate Credentials from CVE-2022-40684 Surface Four Years After Exploitation

A dataset containing VPN credentials for 73,932 Fortinet FortiGate devices was made public on 17 June 2026 in what security researchers are calling FortiBleed. The data — including usernames, password hashes, plaintext passwords in some cases, IP addresses, serial numbers, and firmware versions — was collected during active exploitation of CVE-2022-40684 in late 2022 and early 2023. That it has surfaced now, nearly four years later, is not an anomaly. It is a pattern.

The Vulnerability and the Window

CVE-2022-40684 is a path traversal vulnerability in FortiOS, FortiProxy, and FortiSwitchManager that allows unauthenticated remote attackers to read and write configuration files through the management API. CVSS score: 9.8. Fortinet patched it in October 2022 and issued an urgent advisory warning of imminent exploitation. CISA added it to the Known Exploited Vulnerabilities catalog the same month.

The exploitation window was not brief. Researchers at Shadowserver and Bishop Fox tracked hundreds of thousands of vulnerable FortiGate devices still exposed on the internet in the weeks after the patch was released. Many organisations patched the API access path but did not rotate credentials. In some cases the management interface remained reachable from the public internet, a configuration that extended the window in which attackers could operate on the device.

The FortiBleed dataset covers devices across 194 countries. Researchers estimate it represents approximately 50% of internet-reachable FortiGate deployments at the time of collection. The composition of the dataset — firmware versions, serial numbers, and per-device credentials at scale — is consistent with automated mass exploitation rather than targeted intrusion: actors scanning widely, extracting credentials from every vulnerable device reached, and archiving the results.

The Long-Tail Credential Model

The four-year gap between collection and publication reflects a well-documented monetisation pattern for mass-harvested credentials. Initial exploitation produces a dataset. The dataset has two value states: active (credentials still valid, enabling current access) and archive (credentials invalidated but useful for password pattern analysis, credential stuffing against reused passwords elsewhere, or darknet sale as bulk historical data).

Publishing or selling after a multi-year delay serves several purposes. Organisations that patched in 2022 typically treated patching as the remediation event. Credential rotation, particularly for VPN service accounts and management interface credentials, was often not performed, or was recorded as complete without verification. Many of those 2022-era credentials may still be active in 2026 on devices that have seen no administrative attention in the intervening period. The attacker who held the dataset has simply waited for the remediation window to fade from collective memory.

This pattern has appeared repeatedly: the 2021 Microsoft Exchange ProxyLogon exploitation produced credential caches that surfaced in criminal marketplaces 18 to 24 months later. The 2020 Pulse Secure VPN breach had a similar lifecycle. FortiBleed follows the same model at larger scale.

Threat Intelligence Implications

Attribution remains unconfirmed for the original exploitation. CVE-2022-40684 was exploited by multiple actors in late 2022, including suspected ransomware affiliates and intrusion sets consistent with Chinese state-sponsored activity. The structured, large-scale credential harvesting approach is consistent with both groups operating simultaneously during the exploitation window. The publication of FortiBleed does not itself indicate the current publisher conducted the original exploitation — datasets change hands.

The dataset functions as an initial access inventory. Valid credentials against an internet-facing FortiGate VPN enable remote access that appears as legitimate employee authentication. VPN logs show a connection; no exploit signature is generated; EDR on the endpoint only activates post-connection. For organisations whose 2022 FortiGate credentials remain unchanged, FortiBleed has converted what was previously a silent historic compromise into an active initial access risk.

Credential validation is likely already underway. The publication of FortiBleed will prompt systematic testing of the contained credentials against live FortiGate devices, both by researchers and by threat actors seeking to identify which entries remain valid. Organisations with affected devices should assume this testing has begun and treat credential rotation as already overdue.

Rotate all FortiGate VPN user and administrative credentials immediately — not as a scheduled task, but now. Review authentication logs from 2022 to 2023 for anomalous successful logins, particularly from non-standard geographic locations or outside business hours. Restrict management interface access to internal networks or out-of-band management infrastructure. Enable MFA for all VPN authentication. Cross-reference your FortiGate public IPs and serial numbers against the FortiBleed dataset using available threat intelligence feeds — several vendors including BitSight have published indicator checks.
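Worked example, added here and not part of the briefing or any vendor tooling: a small Python script that applies two of the steps above, reviewing FortiOS-style SSL-VPN event logs for successful logins outside business hours or from unexpected countries, and cross-referencing a device inventory against an indicator list by serial and public IP. The log field names, business hours, country list, device records and indicator values are all assumptions or constructed placeholders, not real FortiBleed data.

```python
import re
# Constructed sample lines in FortiOS key=value event-log style; the field names are
# an assumption modelled on FortiOS SSL-VPN logs and every value is invented.
SAMPLE_LOGS = [
    'date=2022-11-03 time=09:12:41 action="tunnel-up" remip=198.51.100.7 user="jdoe" srccountry="United Kingdom"',
    'date=2022-11-04 time=02:47:13 action="tunnel-up" remip=203.0.113.45 user="svc-vpn" srccountry="Reserved"',
    'date=2022-11-04 time=03:01:55 action="ssl-login-fail" remip=203.0.113.45 user="admin" srccountry="Reserved"',
    'date=2022-11-05 time=14:20:09 action="tunnel-up" remip=192.0.2.88 user="asmith" srccountry="Netherlands"',
]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare

def parse_fortios_line(line):
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

BUSINESS_HOURS = ("07:00:00", "19:00:00")               # assumption: local office hours
EXPECTED_COUNTRIES = {"United Kingdom", "Netherlands"}  # assumption: where staff connect from

def flag_suspicious_logins(lines):
    """Return successful SSL-VPN logins outside business hours or from an unexpected
    country. Failed logins are skipped: a valid credential is what matters here."""
    findings = []
    for ev in map(parse_fortios_line, lines):
        if ev.get("action") != "tunnel-up":
            continue
        reasons = []
        # zero-padded HH:MM:SS strings compare correctly as text
        if not BUSINESS_HOURS[0] <= ev["time"] <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if ev.get("srccountry") not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country: %s" % ev.get("srccountry"))
        if reasons:
            findings.append((ev["date"], ev["time"], ev["user"], ev["remip"], reasons))
    return findings

# Placeholder indicators and inventory; real FortiBleed serials and IPs come from vendor feeds.
DATASET_INDICATORS = {"serials": {"FGT-PLACEHOLDER-0001"}, "ips": {"203.0.113.9"}}
OUR_DEVICES = [{"serial": "FGT-PLACEHOLDER-0001", "public_ip": "198.51.100.1"},
               {"serial": "FGT-PLACEHOLDER-0002", "public_ip": "203.0.113.9"},
               {"serial": "FGT-PLACEHOLDER-0003", "public_ip": "192.0.2.1"}]

def devices_in_dataset(devices, indicators):
    """Match inventory by serial or public IP; a hit on either field means that
    device's 2022-era credentials must be treated as exposed and rotated."""
    hits = []
    for d in devices:
        matched = [f for f, k in (("serial", "serials"), ("public_ip", "ips")) if d[f] in indicators[k]]
        if matched:
            hits.append((d["serial"], matched))
    return hits
```

A successful login that trips either check is a lead for investigation, not proof of compromise; the point is to surface the 2022-era sessions that would otherwise look like ordinary employee authentication.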

For organisations with managed security providers, the direct question is: when were FortiGate credentials last rotated, and can you confirm MFA is enforced for VPN access?