Date: 06/19/2026
Severity: Critical
Summary
FortiBleed refers to the exposure and abuse of leaked credentials associated with approximately 74,000 internet-facing Fortinet devices, including FortiGate firewalls and SSL VPN gateways. Threat actors are leveraging compromised credentials to gain unauthorized access to affected environments, potentially enabling lateral movement, account compromise, and unauthorized configuration changes. Organizations are advised to reset credentials, terminate active sessions, enable phishing-resistant MFA, review logs for suspicious activity, and restrict management access to trusted networks.
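As an added example (not from the advisory and not Gurucul's code), the log review and management-access restriction recommended above, run over constructed FortiGate-style key=value login events: the field names, the trusted management ranges and the per-user VPN source baseline are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed FortiGate-style key=value login events (sample data, not real logs).
SAMPLE_LOGS = [
    'date=2026-06-18 time=09:01:10 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7',
    'date=2026-06-18 time=09:01:12 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7',
    'date=2026-06-18 time=09:01:14 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7',
    'date=2026-06-18 time=09:01:20 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.7',
    'date=2026-06-18 time=09:30:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.0.5',
    'date=2026-06-18 time=10:02:00 type="event" subtype="vpn" action="login" status="success" user="jsmith" srcip=198.51.100.9',
    'date=2026-06-18 time=10:03:00 type="event" subtype="vpn" action="login" status="success" user="jsmith" srcip=192.0.2.44',
    'date=2026-06-18 time=10:04:00 type="traffic" subtype="forward" action="accept" srcip=10.0.0.9 dstport=443',
]

# Assumptions for this example: management logins are only legitimate from these ranges,
# and VPN_BASELINE is a constructed list of source IPs previously seen per VPN user.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
VPN_BASELINE = {"jsmith": {"198.51.100.9"}}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Parse one key=value log line; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def in_trusted_net(ip):
    return any(ip_address(ip) in net for net in TRUSTED_MGMT_NETS)

def detect(lines, fail_threshold=3):
    """Return (rule, user, srcip) alerts for credential-abuse patterns in login events."""
    alerts, fails = [], defaultdict(int)
    for ev in map(parse_kv, lines):
        if ev.get("type") != "event" or ev.get("action") != "login":
            continue  # only admin and VPN login events matter here
        user, ip, ok = ev.get("user"), ev.get("srcip"), ev.get("status") == "success"
        if not ok:
            fails[(user, ip)] += 1  # count failures per user/source pair
            continue
        if fails.pop((user, ip), 0) >= fail_threshold:
            alerts.append(("success_after_failures", user, ip))  # guessed or stuffed credentials
        if ev.get("subtype") == "system" and not in_trusted_net(ip):
            alerts.append(("mgmt_login_untrusted_source", user, ip))  # management access policy gap
        if ev.get("subtype") == "vpn" and ip not in VPN_BASELINE.get(user, set()):
            alerts.append(("vpn_login_new_source", user, ip))  # possible use of a leaked VPN credential
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Sources that only appear as `mgmt_login_untrusted_source` hits are candidates for the management-access restriction; `vpn_login_new_source` hits are where the credential reset and session termination should start.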
Gurucul Model List
The Gurucul model list helps detect activity related to standard and custom Fortinet management, network, and VPN ports.
OOTB Model Names:
- Portscan Attempts Seen - Firewall - TA0001:Reconnaissance
- Excessive Inbound Non Standard Ports Activity Detected - Firewall - TA0011:Command and Control
- Excessive Activity Detected on OpenVPN Port on a Machine - Firewall - TA0011:Command and Control
- Local to Remote TCP Scanner Allow - Fortinet - TA0043:Reconnaissance
- Local to Remote SMB Scanner Allow - Fortinet - TA0043:Reconnaissance
- Excessive Activity on SMB Port Detected on a Machine - Firewall - TA0008:Lateral Movement
- Excessive Activity on MS-RPC Port Detected on a Machine - Firewall - TA0008:Lateral Movement
- Excessive Activity Detected on SQL Port on a Machine - Firewall - TA0009:Collection
- SMB Communication from IT Network to OT/DMZ Detected - Firewall - TA0008:Lateral Movement
- Firewall Policy or Rule Modification in OT Zones Detected - Firewall - TA0005:Defense Evasion
- Potential Proxy or VPN Activity - Proxy - TA0005:Defense Evasion
- Access to Anonymizer Site Detected - Proxy - TA0008:Lateral Movement