Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind

    Date: 06/22/2026

    Severity: Critical

    Summary

    FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways using stolen and cracked credentials rather than a software vulnerability. Researchers uncovered the operation after threat actors accidentally exposed an open directory containing validated credentials, attack tooling, automation scripts, and operational logs. The findings provide rare insight into the attackers’ infrastructure, revealing a coordinated effort to gain unauthorized access to Fortinet devices at scale.

    Indicators of Compromise (IOC) List

    IP Address
    85.11.187.8
    85.11.187.28
    193.8.187.2
    185.229.26.83
    213.169.49.142
    38.117.87.37
    198.53.64.194
    175.155.64.221

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("85.11.187.28","213.169.49.142","185.229.26.83","193.8.187.2","198.53.64.194","175.155.64.221","38.117.87.37","85.11.187.8") or srcipaddress IN ("85.11.187.28","213.169.49.142","185.229.26.83","193.8.187.2","198.53.64.194","175.155.64.221","38.117.87.37","85.11.187.8")
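    As an added example that is not part of the Gurucul advisory, the query above expressed as a stand-alone check over FortiGate-style key=value log lines: the sample lines are constructed, and the field names srcip, dstip, remip, user and action are assumptions about the log schema, not something the advisory states. Matches on a successful SSL VPN login are ranked higher, since the campaign relies on validated credentials rather than an exploit.

```python
import re

# The eight IOC addresses listed in the advisory.
FORTIBLEED_IOC_IPS = frozenset({
    "85.11.187.8", "85.11.187.28", "193.8.187.2", "185.229.26.83",
    "213.169.49.142", "38.117.87.37", "198.53.64.194", "175.155.64.221",
})

# FortiGate logs are key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample lines (assumed field names, not real device output).
SAMPLE_LOGS = [
    'date=2026-06-22 time=08:01:10 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=85.11.187.8',
    'date=2026-06-22 time=08:01:14 type="event" subtype="vpn" action="ssl-login-success" user="jsmith" remip=85.11.187.8',
    'date=2026-06-22 time=08:02:00 type="traffic" subtype="forward" action="accept" srcip=10.0.0.5 dstip=198.53.64.194 user="svc-backup"',
    'date=2026-06-22 time=08:03:00 type="event" subtype="vpn" action="ssl-login-success" user="mlee" remip=203.0.113.7',
]


def parse_kv(line: str) -> dict:
    """Parse one FortiGate-style key=value log line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def ioc_hits(lines, ioc_ips=FORTIBLEED_IOC_IPS):
    """Return one record per line whose source, destination or VPN remote IP
    is in the IOC set, mirroring 'srcipaddress IN (...) or dstipaddress IN (...)'."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        matched = {rec.get(k) for k in ("srcip", "dstip", "remip")} & ioc_ips
        if not matched:
            continue
        hits.append({
            "ip": ", ".join(sorted(matched)),
            "user": rec.get("user"),
            "action": rec.get("action"),
            # A completed VPN login from an IOC address means the credential was valid.
            "priority": "high" if rec.get("action") == "ssl-login-success" else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in ioc_hits(SAMPLE_LOGS):
        print(hit)
```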

    Reference:

    https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind

    Tags

    Threat Actor, Credential Harvesting, Fortinet
