Skip to content
You can now search across every topic, entity and event.What's new
Fortinet
OrganisationUS

Fortinet

US network security vendor; recurring KEV presence and FortiBleed credential exposure affecting 194 countries in 2026.

Last refreshed: 24 June 2026 · Appears in 1 active topic

Key Question

How were 86,644 Fortinet credentials collected across 194 countries without a zero-day?

Timeline for Fortinet

#1014 Jul

Mentioned in: A quiet KEV fortnight, then a 2008 bug

Cybersecurity: Threats and Defences
#108 Jul

One operator ran both ransomware brands

Cybersecurity: Threats and Defences
#91 Jul

Lynx crew cashes in FortiBleed haul

Cybersecurity: Threats and Defences
#818 Jun

86,644 Fortinet logins become a hit list

Cybersecurity: Threats and Defences
#78 Jun

Mentioned in: VPN zero-day open a month pre-patch

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
What is the Fortinet vulnerability CISA added to KEV in 2026?
CISA added CVE-2026-21643, a SQL injection vulnerability in Fortinet's network security products, to the Known Exploited Vulnerabilities catalogue in April 2026 as actively exploited.Source: CISA KEV
What is FortiBleed and does it affect my Fortinet firewall?
FortiBleed is a credential database of 86,644 Fortinet FortiGate logins spanning 194 countries, collected via credential reuse and traffic interception since at least February 2026 without any zero-day exploit. NCSC and CISA issued joint alerts on 18 June 2026 advising organisations to rotate credentials and enforce MFA on Fortinet devices.Source: NCSC / CISA joint alert, June 2026
Why does Fortinet keep appearing in CISA's KEV catalogue?
Fortinet's widely-deployed firewall and VPN products are high-value persistent targets for state and criminal actors. CISA has added multiple Fortinet CVEs to the KEV catalogue in successive years, including FortiOS vulnerabilities exploited by Chinese state-linked groups and CVE-2026-21643 (SQL injection) in April 2026, because confirmed exploitation in the wild meets the KEV threshold.Source: CISA KEV

Background

Fortinet is a major US network security vendor providing firewalls, SASE (Secure Access Service Edge), endpoint security, and SD-WAN products to enterprises and government customers globally. Its products have been a recurring target for advanced persistent threat actors; CISA has added multiple Fortinet CVEs to the Known Exploited Vulnerabilities (KEV) catalogue in successive years, including FortiOS vulnerabilities exploited by Chinese state-linked groups and CVE-2026-21643 (a SQL injection flaw) added in April 2026. In June 2026 the FortiBleed dataset (86,644 FortiGate firewall credentials spanning 194 countries) emerged without any zero-day exploit, built instead via credential reuse and traffic interception running since at least February 2026; NCSC and CISA issued joint alerts on 18 June 2026 after researcher Volodymyr Diachenko identified and dated the dataset.

Fortinet was founded in 2000 and is headquartered in Sunnyvale, California. The company competes directly with Palo Alto Networks, Check Point, and Cisco in the enterprise network security market. Its firewall and VPN products are widely deployed by government agencies, critical national infrastructure operators, and large enterprises, making them a high-value persistent target: an attacker who can enumerate credentials across Fortinet deployments in 194 countries holds a ready-made directory of network perimeters for future exploitation campaigns.

For enterprise and government security teams, Fortinet's repeated presence in the KEV catalogue and now the FortiBleed credential exposure make it a standing compliance risk item. KEV addition mandates patching within CISA deadlines for US Federal Civilian Executive Branch agencies. The FortiBleed discovery, assembled with no zero-day, also signals that credential-hygiene and MFA enforcement across perimeter appliances are as critical as patch cadence for Fortinet-heavy environments.

More questions
What should Fortinet customers do after the FortiBleed credential leak?
NCSC and CISA recommend rotating all Fortinet FortiGate credentials, enforcing multi-factor authentication on management interfaces, auditing VPN access logs for anomalous sessions, and reviewing CISA's June 2026 advisory for indicators of compromise.Source: NCSC / CISA joint alert, June 2026
How was the FortiBleed database built without exploiting a vulnerability?
The FortiBleed dataset was assembled via credential reuse from prior breaches and traffic interception at network level, not via any zero-day or unpatched CVE. It had been running since at least February 2026. This means that patched Fortinet devices with reused or weak credentials were still captured.Source: NCSC / CISA joint alert, June 2026
Source Material