FortiBleEd IOC Dataset: How to Check Fortinet Exposure and Detect Compromised Credentials

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
FortiBleEd is a publicly circulating dataset of leaked Fortinet VPN credentials extracted from compromised FortiGate firewalls. The dataset contains plaintext username and password pairs along with the IP addresses of the affected devices, covering an estimated 73,000 firewall instances gathered across multiple threat actor campaigns between 2022 and 2025.
The name is a portmanteau of Forti (Fortinet) and bleed, referencing the way credentials bled out of devices that were exploited before patches were applied. FortiBleEd is not a CVE and not a tool. It is a data artifact: a dump of credentials that attackers collected and that researchers subsequently obtained and published for defensive purposes. Security teams use it to determine whether their FortiGate devices appear in the leaked set.
Which CVEs Enabled the FortiBleEd Credential Leaks
Three FortiOS vulnerabilities are most directly associated with the campaigns that produced the FortiBleEd dataset.
CVE-2022-40684 is a critical authentication bypass (CVSS 9.8) affecting FortiOS 7.x, FortiProxy, and FortiSwitchManager. An unauthenticated attacker can perform administrative operations by sending specially crafted HTTP or HTTPS requests. This vulnerability was actively exploited within days of disclosure in October 2022 and was immediately added to the CISA Known Exploited Vulnerabilities catalog. Attackers used it to create rogue admin accounts and dump running configurations including VPN credential stores.
CVE-2024-21762 is a critical out-of-bounds write vulnerability (CVSS 9.6) in FortiOS SSL-VPN. An unauthenticated remote attacker can execute arbitrary code by sending crafted HTTP requests to the SSL-VPN interface. Fortinet disclosed active exploitation in February 2024, and CISA added it to the KEV catalog the same month.
CVE-2024-55591 is an authentication bypass (CVSS 9.6) in FortiOS and FortiProxy disclosed in January 2025. Fortinet confirmed threat actors were exploiting it before the patch was released, targeting managed service providers and enterprise FortiGate deployments.
How to Check If Your Organization Appears in FortiBleEd
Step 1: Identify your FortiGate public IPs. Pull a list of every public IP address associated with your FortiGate firewalls and SSL-VPN portals. Include both primary and failover addresses from your asset inventory, DNS records for VPN endpoints, or your firewall management platform.
Step 2: Search the FortiBleEd dataset. Clone or download the FortiBleEd repository from GitHub. The dataset is organized as structured text files containing IP, username, and password entries. Search each of your FortiGate IPs against the dataset. Community-built checker tools also accept bulk IP lists and return match results without requiring you to handle the raw credential data directly.
Step 3: Cross-reference against threat intelligence feeds. Run your FortiGate IPs against VirusTotal, Shodan historical records, and your primary TI platform. A hit confirms that the IP was associated with a compromised device.
Step 4: Treat any match as confirmed compromise. If your IP appears in the dataset, do not attempt to determine whether the credentials are current or stale. Assume full credential compromise and proceed to remediation immediately.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
How to Use the FortiBleEd IOC List for SIEM Detection
The FortiBleEd GitHub repository contains both the full credential dump and an extracted IOC list of compromised FortiGate IP addresses. For most defensive use cases, the IP-only IOC list is the operationally relevant artifact: you can ingest it into your SIEM without handling plaintext credentials.
Splunk: Upload the IP list as a lookup table CSV. Create a lookup definition referencing the file, then write a scheduled search that cross-references authentication log source IPs against the lookup. Alert on any match.
Microsoft Sentinel: Create a Watchlist from the CSV and reference it in an Analytics Rule. The SigninLogs table can be filtered against the watchlist to surface any authentication from FortiBleEd-listed IPs.
Elastic: Use the Threat Intel module or a custom ingest pipeline to load IP indicators into the threat.indicator ECS fields. The SIEM threat match rule type correlates authentication events against ingested indicators automatically.
Immediate Remediation Steps
If your FortiGate IP appears in FortiBleEd, work through the following actions in priority order.
Force-rotate all VPN credentials. Every user account on the affected FortiGate must have their password reset, including local accounts and accounts synchronized from Active Directory or LDAP. Notify affected users and require new passwords that meet complexity requirements.
Audit administrator accounts. CVE-2022-40684 and CVE-2024-55591 both allow attackers to create or modify administrator accounts without authentication. Review all accounts with administrative access and remove any that were not explicitly provisioned by your team. Check device configuration for unauthorized changes to routing, NAT rules, or VPN split-tunnel policies.
Revoke and reissue VPN certificates. If your FortiGate SSL-VPN uses device certificates for client authentication, revoke and reissue them. Attackers who harvested VPN session data may have captured certificate material alongside credentials.
Patch FortiOS to the latest supported release. All three CVEs have patches available. Check Fortinet PSIRT advisories for the specific affected versions. Prioritize devices with internet-exposed SSL-VPN interfaces.
Enable MFA for all VPN accounts. Plaintext credentials lose most of their value if MFA is enforced. FortiGate supports TOTP, FortiToken, and RADIUS-based MFA. Require MFA before re-enabling remote access after the credential rotation.
CISA KEV Status for the Underlying CVEs
All three CVEs underlying the FortiBleEd credential leaks are listed on the CISA Known Exploited Vulnerabilities catalog. CVE-2022-40684 (CVSS 9.8) was added in October 2022 under Fortinet advisory FG-IR-22-377. CVE-2024-21762 (CVSS 9.6) was added in February 2024 under FG-IR-24-015. CVE-2024-55591 (CVSS 9.6) was added in January 2025 under FG-IR-24-535.
Organizations covered by CISA Binding Operational Directive 22-01 are required to remediate all three on the KEV-specified deadlines. All other organizations should treat KEV listing as confirmation of active in-the-wild exploitation and prioritize patching accordingly.
The bottom line
FortiBleEd is a defensive data resource derived from one of the largest known FortiGate credential exposure events. If you run FortiGate firewalls or FortiProxy devices, checking your IPs against the dataset should be a standard item on your threat exposure checklist. The underlying CVEs are severe, widely exploited, and patched, meaning any organization still running unpatched versions faces both the original vulnerability and the compounding risk that credentials may already be in attacker hands. Patch FortiOS, rotate VPN credentials, audit admin accounts, and import the FortiBleEd IP IOCs into your SIEM detection stack before end of business today.
Frequently asked questions
What is FortiBleEd?
FortiBleEd is a dataset of leaked Fortinet VPN credentials compiled from compromised FortiGate firewalls. It contains plaintext usernames, passwords, and device IP addresses sourced from threat actor campaigns that exploited critical FortiOS authentication bypass and remote code execution vulnerabilities between 2022 and 2025. The name combines Forti (Fortinet) and bleed (a reference to the credential exposure pattern). Researchers use it to check whether an organization's devices appear in the leaked set.
Which CVEs does FortiBleEd relate to?
The credential leaks underlying FortiBleEd trace to several FortiOS vulnerabilities. CVE-2022-40684 is an authentication bypass affecting FortiOS, FortiProxy, and FortiSwitchManager that allows unauthenticated attackers to perform administrative operations via crafted HTTP or HTTPS requests. CVE-2024-21762 is a critical out-of-bounds write flaw in FortiOS SSL-VPN that enables remote code execution without authentication. CVE-2024-55591 is a later authentication bypass (CVSS 9.6) disclosed in early 2025. All three appear on the CISA Known Exploited Vulnerabilities catalog and were actively weaponized before patches were widely applied.
How do I check if my organization is in the FortiBleEd dataset?
The most direct method is to search the published FortiBleEd GitHub repository (or community forks) for your organization's public IP addresses associated with FortiGate devices. Several community-built checker tools accept an IP or hostname and return whether a match exists in the dataset. You should also cross-reference your Fortinet device IPs against threat intelligence feeds that have ingested the list. If you find a match, treat all VPN credentials on that device as compromised regardless of when the breach occurred.
How do I download the FortiBleEd IOC list for SIEM detection?
The FortiBleEd dataset is hosted on GitHub. You can clone the repository or download the raw CSV and text files directly. The IOC list contains IP addresses of compromised FortiGate devices. Import these IPs into your SIEM as a threat intelligence feed and create detection rules that alert on authentication activity originating from or destined to those addresses. Splunk, Microsoft Sentinel, and Elastic all support custom IOC feed ingestion natively or through add-ons.
What immediate steps should I take if my FortiGate IP appears in FortiBleEd?
Treat the incident as a confirmed credential compromise and act in this order: force-rotate all VPN user passwords on the affected device immediately; revoke and reissue any certificates associated with the FortiGate SSL-VPN portal; audit administrator accounts for unauthorized changes introduced via CVE-2022-40684 or CVE-2024-55591; patch FortiOS to the latest supported release; enable multi-factor authentication for all VPN accounts; and review firewall logs from the exposure window for lateral movement indicators.
Are the FortiBleEd CVEs on the CISA KEV catalog?
Yes. CVE-2022-40684 was added to the CISA Known Exploited Vulnerabilities catalog in October 2022 with a Federal Civilian Executive Branch remediation deadline. CVE-2024-21762 was added in February 2024. CVE-2024-55591 was added in January 2025 after Fortinet confirmed active exploitation by threat actors targeting managed service providers. Organizations covered by CISA BOD 22-01 are required to remediate all three on schedule; all other organizations should treat KEV listing as a strong indicator of active in-the-wild exploitation.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
