73,932
Fortinet firewalls in the FortiBleed credential database
0
Publicly downloadable IOC lists from the FortiBleed leak
48 hrs
Recommended window to rotate VPN credentials after confirmed exposure
1 tool
Authorized domain exposure checker: Hudson Rock Cavalier

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Every search for a 'FortiBleed download,' 'FortiBleed IOC list,' or 'FortiBleed checker' ends somewhere unhelpful: credential aggregator sites, pastebin mirrors, and general Fortinet advisories that do not answer the actual question. This page answers it directly.

No publicly downloadable FortiBleed IOC list exists for defenders to ingest. The credential database itself is not released in any form accessible to the security community for bulk verification. What exists is a single authorized domain checker and a set of behavioral indicators that any SIEM can be configured to surface.

The rest of this guide covers where to check, what to detect, and what to do when exposure is confirmed.

What IOCs exist for FortiBleed (and what does not)

The FortiBleed dataset consists of VPN credentials extracted from 73,932 FortiGate firewall configuration files. The leaked records include the device management IP address, firmware version string, VPN portal URL, administrator usernames, and plaintext credentials scraped from the configuration export. The dataset does not include routing tables, ACLs, or other configuration details that would yield traditional network IOCs.

For defenders, this means there are no IP blocklists, no domain blocklists, and no file hashes to ingest. The threat is not a specific attacker infrastructure. It is the credential set itself, now circulating among threat actors who use it for credential stuffing against FortiGate VPN portals.

What does exist:

  1. The Hudson Rock domain checker lets organizations query whether their managed domains appear in the leaked dataset, indicating that one or more of their FortiGate firewalls' credentials are exposed.

  2. Firmware version exposure: the leaked records contain Fortinet firmware version strings. Devices running vulnerable firmware at the time of scraping may be included regardless of whether Hudson Rock surfaces the domain explicitly.

  3. Behavioral IOCs: once attackers have the credential set, their use of it against your VPN portal generates authentication anomalies that SIEM rules can surface. These are the highest-value detection artifacts available for this leak.

How to check if your domain is in the FortiBleed leak

Hudson Rock's Cavalier intelligence platform provides the only authorized domain exposure check for FortiBleed. The process is straightforward, but there are pitfalls that produce false negatives.

Query your primary corporate domain

Navigate to cavalier.hudsonrock.com and enter your primary corporate domain (example.com, not vpn.example.com). Hudson Rock checks against the email domain extracted from credential records. A match means credentials from one or more of your FortiGate devices are in the dataset.

Check subsidiary domains separately

The leak was scraped from individual device configurations. Subsidiary organizations on different email domains will not appear in a parent domain query. Run the check for each subsidiary domain and each recent acquisition separately.

Do not use third-party FortiBleed checker sites

Sites other than Hudson Rock Cavalier claiming to offer FortiBleed database search or download are either scams harvesting your query data, credential aggregators logging your domain for targeting, or honeypots. Hudson Rock is the only vetted source for domain-level exposure verification.

Verify firmware version exposure independently

Cross-reference your FortiGate device inventory against the affected firmware version ranges documented in Fortinet's PSIRT advisory. Devices in the vulnerable range should be treated as exposed regardless of the domain check result, because a negative domain check does not confirm the device credentials were not scraped.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Behavioral IOCs: what your SIEM should flag

Since no static IOC list exists for FortiBleed, the detection surface is entirely behavioral. Attackers using FortiBleed credentials will attempt authentication against your VPN portal, and the authentication attempts generate log entries your SIEM can query against FortiGate SSL-VPN authentication logs.

Authentication burst from new source IP: A cluster of five or more authentication attempts within 60 seconds against your FortiGate SSL-VPN portal from an IP address not seen in the previous 30 days. Credential stuffing operations test large credential sets in rapid succession.

First-seen country authentication success: A successful VPN authentication from a country not in the user's prior 90-day authentication history. Buyers of the FortiBleed credential set are globally distributed and will test credentials without regard for the victim's geography.

Multiple account attempts from single source: More than three distinct username attempts from the same source IP within a 10-minute window. Credential stuffing tools without per-account delay logic produce this signature consistently.

Authentication success after extended inactivity: A successful VPN authentication for a user account that has shown no activity for more than 90 days. Stale credentials frequently survive rotation cycles and represent the highest-value targets in a credential stuffing campaign.

Off-hours success from new IP: Any successful authentication outside business hours from an IP address not previously associated with the user. Attackers purchasing leaked credentials operate in their own time zone, not the victim's.

Sigma rules for FortiBleed credential stuffing detection

The following detection logic targets the behavioral patterns most consistent with FortiBleed credential use against Fortinet SSL-VPN portals. These rules are written in generic Sigma format and require translation to your SIEM's query language using sigma-cli.

Rule 1: Authentication burst from new source

title: FortiGate SSL-VPN Credential Stuffing Burst status: experimental description: Rapid VPN auth attempts from a previously unseen IP, consistent with FortiBleed stuffing logsource: category: firewall product: fortinet detection: selection: eventid: '0100032003' timeframe: 60s condition: selection | count() by srcip > 5 falsepositives:

  • VPN client reconnect storms after network interruption level: high tags:
  • attack.credential_access
  • attack.t1110.004

Rule 2: Multi-account spray from single source

title: FortiGate Multi-Account Credential Spray status: experimental logsource: category: firewall product: fortinet detection: selection: eventid|startswith: '010003' timeframe: 600s condition: selection | count(distinct username) by srcip > 3 level: high

Note: FortiGate event IDs vary by firmware version. Verify against your firmware's log ID reference before deploying. Both rules require a 30-day source IP baseline per user to suppress false positives from employees who travel or change ISPs.

Shodan dork: verify FortiGate internet exposure

Before running the Hudson Rock checker, verify whether your FortiGate management interfaces are internet-exposed at all. Internet-exposed FortiGate management interfaces compound FortiBleed risk because authenticated attackers can log in directly rather than only through the SSL-VPN portal.

Shodan query for FortiGate exposure by organization:

product:"FortiGate" org:"Your Organization Name"

or by IP range:

product:"FortiGate" net:203.0.113.0/24

A result that includes your organization's IPs and returns a FortiGate management interface means that interface is directly internet-exposed. The management interface should not be internet-routable. Restrict it to a management VLAN reachable only via out-of-band access or a separate administrative VPN with hardware token authentication.

Censys.io provides an alternative search with different crawl coverage if Shodan does not surface your devices. Use both for complete exposure verification.

Remediation after exposure confirmation

If Hudson Rock confirms your domain is in the FortiBleed dataset, or if your device firmware was in the vulnerable range at scraping time, treat the exposure as confirmed and execute these steps.

Rotate all FortiGate admin and VPN credentials

Change every administrator password and VPN user credential on affected devices within 48 hours of confirmed exposure. Prioritize accounts with admin-level privileges first, then VPN user accounts sorted by access scope.

Enable certificate-based or FIDO2 VPN authentication

Credential stuffing attacks require password-based authentication to succeed. Migrating VPN authentication to client certificate mutual TLS or FIDO2 hardware tokens eliminates the attack surface entirely. FortiGate supports certificate-based VPN authentication natively.

Enable VPN authentication rate limiting

Configure authentication lockout after 5 failures per 60 seconds per source IP on the SSL-VPN portal. FortiGate supports per-source rate limiting natively. This disrupts single-source burst attempts but does not stop distributed credential stuffing.

Restrict VPN portal access to known IP ranges

If your user population connects from predictable IP ranges, apply an IP allowlist to the VPN portal login page. This dramatically reduces the attack surface even if users have password-based authentication enabled.

Patch FortiOS to current firmware

The vulnerability used to extract FortiBleed credentials has been patched in updated FortiOS releases. Confirm all FortiGate devices are running firmware released after the vulnerability's disclosure. Unpatched devices remain vulnerable to future credential scraping.

The bottom line

FortiBleed has no downloadable IOC list and no traditional network IOCs to block. The threat surface is entirely behavioral: attackers have the credentials and will test them against your VPN portal until they find valid pairs that were not rotated. The detection surface is the authentication log.

Deploy the Sigma rules above against your FortiGate authentication logs, rotate all VPN credentials on potentially affected devices, and enforce certificate-based or FIDO2 authentication on every VPN portal you operate. Credential stuffing attacks against FortiBleed credentials are ongoing -- the window to rotate before attackers succeed narrows every week.

For the full technical breakdown of how the FortiBleed credentials were extracted and what firmware versions are affected, see the FortiBleed credential leak analysis.

Frequently asked questions

Can I download the FortiBleed credential database or IOC list?

No. There is no publicly available FortiBleed credential download or IOC list released for use by defenders. The credential database circulates in threat actor communities and is not accessible through legitimate security research channels. Third-party sites claiming to offer FortiBleed downloads are either scams, credential aggregators logging your query, or honeypots. The only authorized domain exposure check is the Hudson Rock Cavalier checker at cavalier.hudsonrock.com.

Is there a FortiBleed checker tool I can use?

Yes. Hudson Rock's Cavalier threat intelligence platform provides a domain-based exposure check that queries whether your organization's email domain appears in the FortiBleed dataset. Navigate to cavalier.hudsonrock.com and enter your corporate email domain (not the VPN URL -- the email domain used in administrator account usernames). Check all subsidiary domains separately, as the database is indexed per domain.

Which FortiGate firmware versions are included in the FortiBleed leak?

The FortiBleed credential scraping exploited an authentication bypass vulnerability in Fortinet FortiOS. The scraping targeted internet-exposed FortiGate management interfaces and SSL-VPN portals running vulnerable firmware versions. Devices on firmware versions released after Fortinet's patch for the authentication bypass vulnerability are not vulnerable to the same scraping technique. However, credentials extracted before patching remain exposed until rotated. Check Fortinet's PSIRT advisory for the complete affected version list and confirm your current firmware is past the patched release date.

What SIEM detection rules detect FortiBleed credential stuffing?

FortiBleed credential stuffing leaves authentication anomaly traces in FortiGate SSL-VPN logs. Key detection patterns: (1) more than 5 authentication failures per minute from a single source IP not previously seen; (2) more than 3 distinct username attempts from the same source IP within 10 minutes; (3) successful authentication from a country not in the user's prior 90-day history; (4) successful authentication from an account inactive for more than 90 days. Sigma rules targeting FortiGate event IDs 0100032003 (auth failure) and 0100032001 (auth success) implement these patterns.

Are there FortiBleed IP addresses or C2 infrastructure IOCs to block?

No. FortiBleed is a credential leak, not a malware campaign with attributable infrastructure. There are no FortiBleed-specific C2 IP ranges, domains, or file hashes to block. Credential stuffing attacks originating from the leaked dataset will come from residential proxy networks, commercial VPN exit nodes, and distributed botnet infrastructure -- the same infrastructure used for all credential stuffing campaigns, not IOCs unique to FortiBleed. IP-based blocking is ineffective against distributed credential stuffing. Focus on rate limiting and phishing-resistant authentication instead.

How long are FortiBleed credentials valid after the leak?

FortiBleed credentials remain valid until explicitly rotated, regardless of how long ago the leak occurred. Static VPN passwords that were not changed after the leak disclosure are still valid today if the account still exists. This is why credential rotation is the critical remediation action -- not patching alone. Patching the FortiOS vulnerability prevents future scraping, but the credentials already extracted before patching are still exposed and usable by anyone with access to the FortiBleed dataset.

What is the Shodan dork to check FortiGate internet exposure?

Use the query: product:"FortiGate" combined with your organization name or IP range. For IP range: product:"FortiGate" net:YOUR.IP.RANGE.0/24. For organization: product:"FortiGate" org:"Your Organization Name". A positive result means your FortiGate management interface is internet-exposed. The management interface should be restricted to a non-routable management VLAN and never directly exposed to the internet. Censys.io provides complementary coverage if Shodan does not surface your devices.

Sources & references

  1. Decryption Digest, FortiBleed: 73,932 Fortinet Firewall Credentials Exposed 2026
  2. Hudson Rock Cavalier Threat Intelligence Platform
  3. CISA Advisory AA23-165A: Fortinet Known Exploited Vulnerabilities
  4. SigmaHQ Community Detection Rules Repository
  5. Shodan: FortiGate Exposure Query

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.