What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at
Why It Matters
The article describes "FortiBleed," a large-scale credential-compromise campaign in which threat actors have harvested admin and VPN credentials from over 80,000 internet-facing Fortinet FortiGate firewalls worldwide, with CISA warning of ongoing exploitation and urging immediate hardening steps.[1][4][10] Public reporting attributes the activity to Russian-speaking actors and notes that the leaked credentials enable long-term unauthorized access to sensitive networks across thousands of organizations and jurisdictions.[1][3][6] From a CyberSE.AI perspective, any AI workloads, agents, or data flows that transit networks protected by compromised FortiGate appliances face elevated risks of data exfiltration, session hijacking, model/IP theft, and covert manipulation of AI inputs/outputs via man-in-the-middle positioning. Organizations should treat FortiBleed as a critical AI supply-chain exposure, conduct a full network and identity compromise assessment, rotate all credentials, enforce MFA, remove public management interfaces, and include Fortinet infrastructure explicitly in AI SBOM, threat modeling, and continuous monitoring for AI systems.
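One of the hardening steps above, removing management interfaces from the public side of the firewall, can be checked from a FortiGate configuration backup. The script below is an added example written for this digest, not code from the article, CISA, or Fortinet. It assumes the FortiOS text-backup layout (a `config system interface` block with `edit "name"` / `set role` / `set allowaccess ...` / `next` / `end`), the sample configuration is constructed, and the set of service names treated as administrative is an assumption drawn from the `allowaccess` keywords.

```python
"""Flag FortiGate interfaces with role 'wan' that still expose administrative
services. Added example, not from the article or from Fortinet; the config
excerpt is constructed and the FortiOS backup syntax is assumed."""
import re

# Constructed sample in FortiOS config-backup style (assumption about layout).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "port1"
        set role lan
        set allowaccess ping https ssh fgfm
    next
    edit "wan2"
        set role wan
        set allowaccess ping
    next
end
"""

# allowaccess keywords that grant administrative access to the appliance itself
# (assumed set; 'ping' is deliberately excluded because it is not a management service).
MANAGEMENT_SERVICES = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}


def parse_interfaces(config_text):
    """Return {name: {"role": str, "allowaccess": set}} for every interface entry
    inside the 'config system interface' block."""
    interfaces = {}
    current = None
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break  # end of the interface block
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"role": "undefined", "allowaccess": set()}
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        if line.startswith("set role "):
            interfaces[current]["role"] = line[len("set role "):].strip()
        elif line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line[len("set allowaccess "):].split())
    return interfaces


def exposed_management(config_text):
    """Return [(interface, sorted services)] for WAN-role interfaces whose
    allowaccess list includes an administrative service."""
    findings = []
    for name, attrs in parse_interfaces(config_text).items():
        if attrs["role"] != "wan":
            continue
        exposed = attrs["allowaccess"] & MANAGEMENT_SERVICES
        if exposed:
            findings.append((name, sorted(exposed)))
    return findings


if __name__ == "__main__":
    for iface, services in exposed_management(SAMPLE_CONFIG):
        print(f"{iface}: management services reachable from WAN: {', '.join(services)}")
```

Run it against an exported configuration and treat every line of output as an interface whose `allowaccess` list should lose its management services (or be moved to a dedicated, access-controlled management interface). The role field is the heuristic here; interfaces left at the default role are not flagged, so review those by hand.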
CyberSE Analysis
This signal maps to the AI supply-chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/cisa-warns-fortinet-customers-as.html