Cyber Centre Daily Advisory Digest — 2026-06-18 (1 advisory)
The Canadian Centre for Cyber Security issued an alert regarding 'FortiBleed,' a widespread campaign involving the leak of thousands of compromised credentials for Fortinet firewalls and VPN gateways. Threat actors can leverage these credentials, alongside vulnerabilities like CVE-2024-55591, CVE-2025-59718, and CVE-2025-59719, to gain remote access, create unauthorized accounts, and modify critical security controls.
What Happened
A major cyber campaign called 'FortiBleed' has exposed thousands of passwords for Fortinet firewalls and VPNs. This affects organizations using Fortinet devices to secure their networks and remote access. If attackers use these leaked passwords, they can break into company networks and disable security protections. Organizations should immediately reset their Fortinet passwords, turn on multi-factor authentication (MFA), and apply the latest security updates.
Key Takeaways
- A widespread campaign known as 'FortiBleed' has exposed thousands of compromised credentials for Fortinet firewalls and VPN gateways.
- Threat actors can use these credentials to gain remote access, modify system settings, and disable critical security controls.
- Suspicious unauthorized accounts such as 'forticloud-sync' and 'forticloud-tech' have been observed on compromised devices.
- Organizations are urged to patch Fortinet devices against privilege escalation and authentication bypass vulnerabilities (CVE-2024-55591, CVE-2025-59718, CVE-2025-59719).
Affected Systems
- Fortinet firewalls
- Fortinet VPN gateways
Vulnerabilities (CVEs)
- CVE-2024-55591
- CVE-2025-59718
- CVE-2025-59719
Attack Chain
Threat actors leverage leaked credentials from the FortiBleed campaign to authenticate to Fortinet firewalls and VPN gateways. Once authenticated, or by exploiting authentication bypass and privilege escalation vulnerabilities (CVE-2024-55591, CVE-2025-59718, CVE-2025-59719), attackers gain remote access to the connected networks. They then create unauthorized accounts (such as 'forticloud-sync' or 'forticloud-tech') and modify system settings or disable critical security controls to maintain persistence and further their objectives.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The advisory does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Low — EDR agents typically cannot be installed on proprietary edge devices like Fortinet firewalls and VPN gateways.
- Network Visibility: High — Network traffic to management interfaces and VPN gateways can be monitored, and syslog from the devices can provide authentication events.
- Detection Difficulty: Moderate — Detecting the use of valid credentials can be difficult, but identifying specific unauthorized account names (e.g., forticloud-sync) is straightforward if logs are centralized.
Required Log Sources
- VPN authentication logs
- Firewall management logs
- Syslog from Fortinet devices
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Threat actors are using unauthorized or newly created accounts to access Fortinet management interfaces. | VPN and Firewall authentication logs | Initial Access | Low |
| Threat actors are modifying critical security controls or firewall rules after gaining access via compromised credentials. | Firewall audit and configuration logs | Defense Evasion | Medium |
Control Gaps
- Lack of Multi-Factor Authentication (MFA) on VPN and administrative interfaces
- Exposure of management interfaces to untrusted networks or the public internet
Key Behavioral Indicators
- Successful logins or account creation events for users named 'forticloud-sync' or 'forticloud-tech'
- Unexpected modifications to firewall rules, routing tables, or security controls by administrative accounts
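The advisory provides no detection logic, so the following is an added example (not from the Cyber Centre or Fortinet) that turns the two hunting hypotheses and the behavioral indicators above into a check over centralized FortiGate syslog. The sample lines are constructed, and the key=value field names (user, action, cfgpath, cfgobj, cfgattr) are assumed approximations of the FortiGate event schema; verify them against your own devices' logs before deploying.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a FortiGate-style key=value syslog layout.
# Field names are assumptions; confirm against your device's log schema.
SAMPLE_LOGS = [
    'date=2026-06-17 time=03:12:44 type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.10)"',
    'date=2026-06-17 time=03:13:01 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="forticloud-sync" user="admin"',
    'date=2026-06-17 time=03:14:20 type="event" subtype="vpn" action="tunnel-up" user="forticloud-tech" remip="198.51.100.7"',
    'date=2026-06-17 time=03:15:05 type="event" subtype="system" action="Edit" cfgpath="firewall.policy" cfgattr="status[enable->disable]" user="forticloud-sync"',
    'date=2026-06-17 time=09:00:00 type="event" subtype="system" action="login" status="success" user="jdoe" ui="https(10.0.0.5)"',
]

# Account names reported in the advisory as observed on compromised devices.
SUSPICIOUS_ACCOUNTS = {"forticloud-sync", "forticloud-tech"}
# Config paths whose modification maps to the "modify security controls" hypothesis.
SENSITIVE_CFG_PREFIXES = ("firewall.", "system.admin", "user.", "router.")

# Matches key="quoted value" or key=bareword; quoted form is tried first.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value syslog line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the hunting findings that apply to a single parsed event."""
    findings: List[str] = []
    user = event.get("user", "")
    action = event.get("action", "").lower()
    cfgpath = event.get("cfgpath", "")
    cfgobj = event.get("cfgobj", "")
    # Hypothesis 1 / indicator 1: any activity by a known-bad account name.
    if user in SUSPICIOUS_ACCOUNTS:
        findings.append(f"activity by suspicious account {user}")
    # Indicator 1: creation of one of those accounts by a legitimate admin.
    if action == "add" and cfgpath == "system.admin" and cfgobj in SUSPICIOUS_ACCOUNTS:
        findings.append(f"creation of suspicious admin account {cfgobj}")
    # Hypothesis 2 / indicator 2: edits to policy, admin, user or routing config.
    if action in ("edit", "delete") and cfgpath.startswith(SENSITIVE_CFG_PREFIXES):
        findings.append(f"{user} modified {cfgpath} ({event.get('cfgattr', '')})")
    return findings


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over every line; returns (raw line, finding) pairs."""
    return [(line, f) for line in lines for f in classify(parse_kv(line))]


if __name__ == "__main__":
    for raw, finding in hunt(SAMPLE_LOGS):
        print(f"{finding}\n    {raw}")
```

The second hypothesis carries medium false-positive risk, so in production the config-change rule should be paired with an allowlist of change windows or ticketed admin sessions rather than alerting on every edit.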
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider resetting passwords for all Fortinet VPN and administrative accounts.
- Evaluate whether active SSL VPN and administrative sessions should be terminated to disrupt potential unauthorized access.
- Inventory all accounts on Fortinet devices and consider disabling or removing suspicious accounts such as 'forticloud-sync' or 'forticloud-tech'.
Infrastructure Hardening
- If supported by your architecture, consider restricting access to management interfaces to trusted networks and hosts only.
- Ensure all Fortinet devices are running the latest firmware, specifically checking for patches related to CVE-2024-55591, CVE-2025-59718, and CVE-2025-59719.
- Evaluate enforcing Multi-Factor Authentication (MFA) across all external gateways and administrative interfaces.
User Protection
- Consider monitoring for unusual VPN login locations or times that deviate from normal user behavior.
Security Awareness
- Consider reminding administrators of the risks associated with credential reuse and the importance of strong, unique passwords for infrastructure management.
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1133 - External Remote Services
- T1190 - Exploit Public-Facing Application
- T1098 - Account Manipulation
- T1562.001 - Impair Defenses: Disable or Modify Tools