The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory on June 18, 2026, warning organizations worldwide that attackers are actively exploiting compromised FortiGate SSL VPN credentials to breach networks and hijack Windows Active Directory domains. The campaign, dubbed FortiBleed by security researchers, has already resulted in multiple confirmed intrusions, with threat actors using the stolen VPN access to move laterally, extract NTLM hashes, and perform Kerberos attacks to gain full control of Windows-based enterprise environments.

The alert follows weeks of mounting incidents reported to CISA and the FBI, in which internet-facing FortiGate firewalls—even those running fully patched firmware—were breached using valid credentials obtained through earlier data leaks, phishing operations, or credential-stuffing attacks. Once inside the VPN tunnel, attackers rapidly escalated privileges, targeting domain controllers and the Active Directory identity store. CISA has added three related CVEs to its Known Exploited Vulnerabilities catalog and is urging Fortinet customers to implement strict hardening measures immediately.

Anatomy of the FortiBleed Attack Chain

Unlike zero-day exploits that dominate headlines, FortiBleed relies on old-school credential theft, but with devastatingly modern consequences. The attackers do not need to bypass the FortiGate’s perimeter defenses; they walk right through the front door. Initial access typically stems from one of three sources:

  • Credential dumps from third-party breaches: Many organizations reuse passwords across services, and VPN credentials exposed in previous platform leaks are being sold on dark web forums. Attackers replay these leaked username and password lists against FortiGate SSL VPN portals until one pair works.
  • Spear‑phishing campaigns targeting VPN users: Highly customized emails trick employees into revealing their FortiClient credentials or install information‑stealing malware that captures the VPN login during authentication.
  • Exploitation of MFA fatigue: Even where multi‑factor authentication is enabled, attackers are using push‑notification bombing and social engineering to trick users into approving malicious logins, effectively defeating the second factor.

Once inside the SSL VPN, the intruder has the same network access as the compromised user. However, FortiBleed actors immediately begin reconnaissance for Active Directory resources. They enumerate domain controllers, DNS servers, and SYSVOL shares, then attempt a technique known as Kerberoasting—requesting service tickets for known service principal names and cracking them offline to obtain plaintext service account passwords. Combined with Pass-the-Hash and DCSync attacks, this gives them control over the entire Windows domain.

Worse, the attackers often install persistent backdoors by creating fake machine accounts or registering a malicious scheduled task on the domain controller, ensuring they can return even after the initial VPN session is terminated.
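The reconnaissance-to-DCSync chain described above leaves a recognisable trail in the domain controllers' Security log. The following is an added example of detection logic for it, written for this article rather than taken from the advisory, Microsoft or Fortinet. It runs over a constructed list of Windows Security events reduced to the fields a SIEM normally extracts from Event ID 4769 (service ticket requested) and 4662 (operation on a directory object); the threshold, the time window and the domain controller account names are assumptions to tune per environment.

```python
"""Detection logic for the post-VPN Active Directory techniques named above.

Added example, not from the advisory, Microsoft or Fortinet. The input is a
constructed list of Windows Security event records reduced to the fields a
SIEM normally extracts from Event ID 4769 (Kerberos service ticket requested)
and 4662 (operation performed on a directory object). Thresholds, the window
and the DC account names are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Documented control-access-right GUIDs for directory replication. A 4662 that
# carries one of them from an account that is not a domain controller is the
# classic DCSync signal.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"            # TicketEncryptionType favoured by offline crackers
KERBEROAST_THRESHOLD = 5     # distinct SPNs from one account inside WINDOW
WINDOW = timedelta(minutes=2)
DC_ACCOUNTS = {"DC01$", "DC02$"}   # assumed domain controller machine accounts
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def _tgs(ts, user, spn, etype):
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": spn, "TicketEncryptionType": etype}

def _obj(ts, user, obj, guid):
    return {"EventID": 4662, "TimeCreated": ts, "SubjectUserName": user,
            "ObjectName": obj, "Properties": "Control Access {%s}" % guid}

# Constructed sample: jdoe bulk-requests RC4 tickets for six SPNs in 19 seconds
# (Kerberoasting), asmith uses AES normally, svc_legacy asks for one RC4 ticket,
# DC02$ replicates legitimately and jdoe then requests replication rights (DCSync).
EVENTS = [
    _tgs("2026-06-18T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    _tgs("2026-06-18T09:00:05", "jdoe@CORP.LOCAL", "svc_http", "0x17"),
    _tgs("2026-06-18T09:00:09", "jdoe@CORP.LOCAL", "svc_mssql2", "0x17"),
    _tgs("2026-06-18T09:00:12", "jdoe@CORP.LOCAL", "svc_ftp", "0x17"),
    _tgs("2026-06-18T09:00:15", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    _tgs("2026-06-18T09:00:20", "jdoe@CORP.LOCAL", "svc_ldap", "0x17"),
    _tgs("2026-06-18T09:01:00", "asmith@CORP.LOCAL", "svc_sql", "0x12"),
    _tgs("2026-06-18T09:01:30", "svc_legacy@CORP.LOCAL", "svc_print", "0x17"),
    _obj("2026-06-18T09:04:00", "DC02$", "DC=corp,DC=local",
         "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    _obj("2026-06-18T09:05:12", "jdoe", "DC=corp,DC=local",
         "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    # constructed GUID that is not a replication right: ordinary object access
    _obj("2026-06-18T09:06:00", "svc_backup", "CN=Users,DC=corp,DC=local",
         "0f0f0f0f-0000-4000-8000-000000000001"),
]

def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD, window=WINDOW):
    """Map user -> number of distinct SPNs for users that requested at least
    `threshold` distinct RC4-encrypted service tickets within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            per_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):   # sliding window over sorted requests
            spns = {spn for ts, spn in reqs[i:] if ts - start <= window}
            if len(spns) >= threshold:
                hits[user] = len(spns)
                break
    return hits

def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """List (user, object) for 4662 events that request replication rights
    from an account that is not a known domain controller."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = set(GUID_RE.findall(e.get("Properties", "").lower()))
        if guids & REPLICATION_GUIDS and e["SubjectUserName"] not in dc_accounts:
            alerts.append((e["SubjectUserName"], e["ObjectName"]))
    return alerts

if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(EVENTS))
    print("DCSync:", detect_dcsync(EVENTS))
```

The RC4 filter matters: modern clients negotiate AES, so a burst of 0x17 tickets from one user is rarely legitimate, and restricting the rule to it keeps the false-positive rate low on busy domains. The DCSync rule keys on the replication GUIDs rather than on the account name, so it still fires when the attacker uses a freshly created or renamed account.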

CISA’s Directive: Hardening Measures That Go Beyond Patching

The CISA advisory specifies that simply applying the latest FortiOS updates is insufficient because FortiBleed exploits operational misconfigurations and weak authentication practices, not necessarily a software vulnerability. The agency recommends a layered defense approach:

1. Eliminate Password‑Only VPN Authentication

Passwords alone are now a critical liability. CISA mandates that all FortiGate SSL VPN deployments move to certificate-based authentication or FIDO2 security keys. If these are not feasible, the organization must enforce MFA with one-time codes generated by an authenticator app, not push notifications sent to a mobile device. The agency explicitly warns against SMS and phone-call verification because of known SIM-swapping attacks.

2. Restrict VPN Access to Known IP Ranges

Geofencing and IP whitelisting dramatically reduce the attack surface. Administrators should configure the FortiGate to accept SSL VPN connections only from the static IP blocks of branch offices, partner networks, or specific cloud providers used by employees. CISA strongly discourages allowing login from generic residential or anonymous proxy IPs.

3. Implement Real‑Time Session Monitoring and Anomaly Detection

Standard network logs are not sufficient. Organizations should feed FortiGate VPN events into a SIEM that correlates login times, geolocation, and post‑authentication behavior. Any user who suddenly accesses domain controllers or performs atypical NetSession calls should trigger an immediate incident response.
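Items 2 and 3 above can be enforced with a single correlation rule in the SIEM. What follows is an added example written for this article, not code from CISA, Fortinet or Microsoft: it parses FortiGate SSL VPN event lines in the FortiOS key=value syslog style, rejects logins whose source address is outside the allowed ranges from the IP whitelisting step, and flags any VPN user who touches a domain controller within a short window of connecting. The log lines and post-authentication events are constructed; the allowed ranges, domain controller names and ten-minute window are assumptions.

```python
"""Correlate FortiGate SSL VPN logins with post-authentication AD activity.

Added example, not from the advisory, CISA or Fortinet. It covers two of the
hardening items above: checking every VPN login source against the allowlisted
IP ranges, and flagging a VPN user who reaches a domain controller shortly
after connecting. The log lines are constructed in the FortiOS key=value
syslog style (date, time, action, user and remip are the field names FortiGate
VPN event logs use); the allowed ranges, DC names and time window are assumed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/25")]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
POST_AUTH_WINDOW = timedelta(minutes=10)

VPN_LOG = """\
date=2026-06-18 time=08:55:10 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="asmith" remip=198.51.100.23
date=2026-06-18 time=09:02:41 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jdoe" remip=203.0.113.45
date=2026-06-18 time=09:03:02 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="asmith" remip=198.51.100.23
date=2026-06-18 time=09:10:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="hdesk" remip=192.0.2.7
"""

# Constructed post-authentication events as a SIEM would normalise them from
# the domain controllers' own logs (e.g. share access or logon events).
AD_ACCESS = [
    {"time": "2026-06-18T09:05:30", "user": "jdoe",   "host": "DC01", "what": "SYSVOL share read"},
    {"time": "2026-06-18T09:06:10", "user": "jdoe",   "host": "DC02", "what": "LDAP bind"},
    {"time": "2026-06-18T08:58:00", "user": "asmith", "host": "FS01", "what": "projects share read"},
    {"time": "2026-06-18T10:30:00", "user": "hdesk",  "host": "DC01", "what": "LDAP bind"},  # outside the window
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate_line(line):
    """Turn one key=value syslog line into a dict and add a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["date"] + "T" + fields["time"])
    return fields

def vpn_logins(log_text):
    """Only the tunnel-up events: one per successful SSL VPN connection."""
    parsed = [parse_fortigate_line(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in parsed if f.get("action") == "tunnel-up"]

def outside_allowlist(ip, ranges=ALLOWED_RANGES):
    """True when the source address is in none of the permitted networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ranges)

def correlate(log_text=VPN_LOG, ad_events=AD_ACCESS, window=POST_AUTH_WINDOW):
    """Return (user, rule, detail) alerts for logins from outside the allowlist
    and for domain-controller access within `window` of a VPN login."""
    alerts = []
    for login in vpn_logins(log_text):
        user, ip, ts = login["user"], login["remip"], login["ts"]
        if outside_allowlist(ip):
            alerts.append((user, "vpn-login-outside-allowlist", ip))
        for ev in ad_events:
            t = datetime.fromisoformat(ev["time"])
            if ev["user"] == user and ev["host"] in DOMAIN_CONTROLLERS and ts <= t <= ts + window:
                alerts.append((user, "dc-access-after-vpn-login", f'{ev["host"]}: {ev["what"]}'))
    return alerts

if __name__ == "__main__":
    for alert in correlate():
        print(*alert)
```

In production the allowlist check belongs on the FortiGate itself as a source-address restriction on the SSL VPN settings, with this rule as a second line that catches configuration drift; the correlation half is what turns a single VPN login into an incident when it is followed by domain controller access that the user's role does not explain.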

4. Isolate VPN Users from Critical Infrastructure

CISA advises placing high‑privilege Active Directory assets on a separate management VLAN that is inaccessible from the VPN subnet. Domain controllers, DNS, DHCP, and certificate authority servers should all be firewalled off unless the user authenticates a second time over a privileged access workstation.

Why Windows Active Directory Is the True Target

FortiBleed is not merely a network intrusion; it is a full‑scale identity theft operation. Active Directory serves as the single source of truth for user permissions across the entire enterprise, making it the ultimate prize for any attacker. Once the adversary seizes control of a domain, they can:

  • Create invisible “shadow” user accounts with Domain Admin privileges.
  • Dump the NTDS.dit database to obtain every password hash in the organization.
  • Deploy ransomware simultaneously to all domain‑joined machines.
  • Steal email, confidential files, and proprietary code repositories.
  • Disable or manipulate backups so recovery becomes impossible.

The widespread damage from such a breach can take months or even years to fully assess, and in many cases the simplest remediation is a complete “domain burn” and rebuild from scratch—a multi‑million dollar undertaking.

Immediate Steps for Windows and FortiGate Administrators

While CISA’s official hardening guidance is comprehensive, security teams should prioritize actions that yield the fastest risk reduction. The following checklist represents an emergency response playbook:

  • Rotate the KRBTGT account password twice: This will invalidate any stolen Kerberos tickets and break the attacker’s persistence. Use Microsoft’s Reset-KrbtgtPassword.ps1 script.
  • Audit all domain accounts created in the last 90 days: Look for any suspicious user or computer objects, especially those with high privileges.
  • Enable Advanced Audit Policies: Set “Audit Kerberos Service Ticket Operations” and “Audit Network Policy Server” to log every TGS request and MFA challenge.
  • Deploy Microsoft Defender for Identity: Its sensors can detect DCSync, Golden Ticket, and Pass-the-Hash attacks in real time.
  • Temporarily disable SSL VPN: If remote access is not essential, turn it off until the hardening steps are in place.
  • Force a password reset for all VPN users: Assume every password is compromised. Require users to create a new, complex password and register a new MFA device.
  • Review FortiGate local user databases: Delete any dormant accounts and enforce a strong password policy (minimum 14 characters, expiration every 30 days).

The Bigger Picture: SSL VPNs as an Increasing Liability

FortiBleed is not an isolated incident. Over the past two years, SSL VPN appliances from every major vendor—Cisco, Pulse Secure, SonicWall, Palo Alto Networks—have been targeted in similar credential‑based attacks. The fundamental problem is that VPN concentrators sit directly on the network edge, exposing a complex authentication service to the entire internet. Any weakness in that service, whether technical or human, grants an attacker a foothold inside the firewall.

Industry experts have long argued that legacy VPNs should be replaced with zero‑trust network access (ZTNA) solutions that hide applications behind a broker and require continuous verification. CISA’s FortiBleed alert may accelerate this transition. “Organizations that still rely on perimeter‑based VPN should use this as a wake‑up call,” said Jake Williams, a former NSA hacker and current SANS instructor. “The threat model has changed—you can’t trust that the person on the other end of that TLS tunnel is actually your employee.”

Community Reaction and Real‑World Impact

Within hours of the CISA advisory, Windows and Fortinet communities lit up with discussion. System administrators on forums shared harrowing stories of discovering FortiBleed infections only after noticing unusual Active Directory replication traffic. One IT manager posted that his team found a set of Domain Admin accounts named with random strings, created through a stolen VPN credential of a helpdesk technician who had “reset password” rights.

Fortinet’s own incident response team confirmed that they had observed multiple campaigns associated with FortiBleed, though they declined to attribute activity to a specific nation‑state group. The company released an updated FortiGuard alert urging all customers to review their SSL VPN settings and to use the FortiGate “credential stuffing” defense feature that rate‑limits failed login attempts.

On the Windows side, Microsoft issued out-of-band guidance for hardening Active Directory against credential‑based attacks, including a new GPO template that restricts the use of NTLM authentication. The company also emphasized that its newly announced “Windows Identity Protection” suite—integrated with Defender for Endpoint—can detect and block DCSync operations even if the attacker has Administrator privileges.

What This Means for the Future of Enterprise Security

FortiBleed underscores a painful truth: perimeter appliances are only as strong as the weakest credential used to log into them. As long as passwords remain part of the authentication flow, organizations will be vulnerable. The likely outcome of this incident will be a regulatory push for mandatory multifactor authentication on all remote access gateways, similar to requirements that financial institutions face.

For Windows administrators, the lesson is clear: Active Directory must be protected with an “assume breach” mentality. That means implementing tiered access, just‑in‑time privileges, and real‑time anomaly detection that can spot a rogue Domain Admin creation within seconds. The days of treating AD as a trusted and static database are over.

CISA’s warning carries the weight of a government agency that has seen the full extent of the damage. The directive is not advisory; it is an expectation that every organization running FortiGate devices will act immediately. Those who ignore it risk not only a devastating breach but also potential liability and regulatory fines for failing to follow federal cybersecurity recommendations.

Conclusion: Act Now, Before It’s Too Late

The FortiBleed campaign is active, sophisticated, and ruthlessly efficient. It does not exploit a zero‑day vulnerability that can be patched with a firmware update—it exploits the human factor and the architectural weakness of legacy VPNs. The CISA advisory of June 18, 2026, provides a detailed roadmap for defense, but the window for action is closing fast.

Organizations must treat this alert with the same seriousness as a fire alarm. Disable unnecessary SSL VPN services immediately. Enforce certificate-based authentication wherever possible. Isolate domain controllers from VPN subnets. Reset all privileged credentials. Monitor logs for even the faintest trace of Kerberos ticket anomalies. FortiBleed has already torn through networks that were thought to be secure; the only question now is whether your organization will be next.