The Perimeter Became the Entry Point
FortiGate firewalls are the security perimeter for hundreds of thousands of organizations worldwide. They are the device that is supposed to stop attacks. Between May 31 and June 15, 2026, a Russian-speaking initial access broker turned 86,644 of them into credential harvesting stations. The campaign, dubbed FortiBleed, targeted 430,000 FortiGate devices across 194 countries. The method was brute force — not a zero-day, not a sophisticated exploit chain. Brute force against devices with default or weak administrative credentials.
Once a device was compromised, the attackers deployed custom sniffers that passively captured every credential passing through the firewall — VPN logins, web application passwords, API keys, database connections. The attack is self-expanding: each compromised firewall captures credentials for systems behind it, which can be used to compromise additional infrastructure. Over 110 million credentials were harvested in 16 days.
The Credential Hygiene Mirror
Thirty-five percent of compromised FortiGate credentials were generic admin accounts — admin/admin, admin/password, admin/fortinet. This is the same credential hygiene problem WebPulse documents in the WordPress ecosystem: default credentials that are never changed, admin panels exposed to the internet, and security configurations left at factory defaults. WordPress ships with a default admin username. FortiGate ships with a default admin password. The pattern is identical. The blast radius is different.
Compromised organizations include Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, and Toyota. These are not small businesses running unmanaged firewalls. These are enterprises with security teams, compliance requirements, and, presumably, password policies. The 35% default credential rate suggests that even at scale, basic security hygiene remains the weakest link.
Framework Security Behind a Compromised Perimeter
WebPulse scores frameworks on their own vulnerability surface — CVE counts, CVSS severity, EPSS exploit probability. But FortiBleed demonstrates a truth that framework-level scoring cannot capture: when the firewall is compromised, every web application behind it is exposed regardless of its framework's security posture. A Django application with zero CVEs behind a compromised FortiGate is leaking its database credentials through the firewall's sniffer. A hardened Next.js deployment behind a compromised perimeter is serving its API keys to the attacker's credential pipeline.
For CISOs: framework security is necessary but not sufficient. FortiBleed compromised 86,644 perimeters using nothing more than brute force. If your firewall administration interface is exposed to the internet with default credentials, your framework choice is irrelevant. The 110 million credentials harvested in 16 days prove that the perimeter is not the last line of defense. Increasingly, it is the first point of failure.
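As an added example (not code from the article or from Fortinet), here is a small detector for the pattern the campaign relied on: a burst of failed administrator logins from one source followed by a success. The log lines are constructed in a simplified, made-up format, not FortiGate's real syslog schema, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, made-up format (NOT FortiGate's real syslog schema):
# 203.0.113.7 hammers the admin account and then gets in; 198.51.100.5 is an ordinary user.
SAMPLE_LOG = [
    "2026-06-01T12:00:00 src=203.0.113.7 user=admin action=login status=failure",
    "2026-06-01T12:00:01 src=203.0.113.7 user=admin action=login status=failure",
    "2026-06-01T12:00:02 src=203.0.113.7 user=admin action=login status=failure",
    "2026-06-01T12:00:03 src=203.0.113.7 user=admin action=login status=failure",
    "2026-06-01T12:00:04 src=203.0.113.7 user=admin action=login status=failure",
    "2026-06-01T12:00:05 src=203.0.113.7 user=admin action=login status=success",
    "2026-06-01T12:00:10 src=198.51.100.5 user=jsmith action=login status=failure",
    "2026-06-01T12:00:30 src=198.51.100.5 user=jsmith action=login status=success",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"action=login status=(?P<status>success|failure)$")

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed logins inside a sliding window.
    Returns {src: {"first": oldest_failure_ts, "failures": n, "success": (user, ts) or None}}."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # skip unparseable lines rather than crash the detector
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        if ev["status"] == "failure":
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first": q[0], "failures": len(q), "success": None}
        elif src in alerts and alerts[src]["success"] is None:
            alerts[src]["success"] = (ev["user"], ts)  # burst then a login: likely compromise
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG)` flags only 203.0.113.7, with the successful `admin` login recorded after the five failures; the single failure from 198.51.100.5 stays below the threshold.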


