Between 13 and 17 June 2026, researchers confirmed threat-actor infrastructure hosting a large set of likely-valid credentials for Fortinet FortiGate firewalls and SSL-VPN gateways — an estimated 75,000 devices. Dubbed FortiBleed, it drew coordinated warnings from cyber agencies globally. It is the same story we wrote about in March under a different headline: the internet-facing VPN appliance is now the front door attackers prefer.

The uncomfortable part is that none of this needs a fresh zero-day. A dump of working SSL-VPN credentials lets an operator log in as a legitimate user and skip straight to the network. That is precisely how the most active ransomware crews are getting in this year, and it’s why “we have a firewall” is no longer the same sentence as “we’re protected”.

The durable fix is to stop treating the VPN as the perimeter. Identity-first access — Azure Virtual Desktop or Windows 365 behind Conditional Access, MFA on the management plane, and no SSL-VPN listener exposed to the whole internet — removes the single box whose credential leak becomes a domain-wide incident.

What it means for your businessA leaked VPN credential is a working login, not a vulnerability you can patch away. Put Conditional Access and phishing-resistant MFA in front of remote access, and retire internet-exposed SSL-VPN where AVD or Windows 365 can replace it.
Source & referenceBitsight — FortiBleed: Fortinet VPN credentials exposed ↑Field Effect — FortiBleed exposes Fortinet credentials ↑