Executive summary
On 24 June 2026, Fortinet publicly disclosed CVE-2026-34477 — a critical unauthenticated heap overflow vulnerability in the SSL-VPN component of FortiOS and FortiProxy. The vulnerability allows an unauthenticated remote attacker to read arbitrary memory from the device, including the full configuration file containing admin credential hashes, VPN user databases, and private keys.
Within hours of publication, mass exploitation began. Threat intelligence from GreyNoise and Shadowserver confirmed exploit traffic from hundreds of IPs, with Chinese and Russian state-affiliated infrastructure in the initial wave. Multiple incident response firms confirmed post-exploitation activity consistent with ransomware staging by the end of 24 June 2026.
The vulnerability has been dubbed “Fortibleed” by the researcher community — a reference to its structural similarity to CVE-2014-0160 (Heartbleed) in terms of the scale of exposed infrastructure, the severity of credential exposure, and the difficulty of confirming whether exploitation occurred without forensic log review.
CISA added CVE-2026-34477 to the Known Exploited Vulnerabilities catalog on 24 June 2026 with a 48-hour remediation deadline for federal agencies. HLD assesses this event as requiring emergency response posture for any organisation with FortiGate or FortiProxy in their network perimeter.