HLD Shield · Press briefing · 25 June 2026Active exploitationPatch now

Fortibleed: mass exploitation of CVE-2026-34477 is active now

A critical heap overflow in FortiOS SSL-VPN and FortiProxy — dubbed Fortibleed — is being actively exploited at scale hours after public disclosure. Ransomware pre-positioning has been confirmed. Unauthenticated attackers can read device configurations, harvest VPN credentials, and gain full network access. If your organisation runs FortiGate or FortiProxy, this requires action today.

Fortinet · FortiOS · FortiProxyCVE-2026-34477 · CVSS 9.8Network perimeterRansomware · Nation-state

Executive summary

On 24 June 2026, Fortinet publicly disclosed CVE-2026-34477 — a critical unauthenticated heap overflow vulnerability in the SSL-VPN component of FortiOS and FortiProxy. The vulnerability allows an unauthenticated remote attacker to read arbitrary memory from the device, including the full configuration file containing admin credential hashes, VPN user databases, and private keys.

Within hours of publication, mass exploitation began. Threat intelligence from GreyNoise and Shadowserver confirmed exploit traffic from hundreds of IPs, with Chinese and Russian state-affiliated infrastructure in the initial wave. Multiple incident response firms confirmed post-exploitation activity consistent with ransomware staging by the end of 24 June 2026.

The vulnerability has been dubbed “Fortibleed” by the researcher community — a reference to its structural similarity to CVE-2014-0160 (Heartbleed) in terms of the scale of exposed infrastructure, the severity of credential exposure, and the difficulty of confirming whether exploitation occurred without forensic log review.

CISA added CVE-2026-34477 to the Known Exploited Vulnerabilities catalog on 24 June 2026 with a 48-hour remediation deadline for federal agencies. HLD assesses this event as requiring emergency response posture for any organisation with FortiGate or FortiProxy in their network perimeter.

What the vulnerability allows

The heap overflow is triggered via a specially crafted HTTP request to the SSL-VPN web interface — no authentication required, no user interaction needed. Successful exploitation gives the attacker:

  • Full read access to the device configuration file, including all admin credential hashes
  • VPN user credential database — usernames, password hashes, group memberships
  • Certificate private keys stored on the device, enabling SSL inspection bypass
  • Pre-shared keys for IPSec tunnels, enabling potential decryption of historical traffic captures
  • Network topology data — routing tables, VLAN configuration, trust relationships
  • In some confirmed cases, unauthenticated remote code execution via heap shaping (CVSS adjusted to 9.9 by Rapid7)

The secondary attack vector is significant: harvested VPN credentials allow follow-on attacks through legitimate access paths that bypass perimeter controls entirely — making detection substantially harder and extending the blast radius well beyond the initially compromised device.

Affected products and versions

ProductAffected versionsRisk status
FortiOS7.4.0–7.4.4, 7.2.0–7.2.9, 7.0.0–7.0.16, 6.4.x (EOL — no patch)Critical
FortiProxy7.4.0–7.4.4, 7.2.0–7.2.12, 7.0.0–7.0.19Critical
FortiSASECloud-hosted — vendor-patched, no action requiredVendor-mitigated

FortiSASE is cloud-hosted and was patched by Fortinet automatically — no customer action required for SaaS-managed deployments. On-premises FortiOS and FortiProxy require customer-initiated patching.

Immediate actions — do these today

01

Identify all FortiOS and FortiProxy instances immediately

Run an asset inventory query now. This includes perimeter firewalls, SD-WAN appliances, SSL-VPN concentrators, and any FortiProxy deployments. Include cloud-hosted and on-premises. If you do not have a current asset register, scan your IP ranges for Fortinet management interfaces before anything else.

02

Apply patches — treat as P1 change regardless of change windows

Upgrade to FortiOS 7.4.5, 7.2.10, 7.0.17, or FortiProxy equivalents. For FortiOS 6.4.x (EOL), isolation or emergency replacement is required — no patch is available. Given active exploitation, standard change advisory board processes should be bypassed in favour of emergency change procedures.

03

Disable SSL-VPN and management interfaces on internet-facing devices if patching is delayed

If immediate patching is not possible, restrict management access to jump-host or out-of-band networks only. Disable SSL-VPN services where operationally feasible. This is a temporary measure — it does not fully mitigate the risk but removes the most direct exploitation path.

04

Hunt for indicators of compromise — assume breach if unpatched since 21 June

Review FortiGate logs for anomalous API calls, unexpected admin account creation, config export events, or SSL-VPN session anomalies from unexpected geolocations. Known IOCs include HTTP requests to /api/v2/monitor/system/firmware with oversized payloads. Engage your SIEM and run threat hunts against the provided IOC list.

05

Notify your security operations team and invoke your incident response playbook

This is a mass-exploitation event. Even if you patch immediately, you must confirm no pre-patch compromise occurred. If you do not have FortiGate log retention going back to 21 June 2026, treat the device as potentially compromised and conduct a forensic review before trusting traffic through it.

Incident timeline

18 June 2026

Fortinet privately notifies select enterprise partners of a critical heap overflow vulnerability in FortiOS SSL-VPN and FortiProxy. Patch not yet publicly available. Coordinated disclosure window begins.

21 June 2026

Shadowserver and GreyNoise begin detecting low-volume scanning of FortiGate management interfaces consistent with pre-exploitation reconnaissance — before public disclosure.

23 June 2026

Fortinet publishes FG-IR-26-441 and CVE-2026-34477 (CVSS 9.8 Critical). Patches released for FortiOS 7.4.x, 7.2.x, 7.0.x, and FortiProxy 7.4.x, 7.2.x. The vulnerability is dubbed "Fortibleed" by the researcher community — a reference to its structural similarity to Heartbleed in terms of mass exposure and impact class.

23 June 2026 (within hours)

Mass exploitation begins. GreyNoise records exploit traffic from over 400 unique source IPs within 6 hours of public disclosure. Chinese and Russian threat actor infrastructure identified in initial wave.

24 June 2026

CISA adds CVE-2026-34477 to the Known Exploited Vulnerabilities catalog. Federal agencies under FCEB directive given 48-hour remediation deadline. Multiple ransomware pre-positioning incidents confirmed by incident response firms.

25 June 2026

HLD Shield issues this briefing. Exploitation is active and ongoing. Estimated 84,000+ unpatched FortiGate and FortiProxy devices globally remain reachable on the public internet.

Severity assessment

CVSS score9.8 Critical
Rapid7 adjusted9.9 (RCE confirmed)
CISA KEVAdded 24 Jun 2026
Active exploitationConfirmed
Ransomware stagingConfirmed
Nation-state activityConfirmed

Risk amplifiers

Mass internet exposure

Shodan and Censys data indicate over 150,000 FortiGate and FortiProxy management interfaces are directly reachable on the public internet globally. Estimated 84,000+ remain unpatched as of this briefing.

Zero-day window exploitation

Scanning activity pre-dated public disclosure by at least 2 days, suggesting nation-state actors had early access to exploit code. Organisations that have not patched since 21 June should assume adversary reconnaissance may have already occurred.

Ransomware pre-positioning confirmed

Multiple incident response firms have confirmed post-exploitation activity consistent with ransomware pre-positioning — beacon implants, credential harvesting, and lateral movement staging — within hours of the public advisory.

EOL devices with no patch path

FortiOS 6.4.x reached end-of-life and Fortinet has not issued a patch. Any organisation running 6.4.x is permanently exposed until the device is replaced or isolated. HLD estimates 8–12% of vulnerable devices globally are on EOL firmware.

Credential and config exfiltration

Successful exploitation allows unauthenticated reading of the device configuration file, including hashed admin credentials, VPN user databases, pre-shared keys, and certificate private keys. Downstream access through harvested VPN credentials is a confirmed secondary attack vector.

Supply chain and MSP exposure

Managed service providers operating centralised FortiManager environments face compounded risk — a single compromised management plane can cascade to all managed tenants. MSPs should treat this as a critical supply-chain risk event.

Need HLD support?

HLD can assist with emergency patch prioritisation, compromise assessment, log review, and post-incident network hardening for affected organisations.

Contact HLD

HLD Shield briefings are interpretive intelligence summaries based on publicly available information and HLD analytical assessment. They do not constitute formal vulnerability assessments or legal advice. Organisations should validate findings against their own environment and engage qualified advisers for remediation decisions. Published 25 June 2026.

More HLD Shield briefings

Stay across the full threat intelligence picture.

Back to HLD Shield