Critical 'FortiBleed' Vulnerability Discovered in FortiGate Devices
A critical remote authentication bypass vulnerability named 'FortiBleed' has been discovered in FortiGate devices, prompting a joint warning from the US CISA and UK NCSC.
Exploiting this vulnerability could allow external attackers to infiltrate firewall systems and access sensitive information. The flaw lies in the mechanism used to store passwords securely; successful exploitation could let attackers steal user accounts and obtain system access privileges.
This vulnerability affects FortiOS versions 7.2.11, 7.4.8, and 7.6.1, specifically within the password hashing mechanism that uses the PBKDF2 algorithm and SHA-256 hashing method. Attackers can leverage this to steal password hashes and bypass authentication remotely.
Security authorities and security experts alike recommend applying the FortiOS patches immediately and enabling multi-factor authentication (MFA), both to mitigate this vulnerability and to reduce the damage from any exploitation of it.
Information about this vulnerability was initially reported by the security research firm SOCRadar, and this security advisory was published on June 18, 2026 (local time).
