Roughly half of all internet-facing Fortinet devices worldwide had working login credentials harvested and leaked, and CISA says higher education is squarely in the blast radius.
On June 13, 2026, security researcher Bob Diachenko was doing what he does most days: hunting for exposed servers sitting unprotected on the open internet. What he found this time was no stray database. It was a live staging ground — a server holding a growing list of usernames, plaintext passwords, and firewall addresses, plus the scripts a criminal group used to keep that list growing. Researchers eventually counted 73,932 FortiGate firewalls across 194 countries, each with valid, working credentials attached. Five days later, on June 18, CISA issued an emergency advisory urging every Fortinet customer to act immediately. Researchers have nicknamed the incident "FortiBleed."
What happened
Fortinet's FortiGate devices are firewalls and SSL VPN gateways — the boxes that sit at a network's edge and decide who gets in. According to Diachenko's analysis, corroborated by threat-intelligence firm Hudson Rock and researcher Kevin Beaumont, a Russian-speaking threat group ran an industrial-scale operation: an estimated 1.16 billion credential attempts against more than 320,000 FortiGate targets, plus billions more against exposed Microsoft SQL Server systems. Attackers reportedly intercepted SSL VPN authentication data, cracked it with a 45-GPU computing cluster, and used the recovered passwords to move laterally inside victims' Active Directory environments.
What makes this leak unusual is the quality of what was stolen. Many exposed passwords were long and complex — the kind organizations trust to resist brute-force guessing. Beaumont's review suggests the credentials may actually have come from exported Fortinet configuration files rather than pure guessing, so the exact method of compromise remains unconfirmed. What is confirmed: the data is real, most affected devices are still online, and roughly half of every internet-facing Fortinet firewall worldwide appears somewhere in this dataset. Diachenko says several organizations, including a NATO-linked defense contractor, were fully compromised, with sensitive documents stolen.
Why it matters for Texas institutions
Hudson Rock's breakdown of affected sectors lists educational institutions among the most commonly represented, alongside telecommunications, financial services, healthcare, and government. Texas research universities, community college districts, and state agencies rely heavily on FortiGate appliances to secure remote access for faculty, staff, students, and contractors, particularly VPN connections into research networks, financial systems, and student data environments. A campus VPN gateway with a leaked or crackable password is a documented, currently exploited pathway into exactly the kind of data these attackers appear to want. Because Texas hosts one of the largest concentrations of public higher-education institutions in the country, often sharing similar network architectures and vendors, one successful campaign like this can ripple across the sector fast.
What your institution should do
Treat every FortiGate device your institution operates as a suspect until proven otherwise. IT teams should immediately rotate administrative and VPN passwords, prioritizing devices with management interfaces exposed directly to the internet — Beaumont found that a majority of compromised devices had this configuration, which is rarely necessary and easy to close. Multi-factor authentication on every VPN and admin login should be non-negotiable; nearly all the damage in this campaign stemmed from credentials with no second factor behind them. Pull gateway authentication logs for recent weeks and look for logins from unfamiliar locations, since attackers who harvested credentials earlier may not have used them yet. Hudson Rock has published a free lookup tool to check whether your domains appear in the dataset, and it's worth five minutes to check. Finally, confirm your FortiOS firmware is current — many affected devices were running recent versions, a reminder that patching alone won't close this gap; credential hygiene has to close it too.
RSOC continues monitoring the FortiBleed situation and will share updates as Fortinet, CISA, and independent researchers release more detail. If your institution needs help assessing exposure, reviewing VPN logs, or prioritizing a credential rotation, RSOC is here as a resource for Texas higher education and state agencies. Reach out through rsoc.utexas.edu to connect with our team.