
Attackers Abuse FortiGate Diagnostic Tool to Sniff Credentials at Scale

bleepingcomputer.com · @loyal_koala · 1 hour ago · Cybersecurity · 2 comments

SOCRadar details how the FortiBleed campaign used a custom Golang sniffer, 36 enterprise GPUs, and FortiOS's own diagnostic command to steal authentication secrets from over 430,000 firewalls.

Tags: fortinet, fortigate, socradar, fortibleed, credential stuffing, network sniffing

SOCRadar's report on the FortiBleed campaign reveals that attackers didn't need a zero-day to compromise FortiGate devices - they simply weaponized FortiOS's built-in diagnose sniffer packet command. That command, normally used by admins to debug connectivity issues, became the backbone of a credential harvesting operation targeting over 430,000 FortiGate firewalls worldwide.

FortiGate's Legitimate Diagnostic Feature Turned Against It

diagnose sniffer packet lets administrators inspect real-time traffic passing through a FortiGate firewall. The threat actor behind FortiBleed used a Golang tool called FortigateSniffer to SSH into compromised devices and launch that command, configuring it to monitor 24 different protocols. The list includes Kerberos, LDAP, NTLM, SMB, RADIUS, RDP, WinRM, Microsoft SQL Server, MySQL, PostgreSQL, SMTP, IMAP, POP3, FTP, and Telnet. Not a new vulnerability - just a legitimate feature that turns into a credential-harvesting tool once an attacker has already grabbed admin credentials.

SOCRadar's timeline shows the campaign active since at least February 2026, using credential stuffing and brute-force attacks to gain initial administrative access. Once inside, the sniffer ran continuously, capturing authentication secrets from every network flow that touched the firewall.

The Sniffing Pipeline: From SSH to Hashcat-Ready Hashes

Captured packet data was processed by a component called SNIFTRAN, which reassembled the raw traffic into PCAP files. A Python-based PCAP Deep Analysis Toolkit then parsed those files, extracting cleartext credentials (SMTP, IMAP, POP3, MySQL, RADIUS), NTLM and Kerberos hashes, and other authentication artifacts. The toolkit generated Hashcat-ready files - meaning the attacker could immediately feed hashed credentials into a password-cracking cluster without manual conversion.

Kevin Beaumont independently confirmed the attackers used 36 enterprise-class GPUs rented from a GenAI company for cracking. "Instead of using it for AI tasks, they used them for password cracking," he noted. Enterprise GPUs crack passwords at scale very quickly. Beaumont also reported that the attackers downloaded FortiGate configuration files to extract hashed credentials directly.

What This Means for FortiGate Administrators

If you manage Fortinet devices, review Beaumont's published list of targeted IP addresses. The campaign has already leaked credentials for over 80,000 firewall URLs. SOCRadar believes the actor is an initial access broker (IAB), meaning the stolen credentials are being sold to ransomware gangs and other threat actors.

Fortinet previously characterized this as a collection of already-compromised credentials, but SOCRadar's evidence shows active, ongoing exploitation. Until Fortinet restricts the diagnose sniffer packet command to require multi-factor authentication or session logging, expect this technique to reappear in other campaigns.
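As an added defender-side example (not from the SOCRadar report, from Fortinet, or from any tool it describes), the following Python flags invocations of diagnose sniffer packet in FortiOS-style CLI audit logs and rates each one by whether the capture filter targets the authentication protocols listed above and whether the admin session came from the expected management network. The sample log lines, their field names and the trusted network 10.0.0.0/8 are constructed assumptions, not real FortiOS output.

```python
import ipaddress
import re

# Well-known ports of the credential-bearing protocols named in the report
# (NTLM rides inside SMB/HTTP/etc., so it has no port of its own).
AUTH_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 88: "Kerberos", 110: "POP3",
              143: "IMAP", 389: "LDAP", 445: "SMB", 1433: "MSSQL", 1812: "RADIUS",
              3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 5985: "WinRM"}
# Assumption: management network from which admin SSH sessions are expected.
TRUSTED_ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_kv(line):
    """Parse a FortiOS-style key=value line (quoted or bare values) into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def flag_sniffer_events(lines):
    """One finding per CLI audit line that invoked 'diagnose sniffer packet'."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        msg = rec.get("msg", "")
        if "diagnose sniffer packet" not in msg:
            continue
        # Pull 'port N' terms out of the tcpdump-style filter string.
        ports = {int(p) for p in re.findall(r"\bport\s+(\d+)", msg)}
        protocols = sorted(AUTH_PORTS[p] for p in ports if p in AUTH_PORTS)
        ip_match = UI_IP_RE.search(rec.get("ui", ""))
        src = ipaddress.ip_address(ip_match.group(1)) if ip_match else None
        untrusted = src is None or src not in TRUSTED_ADMIN_NET
        # Any sniffer run deserves review; an auth-protocol filter or an
        # unexpected admin source makes it a high-priority alert.
        findings.append({"user": rec.get("user"),
                         "source": str(src) if src else "unknown",
                         "protocols": protocols,
                         "severity": "high" if protocols or untrusted else "medium"})
    return findings

# Constructed sample lines in FortiOS key=value style (not real device logs).
SAMPLE_LOGS = [
    'date=2026-02-14 time=03:12:07 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.10)" action="cli" '
    'msg="diagnose sniffer packet any \'port 88 or port 389 or port 445\' 6 0 a"',
    'date=2026-02-14 time=03:12:41 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" action="cli" msg="diagnose sniffer packet port1 \'icmp\' 4 10"',
    'date=2026-02-14 time=03:13:02 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.10)" action="cli" msg="execute backup config flash"',
]
```

Running flag_sniffer_events(SAMPLE_LOGS) yields a high-severity finding for the admin session filtering Kerberos, LDAP and SMB from an untrusted address and a medium one for the routine ICMP capture; the config backup line is left for a separate rule.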


Source: FortiBleed campaign used custom FortiGate sniffer to steal credentials
Domain: bleepingcomputer.com
