Alert - AL26-014 – FortiBleed leak of thousands of compromised credentials impacting Fortinet devices

Number: AL26-014
Date: June 18, 2026

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On June 17, 2026, the Canadian Centre for Cyber Security (Cyber Centre) became aware of open-source reporting [1][2][3] describing a widespread malicious campaign, known as “FortiBleed,” involving exposed credentials affecting Fortinet firewalls and VPN gateways. Exploitation of these credentials could allow malicious actors to gain remote access to affected devices and connected networks, as well as modify various system settings, including critical security controls.

Suggested actions

The Cyber Centre strongly recommends that organizations:

  • Inventory all accounts on Fortinet devices, identify unauthorized or suspicious accounts (e.g., forticloud-sync, forticloud-tech) and disable/remove suspected or unneeded accounts.
  • Restrict access to management interfaces to trusted networks and hosts only.
  • Terminate all active SSL VPN and administrative sessions.
  • Reset passwords for all Fortinet VPN and administrative accounts.
  • Enforce Multi-Factor Authentication (MFA) across all external gateways and admin interfaces.
  • Ensure all Fortinet devices are running the latest firmware. Specifically, check for patches related to CVE-2024-55591 (obtain high privileges) [4], and CVE-2025-59718 [5] and CVE-2025-59719 [6] (authentication bypass) [7].
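
The account inventory, trusted-host and MFA checks above can be run offline against a configuration backup. The following is an added example, not part of this Alert or of Fortinet tooling: the `parse_admins` and `audit_admins` helpers, the approved-account set and the sample configuration are hypothetical, and it assumes a plain-text FortiOS backup containing a `config system admin` section.

```python
SUSPICIOUS = {"forticloud-sync", "forticloud-tech"}  # names given in this Alert
# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""

def parse_admins(config_text):
    """Return {account: {setting: value}} for the admin section."""
    admins, current, in_block, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
            continue
        # Track nested sub-tables so their "end" does not close the section.
        depth += line.startswith("config ") - (line == "end")
        if depth < 0:
            break
        if depth == 0 and line.startswith("edit "):
            current = admins.setdefault(line[5:].strip().strip('"'), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            current[parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return admins

def audit_admins(config_text, approved):
    """Return sorted (account, finding) pairs that need review."""
    findings = []
    for name, cfg in parse_admins(config_text).items():
        if name.lower() in SUSPICIOUS:
            findings.append((name, "name listed as suspicious in the Alert"))
        elif name not in approved:
            findings.append((name, "not in approved inventory"))
        if not any("trusthost" in key for key in cfg):
            findings.append((name, "no trusted hosts restriction"))
        # Assumption: an absent two-factor line means the default, disable.
        if cfg.get("two-factor", "disable") == "disable":
            findings.append((name, "no two-factor authentication"))
    return sorted(findings)
```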

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions with an emphasis on the following topics [8]:

  • Consolidate, monitor and defend Internet gateways
  • Patch operating systems and applications
  • Enforce the management of administrative privileges
  • Harden operating systems and applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal, or email contact@cyber.gc.ca.
