FortiBleed: Stolen FortiGate Credentials Now Fueling INC and Lynx Ransomware Attacks

Credentials harvested from hundreds of thousands of compromised FortiGate devices are feeding active ransomware operations — and defenders who haven't rotated credentials post-patch are still exposed.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Credentials harvested from hundreds of thousands of FortiGate firewalls are actively fueling ransomware intrusions.
  • Two ransomware operations — INC and Lynx — are linked to attacks using those stolen credentials.
  • The credential theft traces back to exploitation of CVE-2022-40684, a critical authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager.
  • Fortinet issued patches for CVE-2022-40684 in October 2022; organizations that patched late or never rotated credentials remain at risk.

The credentials don't care when you patched.

That's the practical upshot of research tying the so-called FortiBleed campaign — mass credential harvesting from exposed FortiGate firewalls — to active intrusions by the INC and Lynx ransomware groups, as reported by SecurityWeek. Patching the underlying flaw closed the door on new theft. It did nothing to invalidate credentials already sitting in attacker databases.

The root cause is CVE-2022-40684, a CVSS 9.8 authentication bypass affecting Fortinet FortiOS 7.0.0–7.0.6 and 7.2.0–7.2.1, FortiProxy 7.0.0–7.0.6 and 7.2.0, and FortiSwitchManager 7.0.0 and 7.2.0. Fortinet patched it in October 2022 with FortiOS 7.0.7 and 7.2.2. The exploit is simple: an unauthenticated HTTP request with a crafted Forwarded header lets an attacker read and modify the administrative interface. Pulling config files — including hashed or cleartext credentials — follows trivially.

Hundreds of thousands of devices were exposed before widespread patching. That's not a rhetorical number. Researchers have documented leaked configuration files circulating in criminal forums tied directly to this flaw, and those files map to real device serial numbers and management credentials.

What should defenders do right now?

Patch status is table stakes. The harder operational question is credential hygiene.

Any FortiGate device that ran a vulnerable firmware version before patching should be treated as fully compromised — not just the firewall config, but every credential that touched that management plane. That means administrative accounts, service accounts with API access, and VPN credentials stored or managed through the affected device. Rotate all of them. Check for lateral-movement artifacts from the period the device was vulnerable. FortiGate appliances frequently sit at the network perimeter with broad east-west visibility; a stolen admin credential isn't just a firewall problem.

INC and Lynx are both active ransomware-as-a-service operations targeting enterprise environments. Initial access via valid VPN or firewall credentials lets affiliates skip the noisiest parts of an intrusion — no phishing, no dropped loader, no EDR alert on execution. They're walking in through the front door.

The remediation path is straightforward: verify firmware is at FortiOS 7.0.7, 7.2.2, or later; audit admin and VPN accounts for signs of unauthorized access; and rotate credentials unconditionally if the device ran vulnerable firmware. Waiting on a confirmed incident to act on this one is the wrong call.

© 2026 Threat Vectr