FortiBleed and the maritime sector: a real exposure?
A recap of the facts first. FortiBleed was disclosed in mid-June 2026 by independent researcher Volodymyr “Bob” Diachenko, who specialises in hunting down databases and servers left open on the Internet. The leak did not surface at a victim’s site. He found it on the attackers’ side: a poorly secured server exposing their tooling, their logs and the credential set itself. The operation, which he attributes to a Russian-speaking multi-operator group, is said to have harvested and then cracked the authentication hashes of tens of thousands of FortiGate appliances, enriching each entry with the target’s industry, revenue and headcount - enough to plan future attacks. Several researchers validated part of the batch, among them the British Kevin Beaumont, who confirmed the authenticity of a sample of administration credentials.
Since then, the topic has been running on a loop in the specialist press. As is often the case with this kind of leak, it comes with a sectoral breakdown, and therefore a maritime slice, which is hardly surprising. Several summaries have circulated, with figures and maps meant to impress, often for the purposes of commercial FUD (Fear, Uncertainty, Doubt) to sell services. It is sometimes amusing (for an end customer) to watch cybersecurity companies offer cybersecurity services to make up for the vulnerabilities of cybersecurity vendors (I include myself here). Let us move on. I preferred to analyse part of the data myself and count, entity by entity.
Here, then, is what it gives, and why some totals deserve a closer look…
FortiBleed? What are we actually talking about?
Let us start by clearing up a misunderstanding. FortiBleed is not a flaw, there is no CVE to patch. It is an aggregation of administration credentials for FortiGate appliances, gathered in several ways: extraction of configuration files followed by cracking the password hashes stored with an old, weak algorithm, replay of already known passwords, and feeds from infostealer logs. The result is a huge list of “appliance + administrator account” pairs, each with the appliance’s address and the country where it sits.
One point is often glossed over in the reruns: appearing in this list does not prove you were the victim of a cyberattack. It “simply” proves that a credential was harvested and now potentially sits in an attacker’s database. If the password has been changed since, the entry is historical and there is potentially no concern beyond the appliance being exposed on the Internet. If it has not, it remains valid and exploitable. This nuance matters, because it separates an exposure indicator from a confirmed compromise, and the two are not handled the same way.
The FortiGate appliance is the front door to many IT and OT networks: a perimeter firewall that also provides SSL-VPN gateway functions. Whoever holds its administrator account holds the edge of the network. That is exactly the raw material of the initial access brokers, those Initial Access Brokers who make reselling that access to ransomware franchise operators their “trade”.
Why the maritime sector is affected
Ashore, a shipowner or a port is a classic information system, with its portals, its VPNs, its administration interfaces sometimes exposed on the Internet. Nothing specifically maritime so far.
The specificity comes on board. On a ship, the same type of appliance often guards the boundary between the business IT and the vessel’s operational systems (in particular for remote maintenance operations). Access to the firewall can open a path towards OT systems. Even though these satellite accesses are now (generally) well monitored by cyber teams and equipment, this is why a stock of FortiGate credentials concerns the sector well beyond its IT departments.
The count, and its traps
The dataset I was able to consult contains several tens of thousands of exposed FortiGate credentials, all sectors combined. To extract the maritime share, the temptation is to filter on the sector label supplied with each domain. Bad idea.
These labels are generated automatically, and they are wrong fairly often. Two examples among those that stopped me: two Caribbean telecom operators filed under “maritime transport and logistics”, and a customer relations centre catalogued as “oil and gas”. On their own, these two telecoms accounted for nearly 60% of the firewalls the filter first attributed to the maritime sector. Taking the raw total, without discernment or analysis, therefore means building an alert on two fundamental labelling errors.
The label also fails the other way. A large number of shipowners are catalogued as “IT services” or with a catch-all heading, and they then slip under the radar of a sector filter. Counting by label understates as much as it overstates.
So I worked directly at the entity level: cross-referencing domain names against a list of known actors - shipping lines, ports, shipyards, classification societies, equipment makers, satellite operators -, spotting brands hidden behind a generic heading, taking navies and coast guards into account, and open-source verification of the ambiguous cases, in particular a few oilfield-services companies where only research lets you decide between offshore and onshore. This work gives a base I consider clean, with 203 maritime organisations affected because they are genuinely present in the leak.

The shape is quite telling. Maritime transport dominates by far, with ninety-four organisations, close to half the total. Then come fishing and seafood, maritime services, equipment makers and onboard electronics, then ports and terminals, offshore and, more broadly, marine energy, shipyards, satellite operators, and up to five military navies. The operational heart of the sector stands out clearly here, well beyond its support functions alone.
In credential volume, these 203 entities total nearly 400 exposed FortiGate accounts. Most have only a single appliance affected; a minority concentrate several. One leading shipowner lines up nine, spread across several countries. Concentration matters as much as the total: a few very exposed actors weigh heavily in the tally.
Where these appliances are
Each appliance’s address comes with its country. Aggregating them, the geography of maritime exposure takes shape, and it does not point towards Europe.

Leading the way: India, Taiwan, the Philippines, the United States, Hong Kong, Indonesia, the Emirates, Malaysia, Singapore. In other words, the major port and logistics hubs of Asia and the Gulf, where shipowners, shipping agents and stevedores concentrate. This is consistent with the global distribution of tonnage and of fleet technical management, and it shifts the problem’s centre of gravity quite far from Europe’s borders.
The satellite angle, where the claims get shaky
This is the most spectacular part of the published summaries, and the most fragile. The idea is sound: an onboard firewall receives its address from the network of the satellite operator that connects it. By spotting the addresses belonging to the ranges of the major VSAT providers, you therefore find the appliances installed on board ships, regardless of the domain they are filed under. The most operational risk concentrates there, on the vessel side; the head offices come second.
Without going into too much detail, I find that people go a long way on the claim that certain appliances are necessarily maritime appliances. Especially when no factual, reproducible methodology is stated.
What to do, concretely
None of this is inevitable, and the useful steps are known. For a maritime organisation running Fortinet at the edge:
- Change without delay every administration and VPN password on equipment exposed on the Internet.
- Roll out multi-factor authentication across remote and administration access.
- Move to a recent version of FortiOS, then reconnect with each administrator account: it is this last step that finally purges the old password hashes left in the configuration.
- Pull administration interfaces off the public Internet, and review the logs looking for unknown accounts or unusual connections.
- On board, seriously maintain the separation between business IT and operational systems.
What I take away from it
FortiBleed is not the first leak of this type of credential, and it will not be the last. It still deserves attention: the data was recovered from the attackers’ own infrastructure, which says a good deal about their reach and their working methods. The figures, on the other hand, call for a careful reading. They measure exposure and a potential risk, weighing above all on the organisations that are less well managed or less closely watched; they do not establish that an intrusion has taken place. The raw labels mislead, the satellite maps rest on data the public does not have, and an entry in the list stays an exposure - a genuine one, worth acting on, yet an exposure all the same. Two hundred maritime organisations affected, an Asian and Gulf geography (mostly), a handful of very exposed actors: there is a solid base to prioritise, without giving in to the vertigo of big numbers. At sea as elsewhere, the margin between the door left open and the intrusion plays out on hygiene steps, often fairly simple ones.
Olivier JACQ, President and founder of CYBERMOOV Consulting.