A campaign researchers have named FortiBleed has systematically pulled configuration files from internet-facing Fortinet FortiGate firewalls and cracked the embedded credential hashes, producing working administrator usernames and passwords for an estimated 30,000 to 75,000 devices globally. Arctic Wolf researchers identified the activity in mid-June 2026 and published initial findings describing the scale as among the largest perimeter-device credential harvests observed to date. Healthcare organizations are disproportionately exposed because FortiGate appliances are widely deployed as the primary network boundary in hospitals, physician groups, and specialty practices of all sizes.

What the attackers are doing

The technique does not require a live exploit against a fully patched device. Threat actors are extracting configuration files — likely through previously disclosed vulnerabilities or misconfigured management interfaces — and performing offline hash-cracking against the stored credentials. Once cracked, those credentials grant administrator-level access to the firewall itself, meaning an attacker can modify routing rules, disable logging, create VPN tunnels, or pivot directly into the internal network without triggering most endpoint detection tools.

The offline cracking step is significant: it means the compromise may have occurred days or weeks before any observable network activity. Organizations cannot rely on failed-login alerts or brute-force detection as early warning signals in this scenario.
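Because the credentials were recovered offline, the first observable signal is usually a successful administrative login, not a burst of failures. The following is an added example, not code from Arctic Wolf or Fortinet: it parses key=value event log lines in the style FortiGate emits and flags two things, a successful admin login from a source outside the expected management network, and a configuration edit that touches the logging subsystem. The sample lines are constructed, and the field names assumed here (type, user, srcip, action, status, cfgpath, cfgattr) should be checked against your own appliance's log output before the rules are deployed.

```python
import ipaddress
import re

# Constructed sample of FortiGate-style key=value event log lines. The field
# names (type, user, srcip, ui, action, status, cfgpath, cfgattr) are assumed
# for this example; verify them against your own appliance's log output.
SAMPLE_LOGS = [
    'date=2026-06-15 time=08:02:11 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2026-06-15 time=23:41:05 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="ssh(198.51.100.77)" srcip=198.51.100.77 '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2026-06-15 time=23:43:30 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(198.51.100.77)" srcip=198.51.100.77 '
    'action="Edit" cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"',
    'date=2026-06-15 time=23:50:12 type="traffic" subtype="forward" level="notice" '
    'srcip=10.20.0.44 dstip=10.20.1.9 action="accept" msg="not an admin event"',
]

# Network(s) from which administrative logins are expected. Assumed value for
# the example; substitute your own management subnets.
MANAGEMENT_CIDRS = ["10.20.0.0/24"]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict of string values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def in_networks(ip, networks):
    """True if ip (a string) falls inside any of the given ip_network objects."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def detect(lines, management_cidrs):
    """Return (rule, user, srcip, detail) tuples for events an analyst should review."""
    networks = [ipaddress.ip_network(c) for c in management_cidrs]
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "event":
            continue  # only system/admin events are relevant to these rules
        user, src = ev.get("user", "?"), ev.get("srcip", "")
        # Rule 1: a *successful* admin login from outside the management network.
        # Cracked credentials generate no failed-login noise, so success is the signal.
        if ev.get("action") == "login" and ev.get("status") == "success":
            if not in_networks(src, networks):
                alerts.append(("admin_login_outside_mgmt", user, src, ev.get("time", "")))
        # Rule 2: a configuration edit to the logging subsystem (e.g. disabling
        # syslog export), a common follow-on action once an attacker holds admin rights.
        if ev.get("action") == "Edit" and ev.get("cfgpath", "").startswith("log."):
            alerts.append(("logging_config_changed", user, src, ev.get("cfgattr", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, MANAGEMENT_CIDRS):
        print(*alert)
```

Run against the constructed sample, the login from 10.20.0.15 is silent, the late-evening login from 198.51.100.77 raises the first alert, and the syslog change two minutes later raises the second. In practice the same two rules are better expressed in the SIEM that already receives the appliance's logs; the value here is the choice of signal, successful logins and logging changes rather than failures.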

Why this matters specifically for covered entities

Firewalls that sit at the network perimeter of a HIPAA-covered entity or business associate are themselves part of the technical safeguard architecture required under the Security Rule. Administrator-level control of that device gives an attacker the ability to intercept unencrypted internal traffic, redirect DNS queries toward credential-harvesting infrastructure, or establish persistent remote access on the firewall itself that survives the routine patching cycles applied to the systems behind it.

Healthcare networks frequently carry unencrypted or minimally encrypted traffic between legacy clinical systems — imaging devices, laboratory analyzers, infusion pumps — that cannot easily be retrofitted with transport-layer encryption. A compromised perimeter device positioned between those systems and the broader network can see that traffic in full.

The campaign's 194-country footprint also signals that this is not a targeted intrusion campaign against a specific sector. Automated tooling is working through exposed devices indiscriminately, which means small independent practices with modest IT resources face the same credential exposure risk as large health systems.

What affected organizations should examine immediately

Organizations running FortiGate hardware should treat this as a priority response item regardless of whether they have received a vendor notification:

What this signals about perimeter device risk

The FortiBleed campaign fits a pattern that has accelerated since 2023: threat actors systematically cataloging and exploiting perimeter network devices — firewalls, VPN concentrators, and load balancers — rather than targeting endpoints or applications directly. These devices often run proprietary operating systems that give security tools little visibility into them, operate continuously without the patch-and-reboot cycles applied to servers, and hold credentials with broad network access.

For independent practices and smaller covered entities, the practical implication is that the firewall appliance should be treated as a managed endpoint requiring the same patch discipline, credential hygiene, and monitoring coverage applied to servers and workstations — not as a set-and-forget appliance. The assumption that a device sitting at the edge of the network is inherently harder for attackers to reach has been steadily eroded by the accumulation of disclosed vulnerabilities in major firewall product lines over the past several years.
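Treating the appliance as a managed endpoint, as the paragraph above argues, includes periodically auditing its exported configuration for the conditions that make a harvested config most damaging: administrator accounts with no trusted-host restriction, and management services reachable on WAN-facing interfaces. The following is an added example, not code from Fortinet or the researchers. It parses a small constructed configuration export in the config/edit/set/next/end layout and reports those two conditions. The setting names used (trusthost1, accprofile, allowaccess, role) are assumed for the example; confirm them against an export from your own device, and the password hashes shown are placeholders.

```python
import shlex

# Constructed sample of a FortiGate-style configuration export. The block
# layout and the setting names are assumed for this example; the password
# hashes are placeholders, not real values.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER-HASH
    next
    edit "netops"
        set trusthost1 10.20.0.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER-HASH
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""

# Services that grant administrative or configuration-disclosure access when
# enabled on an interface.
MANAGEMENT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def parse_config(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}.

    Nested 'config' blocks inside an entry are keyed by their full path
    (e.g. 'system interface/ipv6'); 'set' lines outside any 'edit' are ignored.
    """
    sections = {}
    stack = []  # each frame: [section_path, current_entry_name_or_None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles quoted names and values
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            parent = stack[-1][0] + "/" if stack else ""
            path = parent + " ".join(args)
            sections.setdefault(path, {})
            stack.append([path, None])
        elif keyword == "edit" and stack:
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif keyword == "set" and stack and stack[-1][1] is not None:
            path, entry = stack[-1]
            sections[path][entry][args[0]] = args[1:]
        elif keyword == "next" and stack:
            stack[-1][1] = None
        elif keyword == "end" and stack:
            stack.pop()
    return sections


def audit(sections):
    """Return (check_id, object_name) findings for the two conditions described above."""
    findings = []
    for name, attrs in sections.get("system admin", {}).items():
        # Without any trusthostN line the account may authenticate from any source.
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(("admin_without_trusthost", name))
    for name, attrs in sections.get("system interface", {}).items():
        wan_facing = attrs.get("role", [""])[0] == "wan" or name.startswith("wan")
        exposed = MANAGEMENT_SERVICES & set(attrs.get("allowaccess", []))
        if wan_facing and exposed:
            findings.append(("management_access_on_wan", name))
    return findings


if __name__ == "__main__":
    for check, obj in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{check}: {obj}")
```

On the constructed sample the audit reports the "admin" account (no trusted host) and the "wan1" interface (HTTPS and SSH enabled on a WAN-facing port); "netops" and "internal" pass. The parser deliberately keys nested blocks by their full path so that a setting inside "config ipv6" is never confused with the parent interface's settings.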