A campaign researchers have named FortiBleed has produced verified, working administrator credentials for between 30,000 and 75,000 internet-facing Fortinet FortiGate firewall devices, according to findings published by Arctic Wolf in mid-June 2026. Threat actors systematically pulled configuration files from exposed devices and cracked the stored password hashes offline — a technique that turns a configuration-backup vulnerability into full administrative access. The global reach of the campaign, spanning 194 countries, means no region or sector is exempt, and healthcare organizations that depend on FortiGate appliances at their network perimeter face direct exposure.

What the attackers did

The attack chain is notable for its efficiency. Rather than exploiting a live session or brute-forcing login portals in real time, actors retrieved configuration files from devices accessible over the public internet. Those files contained hashed administrator credentials. Offline hash-cracking — performed away from the target's detection systems — then produced plaintext passwords at scale.

The resulting credential sets are dangerous beyond simple firewall access. Administrator control of a perimeter firewall allows an attacker to modify routing rules, disable logging, create VPN tunnels, and pivot into internal network segments. For a covered entity or business associate, that pivot path leads directly to systems that store or process protected health information.

Why healthcare practices face heightened risk

Fortinet appliances are widely deployed across the healthcare sector, from large health systems to small independent practices, because they offer a range of network security functions at price points accessible to organizations without large IT staffs. That same broad deployment footprint means the pool of potentially affected healthcare devices is significant.

Independent practices are particularly exposed for two structural reasons. First, firewall configuration files are rarely audited after initial setup, so a device whose stored credentials still rely on default settings or a weak hash format may have gone unreviewed for years. Second, smaller organizations are less likely to have network monitoring tools that would detect anomalous administrative logins or outbound configuration-retrieval activity.

The FortiBleed disclosure also arrives against a background of sustained threat-actor interest in healthcare targets. Ransomware groups have repeatedly demonstrated that compromised perimeter credentials are their preferred initial access method before deploying file-encrypting payloads.

What independent practices should check

Organizations running Fortinet FortiGate devices should treat this disclosure as a prompt for immediate review across several areas:

What this signals about the next 12 months

The FortiBleed campaign illustrates a technique that has become more common: rather than targeting a single zero-day vulnerability against one organization, threat actors build tooling to harvest configuration data at internet scale and process it offline. The result is a large inventory of verified credentials that can be used opportunistically over months.

For compliance officers, this pattern has a specific implication. A HIPAA Security Rule risk analysis that treats perimeter firewalls as a control — rather than as an asset that itself requires ongoing monitoring and hardening — will systematically miss this class of threat. Devices that enforce access controls must also appear in the organization's own risk inventory, with defined processes for credential management, firmware currency, and periodic review of management-interface exposure.
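One way to make that periodic review concrete is to check a configuration backup for the two exposures the article describes: administrator accounts with no trusted-host restriction and WAN-facing interfaces that accept HTTPS or SSH management from anywhere. The script below is an added example, not code from the article or from Fortinet; it assumes the FortiOS CLI-style backup layout (config / edit / set / next / end), ignores nested sub-blocks, and runs against a constructed sample with placeholder values.

```python
# Added example (not from the article or Fortinet): audit a FortiGate CLI-style
# config backup; assumes the config/edit/set/next/end layout, nested blocks ignored.
SAMPLE_CONFIG = """  # constructed sample; the hash is a placeholder, not real
config system admin
    edit "admin"
        set password ENC <placeholder-hash>
    next
    edit "netops"
        set trusthost1 10.20.0.0 255.255.0.0
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
"""
MGMT_SERVICES = {"https", "ssh", "http", "telnet"}  # services that expose a login
def parse_sections(text):
    """Return {section: {entry: {key: value}}} for each top-level 'config' block."""
    sections, section, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            section = line[7:]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value
        elif line == "end":  # 'next' needs no handling: the next 'edit' resets entry
            section = entry = None
    return sections
def audit_config(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    cfg, findings = parse_sections(text), []
    for name, attrs in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}' has no trusthost restriction")
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = set(attrs.get("allowaccess", "").split()) & MGMT_SERVICES
        if attrs.get("role") == "wan" and exposed:
            findings.append(f"interface '{name}' allows {sorted(exposed)} on WAN")
    return findings
```

Run `audit_config` over an exported backup rather than the sample to get the findings for a real device; an interface with no `role` set is not flagged, so confirm roles are assigned before trusting an empty result.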