Researchers at Arctic Wolf identified an active campaign, now tracked as FortiBleed, in which threat actors are systematically pulling configuration files from internet-facing Fortinet FortiGate firewalls and cracking the embedded credential hashes offline. By mid-June 2026 the operation had produced verified, working administrator credentials for an estimated 30,000 to 75,000 devices spanning 194 countries. FortiGate appliances are among the most widely deployed perimeter firewalls in US healthcare, making any credential-compromise campaign at this scale a direct concern for hospitals, physician groups, and health system IT teams.
What the attackers are doing
The technique follows a well-established pattern against network appliances: rather than brute-forcing live login interfaces, attackers obtain device configuration files, typically by exploiting a vulnerability in an exposed management interface, then crack the password hashes at leisure using offline compute. The result is a list of credentials that work silently, without triggering lockout policies or live authentication alerts, because the first authentication the device ever sees is a successful one.
FortiGate configuration files store hashed credentials for local administrator accounts. Once an attacker cracks those hashes, they possess valid credentials indistinguishable — from the device's perspective — from a legitimate login. That access enables firewall rule changes, VPN tunnel creation, traffic interception, and lateral movement into the network segments the appliance protects.
Why healthcare exposure is high
Healthcare organizations rely heavily on perimeter firewalls to segment clinical networks, protect electronic health record environments, and terminate remote-access VPN sessions for clinicians and staff. A compromised firewall administrator account bypasses nearly every downstream security control inside that perimeter.
Several factors amplify exposure for smaller and mid-sized practices:
- Delayed patching cycles. Network appliances in clinical environments frequently run behind on firmware updates because maintenance windows must be coordinated around patient care schedules, and the devices are treated as infrastructure rather than endpoints subject to regular patch cadences.
- Internet-exposed management interfaces. Many FortiGate deployments — particularly in smaller practices that lack dedicated network engineering staff — leave the web management interface reachable from the public internet, which is the precondition the FortiBleed campaign exploits.
- Credential reuse. Administrator passwords set during initial deployment are sometimes shared across multiple appliances or reused in directory accounts, multiplying the damage if a single hash is cracked.
What this signals for perimeter security discipline
The FortiBleed campaign is not an isolated event; it follows a multi-year pattern of mass exploitation targeting widely deployed network appliances, including prior Fortinet CVEs in 2022, 2023, and 2024. Each cycle has shown that healthcare organizations are consistently represented in victim populations, both because of their FortiGate market share and because appliance hygiene has lagged behind endpoint and application security investment.
The campaign also illustrates why credential-hash exposure is functionally equivalent to plaintext password exposure. Offline cracking capabilities have become cheap enough that any hash extracted from a config file should be treated as already compromised — a shift in threat modeling that many network security policies have not yet absorbed.
What administrators should check now
Practices running FortiGate appliances should prioritize three immediate verification tasks:
- Management interface exposure. Confirm that the FortiGate administrative interface (HTTPS and SSH, plus any legacy HTTP or Telnet access) is not reachable from untrusted networks. Fortinet's own hardening guidance recommends restricting management access to a dedicated out-of-band network or trusted IP ranges only; in practice that means removing administrative services from WAN-facing interfaces and binding each administrator account to trusted source addresses, so that even a valid credential is rejected from anywhere else.
- Firmware version and CVE status. Cross-reference the installed firmware against Fortinet's published advisories. If the device is running a version affected by any known configuration-file disclosure vulnerability, patching should be treated as urgent rather than routine.
- Credential rotation. Rotate all local administrator passwords on FortiGate devices, regardless of whether compromise is confirmed. If credentials were set at deployment and have not been changed since, they should be assumed at risk. Rotate directory accounts that share any credential with the appliance as well. Because the attackers hold the full configuration export rather than only the administrator hashes, treat every other secret stored in it (VPN pre-shared keys and passwords for directory integration, for example) as exposed and rotate those too, and review the administrator account list and firewall policy for changes you did not make.
Beyond immediate remediation, the campaign reinforces the case for multi-factor authentication on all network appliance management interfaces where the vendor supports it — a control that renders cracked password hashes substantially less useful to an attacker even if they are obtained.
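The three checks above, and the two-factor recommendation, can be run mechanically against a FortiGate configuration backup, which is a plain-text CLI dump. The script below is an added example written for this page; it is not Arctic Wolf's or Fortinet's code. It parses the FortiOS `config` / `edit` / `set` / `next` / `end` structure into nested dicts and flags interfaces that allow management services on WAN-facing or non-RFC1918 addresses, administrator accounts with no trusted-host restriction, and administrators without two-factor authentication. The sample configuration embedded in it is constructed for illustration, the `ENC` hash values are placeholders, and the parser covers only the subset of the format these checks need.

```python
"""Audit an exported FortiGate configuration for the exposure conditions
discussed in the article: management services on WAN-facing interfaces,
admin accounts without trusted hosts, and admin accounts without 2FA.
Added example, not Fortinet or Arctic Wolf code."""
import ipaddress
import shlex

# Constructed sample backup, not from a real device. The 'password ENC'
# lines are placeholders standing in for the hashes attackers crack offline.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
    set admintimeout 5
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2PLACEHOLDERPLACEHOLDERPLACEHOLDER
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2PLACEHOLDERPLACEHOLDERPLACEHOLDER
    next
end
"""

MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    Sections with entries become {section: {entry: {key: [values]}}};
    flat sections such as 'system global' become {section: {key: [values]}}.
    'unset' removes a key; 'next' and 'end' both close the current block.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            node = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(node)
        elif kw == "edit":
            node = stack[-1].setdefault(tokens[1], {})
            stack.append(node)
        elif kw in ("set", "append"):
            stack[-1][tokens[1]] = tokens[2:]
        elif kw == "unset":
            stack[-1].pop(tokens[1], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def _is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def exposed_management_interfaces(cfg):
    """Interfaces that allow admin services and are WAN-role or non-private."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = set(iface.get("allowaccess", [])) & MGMT_SERVICES
        if not exposed:
            continue
        role = iface.get("role", [""])[0]
        addr = iface.get("ip", [""])[0]
        if role == "wan" or (addr and not _is_rfc1918(addr)):
            findings.append((name, sorted(exposed)))
    return findings


def admins_without_trusthosts(cfg):
    """Admin accounts with no trusthostN/ip6-trusthostN: any source may log in."""
    return [name for name, admin in cfg.get("system admin", {}).items()
            if not any(k.startswith(("trusthost", "ip6-trusthost")) for k in admin)]


def admins_without_two_factor(cfg):
    """Admin accounts whose two-factor setting is absent or 'disable'."""
    return [name for name, admin in cfg.get("system admin", {}).items()
            if admin.get("two-factor", ["disable"])[0] == "disable"]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("exposed mgmt interfaces:", exposed_management_interfaces(cfg))
    print("admins without trusted hosts:", admins_without_trusthosts(cfg))
    print("admins without two-factor:", admins_without_two_factor(cfg))
```

Run it against a real backup by passing the file contents to `parse_fortios` instead of `SAMPLE_CONFIG`. An empty result from all three checks is the baseline this article argues for; any administrator appearing in the second or third list is one whose cracked hash would be usable from the open internet.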