FortiBleed campaign extracts working admin credentials from tens of thousands of Fortinet firewalls globally

A campaign researchers have named FortiBleed has exposed a significant number of Fortinet FortiGate firewalls to verified administrator-level compromise, with Arctic Wolf reporting between 30,000 and 75,000 affected devices worldwide as of mid-June 2026. Threat actors systematically extracted configuration files from internet-facing devices, then cracked the stored credential hashes offline — a technique that produces working credentials without triggering the kind of repeated login failures that would normally alert a security team. For healthcare organizations that use FortiGate appliances as their network perimeter, the practical risk is immediate: a confirmed set of working admin credentials hands an attacker full visibility into internal traffic segmentation, VPN configurations, and connected clinical systems.

What the attack chain looks like

The FortiBleed method is technically straightforward once an attacker has access to a configuration file. FortiGate devices store credential hashes as part of their exportable configuration, and when those files are reachable from the internet — through a known vulnerability or a misconfigured management interface — the hashes can be pulled and processed offline using commodity cracking tools. The process does not require sustained network presence on the target device, which means intrusion detection systems watching for anomalous session activity may see nothing during the extraction phase.

The scale reported by Arctic Wolf suggests this is not opportunistic targeting but a structured, automated sweep across exposed IP ranges. A campaign reaching 194 countries implies the actors cast as wide a net as possible before selecting which compromised devices to act on further.

Why healthcare networks face elevated exposure

Healthcare organizations operate Fortinet equipment at significant rates, particularly in the mid-market — community hospitals, multi-site physician groups, dialysis networks, and behavioral health chains — where FortiGate appliances are common perimeter and branch-office firewall choices. These environments often run configurations that were set during initial deployment and are not reviewed on a regular cycle, meaning default management-interface exposure settings may still be in place years later.

A compromised firewall administrator credential in a clinical network carries consequences beyond the firewall itself. An attacker with that access can modify routing rules to redirect traffic, disable logging to blind a security operations team, create persistent VPN tunnels, or re-segment the network to reach systems that hold electronic health records, medical devices, or billing infrastructure. Any of those outcomes creates potential HIPAA Security Rule exposure, since the rule requires covered entities and business associates to protect the integrity and availability of electronic protected health information — an obligation that includes the network infrastructure carrying that data.

What administrators should check immediately

Organizations running FortiGate devices should treat this report as a prompt for specific verification steps rather than a general advisory.

Management interface exposure. Confirm that the FortiGate administrative interface is not reachable from the public internet. Management access should be restricted to dedicated internal subnets or out-of-band management networks.
Configuration file access controls. Review whether configuration export or read access has been limited to named administrative accounts, and audit which accounts currently hold administrative privileges.
Credential rotation. Any FortiGate device that has been internet-facing with its management interface should be treated as potentially compromised. Credentials should be rotated to new values, not recycled from any previously used set.
Firmware currency. Check whether devices are running firmware versions that address known configuration-exposure vulnerabilities. Fortinet has patched several related issues over the past 18 months; devices that have not received updates in that window are at materially higher risk.
Log review. Pull administrative session logs for the past 30 to 90 days and look for sessions from unexpected source IPs, session durations inconsistent with normal administrative work, and any configuration changes that cannot be attributed to known staff activity.

What this signals for the next 12 months

The FortiBleed campaign fits a pattern that has repeated across several major network-appliance vendors over the past two years: a vulnerability or configuration weakness in a widely deployed device class is discovered, and threat actors run automated extraction at scale before most organizations have time to respond. The healthcare sector has been a recurring secondary casualty in these sweeps because clinical networks tend to prioritize uptime over rapid patching cycles, and perimeter devices are often excluded from the same patch-management discipline applied to endpoint systems.

Security leadership at healthcare organizations should treat any internet-facing network appliance — firewall, VPN concentrator, remote-access gateway — as a priority surface for both configuration audits and firmware updates. The access a compromised perimeter device provides is not limited to that device; it becomes a staging point for movement deeper into systems that carry patient data and support care delivery.