Security researchers at Arctic Wolf disclosed in mid-June 2026 that threat actors have been systematically pulling configuration files from internet-facing Fortinet FortiGate firewalls and cracking the credential hashes stored within them. The campaign, named FortiBleed, has produced confirmed working administrator credentials for between 30,000 and 75,000 devices spanning 194 countries. For healthcare organizations, where perimeter firewalls frequently sit between the public internet and systems that store or transmit protected health information, the scale of verified credential access represents a direct and immediate network-boundary risk.

What the attackers are doing

FortiBleed is not a novel vulnerability in the traditional sense. Threat actors are exploiting the ability to extract configuration files from exposed FortiGate management interfaces — a technique that has surfaced in prior Fortinet campaigns — and then running offline hash-cracking against the credential data contained in those files. The result is a working username and password that grants administrator-level access to the device itself.

The distinction matters: attackers do not need to maintain a persistent connection to exploit a vulnerable device. Once hashes are extracted and cracked offline, they hold valid credentials that can be used at any future point unless the device is reconfigured and credentials are rotated. Organizations that patched underlying firmware vulnerabilities but did not also rotate administrator credentials after prior Fortinet disclosures may still be exposed.

Why healthcare environments face elevated risk

Fortinet appliances are widely deployed across independent medical practices, community hospitals, and affiliated clinic networks, in part because of their cost profile relative to enterprise-tier alternatives. Many of these deployments route traffic between clinical workstations, EHR servers, and external networks — exactly the data paths that HIPAA's Security Rule requires covered entities to protect through technical safeguards including access controls and audit controls.

An attacker holding valid administrator credentials to a perimeter firewall can disable logging, alter access-control rules, create VPN tunnels for persistent access, or intercept traffic. Each of those actions can precede a broader intrusion that results in a reportable breach. Because the FortiBleed campaign operates at the credential layer rather than through active malware implants, conventional endpoint detection tools are unlikely to flag the initial access.

What the exposure signals for the next 12 months

Large-scale credential-harvesting campaigns against network infrastructure have become a repeating pattern rather than isolated incidents. Researchers have documented similar campaigns against Cisco, Palo Alto, and Ivanti devices in recent years. The common thread is that internet-exposed management interfaces on perimeter appliances accumulate value as targets because a single compromised device can yield access to the entire network segment it protects.

For healthcare compliance teams, this pattern has a practical implication: vulnerability management programs built around software patching alone are insufficient when credential compromise is the attack surface. Rotating credentials after any public disclosure affecting a deployed device class, restricting management-interface exposure to private or out-of-band networks, and monitoring for administrative logins outside expected maintenance windows are the controls most directly relevant to this campaign.
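The control named above, monitoring for administrative logins outside expected maintenance windows or from unexpected sources, can be run directly against the firewall's own event logs, which matters because, as noted earlier, endpoint tooling sees nothing when the initial access is a valid credential used against the appliance. The script below is an added example written for this page; it is not code from Arctic Wolf, Fortinet, or HC3. It assumes a FortiOS-style key=value event-log layout with fields named user, srcip, action and status (these names, the maintenance window, the management allowlist and the sample lines are all constructed for the example and should be adapted to the real log schema and policy in use).

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample lines in a FortiOS-style key=value event-log syntax.
# The field names are assumptions for this example, not values taken from
# any real device or from the campaign the article describes.
SAMPLE_LOGS = [
    'date=2026-06-17 time=02:14:05 type="event" subtype="system" user="admin" '
    'srcip=203.0.113.45 ui="https(203.0.113.45)" action="login" status="success"',
    'date=2026-06-17 time=22:30:11 type="event" subtype="system" user="netops" '
    'srcip=10.20.0.5 ui="ssh(10.20.0.5)" action="login" status="success"',
    'date=2026-06-17 time=11:02:49 type="event" subtype="system" user="admin" '
    'srcip=10.20.0.5 ui="https(10.20.0.5)" action="login" status="success"',
    'date=2026-06-17 time=23:05:00 type="event" subtype="system" user="admin" '
    'srcip=198.51.100.8 ui="https(198.51.100.8)" action="login" status="failed"',
    'date=2026-06-17 time=09:00:00 type="traffic" subtype="forward" '
    'srcip=10.20.0.7 dstip=10.30.0.2 action="accept"',
]

# Assumed policy: administrative logins are expected only from the internal
# management subnet and only during a nightly maintenance window that
# crosses midnight (22:00 to 01:00 device-local time).
MGMT_ALLOWLIST = [ip_network("10.20.0.0/24")]
MAINTENANCE_START = time(22, 0)
MAINTENANCE_END = time(1, 0)

OUTSIDE_WINDOW = "outside maintenance window"
UNTRUSTED_SOURCE = "source not in management allowlist"

# Matches key=value and key="value with spaces" tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def is_allowlisted(ip_str: str, allowlist) -> bool:
    """True if ip_str is a valid address inside any allowlisted network."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False  # missing or malformed srcip is never trusted
    return any(ip in net for net in allowlist)


def audit_admin_logins(lines, allowlist=MGMT_ALLOWLIST,
                       start=MAINTENANCE_START, end=MAINTENANCE_END):
    """Return a finding for every admin login event that breaks policy.

    Both successful and failed logins are reported: a failed login from an
    unexpected source is still evidence of credential testing, and the
    'status' field lets an analyst prioritise the successful ones.
    """
    findings = []
    for line in lines:
        fields = parse_line(line)
        # Traffic logs and non-login events are out of scope for this rule.
        if fields.get("type") != "event" or fields.get("action") != "login":
            continue
        when = datetime.strptime(f"{fields['date']} {fields['time']}",
                                 "%Y-%m-%d %H:%M:%S")
        reasons = []
        if not in_window(when.time(), start, end):
            reasons.append(OUTSIDE_WINDOW)
        if not is_allowlisted(fields.get("srcip", ""), allowlist):
            reasons.append(UNTRUSTED_SOURCE)
        if reasons:
            findings.append({
                "time": when.isoformat(),
                "user": fields.get("user", "?"),
                "srcip": fields.get("srcip", "?"),
                "status": fields.get("status", "?"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_admin_logins(SAMPLE_LOGS):
        print(f"{finding['time']} user={finding['user']} src={finding['srcip']} "
              f"status={finding['status']}: {', '.join(finding['reasons'])}")
```

Run against the constructed sample, the rule flags the 02:14 external login (wrong time and wrong source), the 11:02 internal login (wrong time only) and the 23:05 failed attempt from an internet address (wrong source), while the 22:30 login from the management subnet passes. Feeding the same logic a device's forwarded syslog stream gives a boundary-level signal that does not depend on the attacker ever dropping an implant.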

HHS's Health Sector Cybersecurity Coordination Center has previously flagged Fortinet vulnerabilities in health-sector threat briefings; organizations subscribed to HC3 advisories should treat FortiBleed as a trigger to audit current FortiGate deployments, verify whether management interfaces are internet-accessible, and confirm that credential rotation has been performed regardless of patch status.