A campaign researchers are calling FortiBleed has produced what may be one of the largest single batches of verified firewall administrator credentials disclosed in recent memory. By systematically extracting configuration files from internet-facing Fortinet FortiGate devices and cracking the stored password hashes offline, threat actors obtained working credentials for an estimated 30,000 to 75,000 devices — spread across 194 countries — according to findings published by Arctic Wolf in mid-June 2026. For healthcare organizations that rely on FortiGate appliances to segment clinical networks, protect EHR access, or enforce perimeter controls, the exposure is direct and immediate.

What the campaign did

FortiGate devices store administrator credentials as hashed values in their configuration files. The attackers appear to have exploited a known path-traversal vulnerability — one with a history of use against healthcare targets — to pull those configuration files from externally reachable devices without authentication. Offline hash-cracking then converted stored hashes into plaintext passwords at scale, effectively bypassing any brute-force rate limiting the devices enforce at login.

The result is a credential set that is silent from the target's perspective. No failed login attempts appear in logs, no lockout policies trigger, and the device itself has no visibility into the offline cracking phase. Organizations that have not rotated credentials since the configuration files were accessible remain exposed even if the original vulnerability has been patched.
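As an added example (not part of the original reporting), the following Python check illustrates the detection angle just described: because a cracked credential succeeds on the first attempt, the usable signal is a successful administrator login from a source network where admins are not expected. The log lines, addresses and management subnet are constructed for this example; the key=value field layout mirrors FortiGate's event log format.

```python
import ipaddress
import re

# Constructed FortiGate-style event log lines (key=value syslog format);
# addresses and timestamps are placeholders, not real observations.
SAMPLE_LOGS = [
    'date=2026-06-15 time=08:02:11 type="event" subtype="system" '
    'user="admin" ui="https(10.20.0.15)" action="login" status="success"',
    'date=2026-06-15 time=03:41:09 type="event" subtype="system" '
    'user="admin" ui="https(203.0.113.45)" action="login" status="success"',
    'date=2026-06-15 time=03:40:58 type="event" subtype="system" '
    'user="admin" ui="ssh(198.51.100.7)" action="login" status="failed"',
]

# Assumed management subnet: the only place admin logins should come from.
ADMIN_SOURCE_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_UI_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_fortigate_log(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def source_ip(ui_field):
    """Extract the client address from a ui field such as 'https(203.0.113.45)'."""
    m = _UI_RE.search(ui_field or "")
    return m.group(1) if m else None


def find_unexpected_admin_logins(lines, allowlist=ADMIN_SOURCE_ALLOWLIST):
    """Return (user, ip) for successful logins from outside the allowlist.

    Failed attempts are deliberately ignored: with cracked credentials the
    first attempt succeeds, so the anomaly is the source, not a failure.
    """
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue
        ip = source_ip(rec.get("ui"))
        if ip and not any(ipaddress.ip_address(ip) in net for net in allowlist):
            hits.append((rec.get("user"), ip))
    return hits


if __name__ == "__main__":
    for user, ip in find_unexpected_admin_logins(SAMPLE_LOGS):
        print(f"review: successful admin login by {user!r} from {ip}")
```

The same rule can be fed the device's real syslog export; the second constructed line is the one that should be flagged.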

Why healthcare practices are a specific concern

Fortinet appliances hold a significant share of the firewall market in mid-size and independent healthcare environments, where procurement decisions often favor cost and consolidated feature sets over segmented vendor strategies. Many of those deployments are managed by small IT teams or third-party managed service providers who may not monitor vendor security advisories with the same cadence as enterprise security operations centers.

Healthcare networks also present an elevated consequence profile if perimeter credentials are compromised. An attacker with verified administrator access to a FortiGate device can modify routing rules, disable intrusion-prevention policies, create persistent VPN tunnels, or intercept traffic traversing the firewall — all of which could enable downstream access to systems containing protected health information. OCR's existing guidance on access controls and audit logging applies directly to the network layer, not only to application-level systems.

What administrators should verify now

Any organization running an internet-facing FortiGate appliance should treat this as a priority review, not a scheduled maintenance item. The core actions are straightforward:

What this signals for network-layer security discipline

The FortiBleed campaign follows a pattern seen repeatedly over the past three years: a known vulnerability in a widely deployed network appliance goes unpatched long enough for threat actors to industrialize exploitation. The offline credential-cracking component is particularly significant because it shifts the detection window — by the time an attacker uses a credential, the acquisition of that credential may be months old and entirely invisible in telemetry.

For independent practices, the operational implication is that firewall and VPN appliances require the same patching urgency applied to internet-facing application servers. Delayed patching on perimeter devices has historically been the entry point for ransomware groups that specialize in healthcare targets, and verified administrator credentials represent a higher-value initial access artifact than typical phishing-derived user credentials. A verified admin credential eliminates the lateral movement phase entirely.