A large-scale credential compromise campaign targeting Fortinet FortiGate firewalls — dubbed FortiBleed by researchers at Arctic Wolf — extracted configuration files from internet-facing devices and cracked the stored password hashes, producing verified working administrator credentials for an estimated 30,000 to 75,000 appliances worldwide. The campaign, identified in mid-June 2026, spans 194 countries. Healthcare organizations that use FortiGate firewalls as their network perimeter are directly in scope: a compromised firewall administrator credential is, in practical terms, a key to the front door of any network segment the device protects, including those carrying protected health information.
What the attackers did
The FortiBleed technique is straightforward in its mechanics. Threat actors systematically pulled configuration files from FortiGate devices exposed to the public internet, a method that does not require authentication if the device is running a vulnerable firmware version. Those configuration files contain hashed administrator credentials. Attackers then cracked the hashes offline, yielding plaintext passwords they can use to log in directly.
The result is not a speculative threat. Arctic Wolf reported that the credentials are verified working — meaning the campaign has already produced a ready-to-use list of administrator access for a significant share of affected devices. Healthcare networks running unpatched or internet-exposed FortiGate appliances that have not rotated credentials since the campaign began should treat those credentials as compromised.
Why this matters for healthcare networks
Firewalls sit at the boundary between internal clinical systems — EHRs, medical imaging repositories, lab interfaces, patient portals — and the public internet. Administrator access to a firewall allows an attacker to redirect traffic, disable logging, open inbound rules, or pivot directly onto internal segments without triggering perimeter alerts. In a healthcare context, that access path reaches systems subject to the HIPAA Security Rule's technical safeguard requirements, including access controls, audit controls, and transmission security.
HIPAA's Security Rule does not mandate any specific firewall vendor, but it does require covered entities and business associates to protect electronic protected health information from unauthorized access. A firewall running with compromised administrator credentials — even one whose logs show no suspicious activity yet — may no longer satisfy the "technical safeguard" standard because the control itself is under adversary influence. OCR has historically treated failure to patch known vulnerabilities and failure to monitor configuration integrity as evidence of insufficient risk management under 45 CFR § 164.308(a)(1).
What affected organizations should assess immediately
Practices and health systems using FortiGate devices should work through a short checklist with their IT and security teams:
- Firmware version and patch status. Confirm whether running firmware versions are affected by the configuration-file extraction vulnerability. Fortinet has issued advisories; devices not running a patched version remain exposed to fresh extraction attempts even after credential rotation.
- Credential rotation. All administrator accounts on affected devices — including service accounts and accounts used for automated management — should be treated as compromised and rotated to new, unique credentials regardless of whether the organization believes it was individually targeted.
- Exposure to the public internet. FortiGate management interfaces should not be reachable from the public internet. Organizations that have not restricted management-plane access to internal or VPN-only networks should do so immediately.
- Log review. Authentication logs, configuration-change logs, and outbound connection logs from the firewall should be reviewed for the period covering late May through mid-June 2026 and beyond, looking for unexpected administrator logins or configuration exports.
- Incident response threshold. If credential compromise cannot be ruled out, organizations should evaluate whether the event triggers their breach risk assessment obligation under the HIPAA Breach Notification Rule. Unauthorized access to a device that controls PHI-carrying network segments may meet the threshold for a reportable incident.
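A log-review triage script for the checklist above, added here as an example and not code from Arctic Wolf, Fortinet or the article: it parses constructed key=value lines loosely modelled on FortiGate event logs and flags administrator logins from outside the management subnet, configuration exports, and admin-account changes. The field names, the 10.20.0.0/24 management subnet and the sample addresses are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines, loosely modelled on FortiGate key=value syslog.
# Addresses in 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOGS = """\
date=2026-06-10 time=08:12:01 devname="fw-edge" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.20.0.5)" action="login" status="success"
date=2026-06-11 time=02:41:17 devname="fw-edge" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" action="login" status="success"
date=2026-06-11 time=02:43:02 devname="fw-edge" type="event" subtype="system" logdesc="Config backup" user="admin" ui="https(203.0.113.77)" action="backup" status="success"
date=2026-06-11 time=02:44:30 devname="fw-edge" type="event" subtype="system" logdesc="Attribute configured" user="admin" ui="https(203.0.113.77)" action="Edit" cfgpath="system.admin"
date=2026-06-12 time=09:00:00 devname="fw-edge" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" action="login" status="failed"
"""

# Assumed: management access is only legitimate from this internal subnet.
TRUSTED_MGMT = [ip_network("10.20.0.0/24")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a key=value syslog line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_ip(rec):
    """Extract the client address from a ui field such as https(203.0.113.77)."""
    m = re.search(r"\(([\d.]+)\)", rec.get("ui", ""))
    return ip_address(m.group(1)) if m else None

def review(log_text, trusted=TRUSTED_MGMT):
    """Return (timestamp, reason, source) tuples for events that need a human look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ip = source_ip(rec)
        untrusted = ip is not None and not any(ip in net for net in trusted)
        when = f"{rec.get('date')} {rec.get('time')}"
        action, status = rec.get("action"), rec.get("status")
        if action == "login" and status == "success" and untrusted:
            findings.append((when, "admin login from outside management subnet", str(ip)))
        elif action == "login" and status == "failed" and untrusted:
            findings.append((when, "failed admin login from outside management subnet", str(ip)))
        if action == "backup":  # any config export in the review window deserves a look
            findings.append((when, "configuration export", str(ip)))
        if rec.get("cfgpath", "").startswith("system.admin") and untrusted:
            findings.append((when, "admin account change from untrusted source", str(ip)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS):
        print(*finding, sep=" | ")
```

Point the script at an exported event log for late May through mid-June 2026 and widen TRUSTED_MGMT to the subnets your administrators actually use; anything it prints is a candidate for the breach risk assessment, not a verdict.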
What this signals about network perimeter risk
FortiBleed follows a pattern that has become reliable across several years of healthcare-targeted intrusions: attackers identify a class of widely deployed network appliances, find a method to extract credentials or session tokens without full authentication, and then monetize that access either through ransomware deployment or through sale of working credentials on criminal markets. The same pattern appeared in campaigns against Pulse Secure, Citrix, and earlier Fortinet vulnerabilities.
The scale of this campaign — tens of thousands of devices with verified credentials — suggests that even organizations that were not individually targeted face a materially elevated risk environment. Any organization sharing a firewall vendor and firmware version with confirmed victims is operating in a threat environment where attackers already have demonstrated capability and, in many cases, demonstrated access. Treating firmware patch management and management-plane access restriction as ongoing operational disciplines — rather than periodic tasks — is the structural response the pattern calls for.