A campaign researchers have named FortiBleed, identified in mid-June 2026, involves threat actors systematically pulling configuration files from internet-facing Fortinet FortiGate firewalls and cracking the credential hashes stored within them. Arctic Wolf researchers confirmed the operation has produced working administrator credentials for between 30,000 and 75,000 devices globally. Because FortiGate appliances are common perimeter controls at hospitals, physician groups, and specialty practices, the campaign carries direct implications for covered entities that rely on these devices to segment clinical networks and restrict access to systems holding protected health information.
What the attack does
FortiBleed is not a novel zero-day exploit in the traditional sense. Attackers extract configuration files — which contain hashed administrator passwords — from devices reachable over the public internet, then crack those hashes offline. The result is a list of verified, working credentials that can be used to authenticate to the firewall's management interface without triggering the kind of brute-force alerts that repeated failed login attempts would generate.
The campaign's scale distinguishes it. Credentials for tens of thousands of devices across 194 countries represent a ready-made access inventory that threat actors can use directly or sell to ransomware affiliates. Healthcare organizations are attractive secondary targets: they hold large volumes of sensitive records, frequently carry cyber insurance, and face strong operational pressure to restore systems quickly.
Why this matters for clinical environments
Firewall appliances sit at a critical point in most practice network architectures. Administrative access to a perimeter firewall allows an attacker to alter routing rules, disable logging, open inbound ports, or pivot directly into internal network segments where EHR servers and medical devices operate. In a healthcare context, that kind of access could satisfy the "network access" phase of a ransomware kill chain before a single endpoint is touched.
Practices that have not segmented their management plane — meaning the interface used to administer the firewall is reachable from the same network as clinical workstations, or worse, from the public internet — face the greatest immediate exposure. Credential theft against a device whose management port is internet-exposed produces a much shorter path to a material breach than credential theft against an internally managed appliance.
What administrators should check now
The immediate operational question is whether any FortiGate devices in the environment are or were recently internet-facing on their management interfaces. Specific steps worth taking:
- Audit management interface exposure. Confirm that administrative access to all firewall appliances is restricted to dedicated out-of-band management networks or explicit allow-listed IP addresses, and is not reachable from the public internet.
- Rotate credentials regardless of known compromise. Because the FortiBleed campaign harvests hashes for offline cracking, an organization may not know its credentials have been compromised until they are used. Treating all FortiGate administrator passwords as potentially exposed is the appropriate response.
- Review firmware and configuration. Fortinet has previously issued guidance on hardening FortiGate configurations against credential extraction. Confirm devices are running vendor-current firmware and that any known configuration hardening recommendations have been applied.
- Check authentication logs for anomalous administrative sessions. Successful logins from unfamiliar IP addresses or at unusual hours against the management interface warrant immediate investigation.
- Enable multi-factor authentication on management access. MFA on administrative interfaces substantially reduces the value of stolen credentials, even when the underlying password has been compromised.
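One way to implement the authentication-log check from the list above, as an added example that is not from the original article or from Fortinet: a Python script that parses constructed key=value admin-login events (field names loosely modelled on FortiGate's event log format and assumed here, not captured output) and flags successful administrative logins whose source is outside a management allow-list or whose time falls outside business hours. The allow-list, the business-hours window and the sample lines are all assumptions for this example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed: only this out-of-band network should ever reach the admin interface.
MGMT_ALLOWLIST = [ip_network("10.250.0.0/24")]
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local; anything else is "unusual"

# Constructed sample lines; field names are assumptions, not real device output.
SAMPLE_LOGS = """\
date=2026-06-18 time=09:12:41 type=event subtype=system action=login status=success user=admin ui=https(10.250.0.15) srcip=10.250.0.15
date=2026-06-18 time=03:27:05 type=event subtype=system action=login status=success user=admin ui=https(203.0.113.77) srcip=203.0.113.77
date=2026-06-18 time=11:02:19 type=event subtype=system action=login status=failed user=admin ui=https(198.51.100.9) srcip=198.51.100.9
date=2026-06-18 time=14:45:00 type=event subtype=system action=login status=success user=fwadmin ui=ssh(10.250.0.22) srcip=10.250.0.22
date=2026-06-18 time=15:10:33 type=event subtype=system action=login status=success user=admin ui=https(198.51.100.9) srcip=198.51.100.9
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_admin_logins(text, allowlist=MGMT_ALLOWLIST, hours=BUSINESS_HOURS):
    """Return (timestamp, user, srcip, reasons) for each suspicious successful login."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        # Cracked credentials succeed on the first try, so failures are out of scope here.
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        src = ip_address(ev["srcip"])
        when = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        reasons = []
        if not any(src in net for net in allowlist):
            reasons.append("source not in management allow-list")
        if when.hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append((when, ev["user"], str(src), reasons))
    return findings


if __name__ == "__main__":
    for when, user, src, reasons in flag_admin_logins(SAMPLE_LOGS):
        print(f"{when:%Y-%m-%d %H:%M} user={user} src={src}: {', '.join(reasons)}")
```

A session that is flagged on both counts, like the 03:27 login from a public address in the sample, is the pattern this campaign would leave, since a cracked password produces a clean success with no preceding failures.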
What this signals about network perimeter risk
The FortiBleed campaign is the latest in a pattern of threat activity that targets network infrastructure itself rather than endpoints or applications. Attackers have recognized that perimeter devices — firewalls, VPN concentrators, remote access gateways — often receive less frequent credential rotation and patch attention than servers and workstations, yet carry administrative authority over the entire network.
For healthcare organizations, the HIPAA Security Rule's technical safeguard requirements around access controls and audit controls apply to the systems that protect ePHI, not just the systems that store it. A compromised firewall that allows unauthorized access to a clinical network is a Security Rule event, not merely an IT operations problem. Organizations that discover evidence of unauthorized administrative access to perimeter devices should treat the incident as a potential breach and initiate their incident response procedures accordingly.