Security researchers at Arctic Wolf disclosed in mid-June 2026 that threat actors are conducting a large-scale, systematic campaign against internet-facing Fortinet FortiGate firewalls. The operation, labeled FortiBleed, involves extracting configuration files from exposed devices and cracking the credential hashes stored within them. Estimates place the number of devices with compromised administrator credentials between 30,000 and 75,000, spread across 194 countries. Healthcare organizations represent a significant slice of global FortiGate deployments, making this one of the broader perimeter-security events of the year.
What the campaign actually does
FortiBleed is not a single-exploit intrusion. Threat actors are pulling configuration files from devices that are reachable over the public internet — a condition common in distributed healthcare networks, remote clinic setups, and small-to-midsize practices that manage their own perimeter hardware. Once a configuration file is in hand, credential hashes can be cracked offline, at scale, without further interaction with the target device. The result is a pool of verified, working administrator credentials that can be used for follow-on access at a time of the attacker's choosing.
That sequence matters for healthcare defenders. The initial extraction may generate little or no anomalous traffic, and the cracking happens entirely off-site. By the time an attacker authenticates with a valid credential, nothing in that login event looks unusual to a rule-based monitoring system unless behavioral baselines are in place.
Why healthcare exposure is elevated
Fortinet FortiGate devices are widely deployed as perimeter firewalls and VPN concentrators in healthcare settings, from regional hospital systems to independent physician groups. Many of these deployments share a common risk factor: administrative interfaces left reachable from the internet, often for management convenience or because the device was stood up by a third-party MSP without tightening the default configuration.
Healthcare networks also tend to run firmware update cycles more slowly than other sectors, partly because maintenance windows require coordination with clinical operations. Older FortiOS versions have carried known vulnerabilities that lower the bar for configuration-file extraction. The combination of internet-exposed management planes, delayed patching, and high-value patient data behind the perimeter makes the sector a predictable target once working credentials are circulating.
What independent practices should check
Practices using FortiGate hardware at the perimeter should treat this disclosure as a prompt for several concrete checks:
- Management interface exposure. Verify that the FortiGate administrative interface is not reachable from the public internet. Access should be restricted to specific internal IP ranges or require a separate out-of-band management network.
- Firmware currency. Confirm the installed FortiOS version against Fortinet's current security advisories and schedule patching through the next available maintenance window.
- Credential rotation. Assume that any administrator account whose hash was present in the configuration file may be compromised. Rotate all local administrator passwords and audit which accounts carry admin-level privilege.
- MFA enforcement. Administrative access to network perimeter devices should require multi-factor authentication. A cracked password alone should not be sufficient for a successful login.
- Log review. Pull authentication logs for the device going back at least 90 days and look for logins from unfamiliar source IPs, logins at unusual hours, or configuration changes that were not authorized through standard change-management processes.
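The log-review check above can be scripted as a first-pass triage. The following Python is an added example, not code from the article or from Fortinet: it parses FortiGate-style key=value event lines and flags successful administrator logins from source addresses outside an assumed management range, logins outside an assumed administrative window, and configuration changes issued from untrusted sources. The sample lines are constructed, and the field names keyed on (`action`, `status`, `cfgpath`) are assumptions about the log format that should be checked against the device's real output.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed sample lines in FortiGate-style key=value syslog format (not real device output).
SAMPLE_LOGS = """\
date=2026-06-10 time=09:14:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.20.0.15 action="login" status="success"
date=2026-06-11 time=03:27:51 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"
date=2026-06-11 time=03:29:10 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.77 action="Edit" cfgpath="system.admin" cfgobj="admin"
date=2026-06-12 time=14:05:33 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=10.20.0.15 action="login" status="failed"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_anomalies(log_text, trusted_cidrs=("10.20.0.0/24",),
                   work_start=time(7, 0), work_end=time(19, 0)):
    """Return (reason, event) pairs for admin logins and config changes worth review.

    trusted_cidrs: management ranges admins are expected to come from (assumed).
    work_start/work_end: assumed administrative window; logins outside it are flagged.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue  # only system event records carry admin auth / config activity
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        src = ev.get("srcip")
        src_trusted = bool(src) and any(ipaddress.ip_address(src) in n for n in trusted)
        if ev.get("action") == "login" and ev.get("status") == "success":
            if not src_trusted:
                findings.append(("admin login from untrusted source", ev))
            if not (work_start <= ts.time() <= work_end):
                findings.append(("admin login outside admin hours", ev))
        elif "cfgpath" in ev and not src_trusted:
            # configuration change issued from outside the management range
            findings.append(("config change from untrusted source", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in find_anomalies(SAMPLE_LOGS):
        print(f"{ev['date']} {ev['time']} {ev.get('srcip')} user={ev.get('user')}: {reason}")
```

Feed it the exported event log for the 90-day window and treat every hit as a candidate for the credential-rotation and change-management review, since a valid password from an unfamiliar address is exactly what FortiBleed produces.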
What this signals about the next 12 months
FortiBleed follows a pattern that has become routine against network perimeter hardware: researchers or threat actors identify a method to extract credential material without triggering intrusion detection, build or purchase tooling to operate at scale, and monetize the resulting credential lists through direct exploitation or sale. Similar campaigns have targeted other widely deployed VPN and firewall platforms over the past two years.
For healthcare compliance officers, the operational implication is that perimeter-device hygiene — firmware management, interface hardening, privilege auditing, and MFA enforcement — belongs on the same review calendar as EHR access controls and workforce security training. A breached firewall administrator account provides a starting position from which an attacker can intercept, redirect, or surveil traffic that includes protected health information in transit, and can undermine network segmentation controls that are otherwise required under the HIPAA Security Rule's technical safeguard standards.