Security researchers at Arctic Wolf confirmed in mid-June 2026 that threat actors are actively extracting configuration files from internet-facing Fortinet FortiGate firewalls, cracking the stored credential hashes, and recovering verified working administrator passwords at scale. The campaign, designated FortiBleed, has affected devices in 194 countries, with estimates placing the number of compromised credential sets between 30,000 and 75,000. Fortinet firewall appliances are widely deployed as network perimeter controls across hospitals, physician groups, and health system affiliates, making this campaign directly relevant to covered entities and their business associates.

What the attack does

FortiBleed is not a single exploit against an unpatched vulnerability in the conventional sense. Threat actors are pulling configuration files from FortiGate devices that are reachable from the internet — files that contain hashed administrator credentials — and then cracking those hashes offline. The result is a pool of working admin-level credentials that can be used to authenticate to the management interfaces of affected devices.

The practical consequence is that an attacker holding these credentials can alter firewall rules, disable logging, create backdoor VPN accounts, or redirect traffic — all without triggering the kind of alert that an active intrusion attempt might generate. Because the credential-cracking phase happens off-device, defenders see no authentication failures on the firewall itself before the adversary acts.

Why healthcare networks are a particular concern

Fortinet's FortiGate line is among the most common perimeter firewall and VPN platforms in US healthcare, including in small and mid-size practices that rely on a single appliance to segment their clinical network from the internet. An adversary with administrator access to that device effectively controls what traffic reaches EHR servers, medical imaging systems, and any other resource behind the perimeter.

Healthcare organizations are also frequent targets of ransomware groups that specialize in double-extortion — encrypting data while simultaneously exfiltrating it for threatened disclosure. Compromised firewall credentials are a preferred initial-access method for several groups active against healthcare targets, because perimeter access allows lateral movement before detection tools on endpoint or SIEM platforms have a chance to flag anomalous behavior.

HIPAA's Security Rule requires covered entities to implement technical controls that prevent unauthorized access to electronic protected health information. A firewall whose administrator credentials are in adversary hands cannot reliably serve as that control, and the configuration changes an adversary makes may persist long after the initial intrusion is discovered.

What independent practices should check now

The immediate priority is determining whether any internet-facing FortiGate appliance in the environment was reachable from the public internet during the exposure window and whether its configuration file could have been extracted. Key steps reported by security researchers include:

What this signals about perimeter security discipline

FortiBleed illustrates a pattern that has become more common over the past two years: campaigns that target the configuration state of network appliances rather than exploiting code vulnerabilities in real time. Because configuration files can be extracted through features that are legitimately present in the device, perimeter firewalls that appear to be functioning normally may already be compromised.

For healthcare compliance officers, the practical implication is that perimeter appliance management deserves the same review cadence applied to endpoint agents and access control lists. Periodic audits of firewall administrator accounts, confirmation that management interfaces are not internet-exposed, and documented procedures for emergency credential rotation are controls that HIPAA risk analyses should address explicitly — not assume. The scale of the FortiBleed credential pool means that even practices with no specific indication of targeting should treat this as an active threat until their environment is confirmed clean.
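As an added example (not Arctic Wolf's or Fortinet's code), the following Python audit parses a FortiOS-style backup configuration and flags two of the conditions the article says practices should review: administrator accounts with no trusthost restriction, and WAN-role interfaces that still allow management services. The config layout and the sample snippet are assumptions constructed for this demonstration; check the parser against your own firmware's export before relying on it.

```python
import re
# Constructed FortiOS-style backup snippet (assumed layout; not a real device export).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 10.20.0.0 255.255.255.0
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""

BLOCK_RE = re.compile(r"^config (.+?)$\n(.*?)^end$", re.M | re.S)
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', re.M | re.S)
SET_RE = re.compile(r"^\s*set (\S+) (.+)$", re.M)

def parse_config(text):
    # Returns {section: {entry name: {setting: value}}} for top-level config blocks.
    return {sec: {name: {m[1]: m[2].strip('"') for m in SET_RE.finditer(body)}
                  for name, body in EDIT_RE.findall(entries)}
            for sec, entries in BLOCK_RE.findall(text)}

def audit(text):
    # Defender checks: unrestricted admin logins and management services on WAN.
    cfg, findings = parse_config(text), []
    for name, s in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin '{name}' has no trusthost restriction")
    for name, s in cfg.get("system interface", {}).items():
        mgmt = {"http", "https", "ssh", "telnet"} & set(s.get("allowaccess", "").split())
        if s.get("role") == "wan" and mgmt:
            findings.append(f"interface '{name}' exposes {' '.join(sorted(mgmt))} on WAN")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```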