Security researchers at Arctic Wolf disclosed in mid-June 2026 that threat actors are actively extracting configuration files from internet-facing Fortinet FortiGate firewalls and cracking the stored credential hashes found inside them. The campaign, named FortiBleed, has produced verified, working administrator credentials for an estimated 30,000 to 75,000 devices spread across 194 countries. Fortinet firewalls are among the most widely deployed perimeter devices in healthcare settings, making the scale of the compromise directly relevant to hospitals, health systems, and independent practices that rely on them for network segmentation and remote-access control.
What the attackers are doing
The FortiBleed technique centers on unauthorized access to FortiGate configuration files, which store the credential hashes for every administrative account defined on the device. Once a file has been extracted, those hashes are cracked offline, on attacker-controlled hardware, so the process leaves no trace on the firewall and raises no intrusion-detection alert there; how quickly it succeeds depends on the hash format and on password strength. The result is a pool of valid administrator credentials that can be used to reconfigure firewalls, disable logging, open VPN tunnels, or pivot deeper into internal networks without tripping the initial-access alarms most organizations monitor.
The campaign is described as systematic and large-scale rather than targeted at specific industries or geographies, which means healthcare organizations are exposed by default rather than by deliberate selection. Devices that appear uncompromised on the surface may already have credentials in adversary hands.
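To make concrete what a leaked configuration file hands an attacker, and where the resulting credentials would work from, here is an added Python example (it is not code from Arctic Wolf's report or from Fortinet) that parses a FortiGate backup in FortiOS's config / edit / set / next / end layout and reports the admin accounts whose stored hashes are now in play, the accounts with no trusted-host restriction, and the management services reachable on external interfaces. The sample backup is constructed, the hash values in it are placeholders, and the list of external interface names is an assumption to adjust for your own device.

```python
"""Audit a FortiGate configuration backup for what a leaked copy exposes.

Added example, not part of the original article.  The stanza layout
(config / edit / set / next / end) and the 'set password ENC ...' form are
FortiOS's; the SAMPLE_CONFIG below is constructed and its hashes are
placeholders, and EXTERNAL_INTERFACES is an assumption for this example."""

import re

# Constructed sample backup; the ENC values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
    set hostname "clinic-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER_HASH_1
    next
    edit "itvendor"
        set trusthost1 10.20.0.0 255.255.0.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER_HASH_2
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
    next
end
"""

EXTERNAL_INTERFACES = ("wan1", "wan2")          # assumption for this example
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "fgfm"}  # allowaccess values that expose management

_STANZA = re.compile(r"^config (.+)$")
_EDIT = re.compile(r'^edit "?([^"]+)"?$')
_SET = re.compile(r"^set (\S+)\s*(.*)$")


def parse_fortios(text):
    """Return {section_path: {entry_name: {key: value}}}.

    Keys set directly under a section (no 'edit') live under entry ''.
    Nested stanzas get a path like 'system interface/wan1/ipv6'."""
    tree = {}
    stack = []  # frames of [section_path, current_entry]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _STANZA.match(line):
            parent = f"{stack[-1][0]}/{stack[-1][1]}/" if stack else ""
            stack.append([parent + m.group(1), ""])
            tree.setdefault(stack[-1][0], {}).setdefault("", {})
        elif line == "end":
            stack.pop()
        elif not stack:
            continue  # text outside any stanza (banners, comments)
        elif m := _EDIT.match(line):
            stack[-1][1] = m.group(1)
            tree[stack[-1][0]].setdefault(m.group(1), {})
        elif line == "next":
            stack[-1][1] = ""
        elif m := _SET.match(line):
            path, entry = stack[-1]
            tree[path][entry][m.group(1)] = m.group(2).strip().strip('"')
    return tree


def audit(tree, external_interfaces=EXTERNAL_INTERFACES):
    """Summarise what the backup gives an attacker and where it can be used."""
    report = {"admins_to_rotate": [], "admins_without_trusthost": [], "exposed_interfaces": {}}
    for name, attrs in tree.get("system admin", {}).items():
        if not name:
            continue  # section-level keys, not an account
        # Every stored hash is crackable offline once the file has left the device.
        if attrs.get("password", "").startswith("ENC "):
            report["admins_to_rotate"].append(name)
        # Without any trusthostN entry the cracked credential works from any source address.
        if not any(k.startswith("trusthost") for k in attrs):
            report["admins_without_trusthost"].append(name)
    for name, attrs in tree.get("system interface", {}).items():
        if name not in external_interfaces:
            continue
        exposed = sorted(set(attrs.get("allowaccess", "").split()) & MGMT_SERVICES)
        if exposed:
            report["exposed_interfaces"][name] = exposed
    return report


if __name__ == "__main__":
    for key, value in audit(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Run against a real backup, the three lists map directly onto the response: every account in `admins_to_rotate` needs a new password, every account in `admins_without_trusthost` needs `trusthost` entries so a cracked credential is useless from the internet, and every interface in `exposed_interfaces` needs its `allowaccess` trimmed to what the perimeter actually requires.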
Why healthcare exposure is elevated
Fortinet FortiGate appliances are common at the network perimeter of physician groups, community hospitals, and specialty clinics, often providing both firewall and SSL-VPN functions for remote clinical staff. A successful credential-based takeover of one of these devices could allow an attacker to intercept traffic flowing between clinical workstations and EHR systems, disable security controls ahead of a ransomware deployment, or establish persistent access that survives routine patching cycles.
Healthcare organizations also tend to run longer device-refresh cycles than financial or technology sector peers, which increases the likelihood that affected appliances carry older firmware versions. Configuration files on older firmware may store credentials in hash formats that are faster to crack, compressing the window between file extraction and usable credential recovery.
What the compromise path means for network defenders
The offline nature of hash cracking is the defining operational challenge here. By the time an organization notices anomalous administrator login activity, working credentials may already have been in adversary hands for days or weeks. Routine perimeter log review will not surface the extraction event unless the organization specifically looks for configuration reads: backup downloads, unexpected requests to the management interface or its API, and sessions from unfamiliar source addresses.
Several immediate actions warrant attention for any organization running FortiGate devices:
- Rotate administrator credentials now. Assume any FortiGate device with a management interface exposed to the internet during the past several weeks may have had its configuration file read and its credential hashes extracted. Because the same file holds other secrets, such as VPN pre-shared keys, directory bind passwords, and SNMP communities, treat those as exposed as well.
- Audit management interface exposure. FortiGate management and SSL-VPN interfaces should not be reachable from the public internet without additional access controls. Where direct internet exposure exists, it should be restricted immediately.
- Review firmware versions. Devices running outdated firmware should be checked for whether they store administrator hashes in an older, faster-to-crack format, and their patching timelines accelerated accordingly.
- Check for anomalous admin sessions. Log review should extend backward several weeks to identify any administrator sessions originating from unexpected IP ranges or occurring outside normal operational hours.
- Verify logging integrity. An attacker with administrative access may have disabled logging or redirected it elsewhere. Confirming that firewall logs are complete, with no unexplained gaps and no changes to log destinations, is a precondition for trusting any absence-of-evidence conclusion.
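The log-review steps above can be run as one pass over exported FortiGate event logs. The following is an added Python example, not code from Arctic Wolf or Fortinet: it parses FortiGate's key=value event-log lines and flags successful admin logins from outside an allowlist of trusted networks or outside working hours, any configuration backup or download, any change to logging settings, and gaps in the log longer than a threshold. The five sample lines are constructed; the trusted networks, working hours and gap threshold are assumptions for the example, and the `logdesc` and `cfgpath` strings it matches on are assumptions to confirm against the log reference for your firmware version.

```python
"""Triage FortiGate event logs for post-extraction activity.

Added example, not part of the original article.  FortiGate writes event
logs as key=value pairs; SAMPLE_LOGS below is constructed, and the logdesc
and cfgpath values matched on, the trusted networks, the working-hours
window and the gap threshold are assumptions to adjust for your estate."""

from datetime import datetime, timedelta
import ipaddress
import shlex

# Constructed sample: a normal login and backup from the LAN, then an
# off-hours login from an unfamiliar address that disables syslog.
SAMPLE_LOGS = """\
date=2026-06-10 time=09:14:02 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.20.5.7)" srcip=10.20.5.7 action="login" status="success" msg="Administrator admin logged in successfully from https(10.20.5.7)"
date=2026-06-10 time=09:16:40 type="event" subtype="system" level="information" logdesc="Config backup" user="admin" ui="https(10.20.5.7)" srcip=10.20.5.7 action="backup" msg="Configuration backup downloaded"
date=2026-06-14 time=03:07:55 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.23)"
date=2026-06-14 time=03:09:12 type="event" subtype="system" level="notice" logdesc="Attribute configured" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2026-06-16 time=11:45:30 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.20.5.7)" srcip=10.20.5.7 action="login" status="success" msg="Administrator admin logged in successfully from https(10.20.5.7)"
"""

TRUSTED_NETS = ("10.20.0.0/16",)   # assumption: where admins legitimately work from
WORK_HOURS = (6, 20)               # assumption: local hours during which admin logins are expected
MAX_GAP = timedelta(hours=72)      # assumption; on a real firewall feeding traffic logs use minutes


def parse_log(text):
    """Turn key=value lines into dicts; shlex handles the quoted values."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
        fields["_ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def triage(events, trusted_nets=TRUSTED_NETS, work_hours=WORK_HOURS, max_gap=MAX_GAP):
    """Return (kind, detail) findings in log order."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    prev = None
    for e in events:
        ts = e["_ts"]
        # Logging integrity: a silent stretch may mean logs were disabled or redirected.
        if prev is not None and ts - prev > max_gap:
            findings.append(("log_gap", f"no events between {prev} and {ts}"))
        prev = ts
        src = e.get("srcip", "")
        user = e.get("user", "?")
        # Anomalous admin sessions: wrong source network or wrong time of day.
        if e.get("action") == "login" and e.get("status") == "success":
            addr = ipaddress.ip_address(src)
            if not any(addr in n for n in nets):
                findings.append(("untrusted_source_login", f"{user} from {src} at {ts}"))
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                findings.append(("off_hours_login", f"{user} from {src} at {ts}"))
        # Configuration reads: every backup is a candidate extraction event.
        if "backup" in e.get("logdesc", "").lower():
            findings.append(("config_read", f"{user} from {src} at {ts}"))
        # Changes under the log.* tree alter where or whether events are recorded.
        if e.get("cfgpath", "").startswith("log."):
            findings.append(("logging_changed", f"{user} set {e.get('cfgattr', '?')} on {e['cfgpath']} at {ts}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_log(SAMPLE_LOGS)):
        print(f"{kind:24s} {detail}")
```

The config_read finding on the legitimate 09:16 backup is deliberate: every configuration read in the review window is a candidate extraction event until its source and operator are accounted for. The logging_changed finding is the one to chase first, since everything after it is only as trustworthy as the log destination that was altered.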
What this signals about perimeter device risk
FortiBleed fits a pattern that has intensified over the past two years: large-scale, automated harvesting of credentials and configuration data from perimeter appliances, followed by deferred exploitation once a sufficient inventory of working access has been assembled. Earlier campaigns against Citrix, Ivanti, and Palo Alto Networks appliances followed a similar arc, and healthcare organizations were frequently among those hardest hit in the exploitation phase.
The lesson from those incidents is that the window between credential acquisition and active exploitation is unpredictable. Organizations that treated those earlier campaigns as low priority because they saw no immediate intrusion activity later discovered that access had been quietly maintained for months. Given the scale of confirmed credential recovery the researchers have documented, treating FortiBleed as an active intrusion scenario rather than a theoretical future risk is the more defensible approach.