Security researchers at Arctic Wolf disclosed in mid-June 2026 that threat actors had been systematically pulling configuration files from internet-facing Fortinet FortiGate firewalls and cracking the credential hashes stored within them — a campaign now tracked as FortiBleed. The result is a pool of verified, working administrator credentials covering an estimated 30,000 to 75,000 devices in 194 countries. Fortinet firewalls are widely deployed as network perimeter controls across hospitals, physician groups, and healthcare-adjacent vendors, making this campaign directly relevant to covered entities and business associates relying on those devices for access control and network segmentation.
What the campaign does
FortiBleed is not a novel remote-code-execution exploit in the traditional sense. Attackers pull configuration files from exposed management interfaces — files that contain hashed administrator passwords — and then crack those hashes offline. Once cracked, the credentials function as legitimate administrator logins, giving threat actors full control of the firewall without triggering the kind of alerts that a brute-force login attempt would generate.
The offline cracking step is significant: it means the compromise is largely invisible until an attacker actually uses the credentials. Organizations may have no log evidence of unauthorized access during the window between configuration-file theft and credential use.
Why healthcare environments are specifically at risk
Fortinet devices are common in community hospitals, ambulatory surgery centers, and multi-site physician practices that standardized on the platform during a period when it offered competitive pricing for smaller organizations. Many of those deployments have management interfaces accessible from the public internet — a configuration that FortiGate documentation discourages but that is frequently encountered in resource-constrained environments.
A compromised firewall administrator account gives an attacker the ability to alter routing rules, disable logging, create VPN tunnels into the internal network, and suppress intrusion-detection alerts. In a healthcare environment, any of those capabilities is sufficient to stage a ransomware deployment or to establish persistent access to systems that process or transmit protected health information.
What affected organizations should check immediately
Any organization running a Fortinet FortiGate device should treat this campaign as an active threat and prioritize the following actions:
- Verify management interface exposure. Confirm that the FortiGate management interface is not reachable from the public internet. Restrict access to known administrative IP ranges at the network layer.
- Rotate all administrator credentials. Assume that any configuration file that could have been retrieved while the management interface was exposed has been retrieved. Credential rotation should cover all local administrator accounts, not only the primary admin.
- Review firewall and VPN logs for anomalous authentication. Look for successful logins from unfamiliar source IPs or at unusual hours, and for configuration changes that were not authorized through change-management processes.
- Apply current firmware. Fortinet has released patches addressing the underlying vulnerability class. Organizations should confirm they are running a firmware version that closes the configuration-file exposure pathway.
- Audit connected systems. A compromised perimeter firewall should prompt a broader review of internal access controls, particularly for systems that store or process electronic protected health information.
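As an added illustration of the log review in the third item above (not code from the article or from Fortinet), the Python below parses constructed key=value event lines and flags successful administrator logins from outside a trusted address range or outside business hours, plus configuration changes made from such sessions; the log field names and the trusted network are assumptions.

```python
import re
import ipaddress
from datetime import datetime
# Constructed sample lines approximating FortiGate key=value event logs. The
# field names (action, status, user, srcip, cfgpath) are assumptions for this
# example, not verified against any firmware version.
SAMPLE_LOGS = """\
date=2026-06-15 time=09:12:44 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.20.0.15
date=2026-06-15 time=03:41:07 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.77
date=2026-06-15 time=03:42:30 type="event" subtype="system" action="Edit" user="admin" srcip=198.51.100.77 cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]"
date=2026-06-15 time=03:45:01 type="event" subtype="system" action="Add" user="admin" srcip=198.51.100.77 cfgpath="vpn.ipsec.phase1-interface" cfgobj="remote-mgmt"
date=2026-06-15 time=14:05:19 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.9
"""

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin jump-host range
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_trusted(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in TRUSTED_ADMIN_NETS)

def find_anomalies(log_text):
    """Return (reason, record) pairs that warrant a human look."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if "srcip" not in rec:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        untrusted = not is_trusted(rec["srcip"])
        off_hours = ts.hour not in BUSINESS_HOURS
        if rec.get("action") == "login" and rec.get("status") == "success":
            if untrusted:
                findings.append(("admin login from untrusted source", rec))
            elif off_hours:
                findings.append(("admin login outside business hours", rec))
        elif "cfgpath" in rec and (untrusted or off_hours):
            # Config changes are where stolen credentials pay off: logging
            # disabled, new VPN tunnels, new admin accounts.
            findings.append((f"config change to {rec['cfgpath']} from suspect session", rec))
    return findings

if __name__ == "__main__":
    for reason, rec in find_anomalies(SAMPLE_LOGS):
        print(f"{rec['date']} {rec['time']} {rec['srcip']:>15}  {reason}")
```

Failed logins are deliberately not flagged here, because cracked credentials produce clean successful logins; the signal is the source address and timing of the success, not a failure burst.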
What this signals for the next 12 months
Credential-harvesting campaigns that rely on offline hash cracking rather than active exploitation are harder to detect and easier to scale. The FortiBleed campaign's geographic breadth — 194 countries — reflects automated, opportunistic scanning rather than targeted intrusion, which means smaller practices are as exposed as large health systems if their management interfaces are reachable.
For compliance officers, the more important question is whether the organization's existing incident-response and risk-analysis processes would catch a firewall compromise of this type. HIPAA's Security Rule requires covered entities to evaluate threats to electronic protected health information; a firewall running with an exposed management interface and stale credentials represents a documented, foreseeable risk that should appear in any current risk analysis. Organizations that have not reviewed firewall configuration as part of their annual risk assessment now have a clear prompt to do so.