Security researchers confirmed in mid-June 2026 that threat actors are actively harvesting configuration files from internet-facing Fortinet FortiGate firewalls, cracking the password hashes stored in those files, and converting them into working administrator credentials. The campaign, tracked as FortiBleed, has affected devices in 194 countries and produced verified access to an estimated 30,000 to 75,000 firewalls. For healthcare organizations that rely on FortiGate appliances to segment clinical networks or protect remote-access infrastructure, the implications are direct: perimeter devices that administrators believed were secured may already have exposed credentials in the hands of unknown actors.
What the attack does
FortiBleed is not a typical brute-force campaign. Rather than attempting repeated logins, the threat actors are extracting configuration files from devices — files that contain hashed administrator credentials — and cracking those hashes offline, away from any login-attempt monitoring or account-lockout controls.
The result is a credential set that works silently. An attacker holding cracked credentials can authenticate as a legitimate administrator without triggering the anomaly signals that a brute-force attempt would generate. Once inside, access to firewall management consoles typically permits rule modification, VPN configuration changes, and traffic inspection — all of which carry serious implications for environments handling protected health information.
The scale of the campaign suggests automation. Systematically pulling configuration data from tens of thousands of devices across 194 countries in a short window points to scripted, opportunistic harvesting rather than targeted intrusion.
Why healthcare environments face elevated exposure
Healthcare organizations are disproportionately represented among FortiGate customers, particularly in the mid-market and community-hospital segment where the appliances are common perimeter and VPN gateway devices. Many were deployed rapidly during the 2020 telehealth expansion and may not have received consistent firmware maintenance since.
Two structural conditions amplify the risk. First, internet-facing management interfaces — the apparent entry point for configuration-file extraction — are frequently left exposed on healthcare networks where IT staffing is thin and remote management is a practical necessity. Second, password hygiene on network appliances often lags behind the standards applied to end-user accounts: default credentials, shared passwords across devices, and credentials that predate current complexity requirements all remain common findings in healthcare network audits.
The HIPAA Security Rule's technical safeguard requirements include access controls and audit controls that apply to systems handling electronic protected health information. A compromised firewall that sits in front of an EHR or imaging system creates a direct line between an external threat actor and covered data.
What administrators should check immediately
Organizations running FortiGate appliances should treat this campaign as a prompt for immediate verification rather than a wait-and-watch situation. Several concrete steps apply regardless of whether a specific device has been confirmed affected:
- Management interface exposure. Verify that FortiGate management interfaces are not reachable from the public internet. Access should be restricted to dedicated management VLANs or out-of-band networks.
- Credential rotation. All administrator credentials on FortiGate devices should be rotated now. Because the attack cracks hashes extracted from configuration files, credentials that existed before mid-June 2026 should be treated as potentially compromised even if no anomalous login activity has been observed.
- Firmware currency. Confirm devices are running current firmware. Fortinet has issued patches for multiple high-severity vulnerabilities over the past 18 months; unpatched devices carry compounded risk.
- Configuration-file access logging. Review whether the devices log access to configuration exports and whether those logs have been reviewed for anomalous activity in recent weeks.
- Credential uniqueness. Ensure administrator passwords are unique per device and are not reused across other systems in the environment. A cracked hash from one appliance should not open doors elsewhere.
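A defender-side audit of a FortiGate configuration export that covers the first and last checks above (management services reachable on WAN-facing interfaces, and administrator accounts with no trusted-host restriction). This is an added example, not Fortinet tooling and not code from the campaign reporting: the configuration text is constructed for the example, and the stanza and key names it parses (config system interface, config system admin, allowaccess, role, trusthost1) are assumed to follow FortiOS CLI conventions. It parses the nested config/edit/set/next/end structure into dictionaries and then applies the two checks, so it can be run against a real export instead of the sample.

```python
"""Audit a FortiOS-style configuration export for two exposure conditions:
management services on WAN-facing interfaces, and admin accounts without
any trusthost restriction. Added example; the config below is CONSTRUCTED
and the key names are assumed to follow FortiOS CLI conventions."""
import shlex

# Services that expose the management plane when allowed on an interface.
MGMT_SERVICES = {"https", "http", "ssh", "telnet"}

# Constructed sample export: one interface deliberately exposes management
# on the WAN side, and one admin account has no trusthost entries.
SAMPLE_CONFIG = """\
#config-version=CONSTRUCTED-SAMPLE
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
    edit "mgmt"
        set role undefined
        set dedicated-to management
        set allowaccess https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC REDACTED-CONSTRUCTED
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.50.0.0 255.255.255.0
        set password ENC REDACTED-CONSTRUCTED
    next
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/unset/next/end blocks into nested dicts.

    Result shape: {"system interface": {"wan1": {"role": ["wan"], ...}}, ...}
    A stack tracks the current container so nested config blocks inside an
    edit stanza are kept rather than breaking the parse. Unknown lines
    (e.g. the leading #config-version comment) are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif cmd in ("set", "unset") and args:
            stack[-1][args[0]] = args[1:]  # "unset key" stores an empty list
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def exposed_management_interfaces(cfg):
    """Return [(interface, [services])] for WAN-role interfaces that allow
    any management service. Matches the 'management interface exposure'
    check: these should be unreachable from the public internet."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = set(iface.get("allowaccess", [])) & MGMT_SERVICES
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append((name, sorted(exposed)))
    return findings


def admins_without_trusthost(cfg):
    """Return admin account names with no populated trusthostN entry.
    Cracked credentials for such an account work from any source address,
    which is the scenario the article describes."""
    weak = []
    for name, admin in cfg.get("system admin", {}).items():
        restricted = any(k.startswith("trusthost") and v for k, v in admin.items())
        if not restricted:
            weak.append(name)
    return weak


def audit(text):
    """Run both checks and return human-readable findings."""
    cfg = parse_fortios_config(text)
    report = []
    for iface, services in exposed_management_interfaces(cfg):
        report.append(f"WAN interface {iface!r} allows management services: {', '.join(services)}")
    for account in admins_without_trusthost(cfg):
        report.append(f"admin account {account!r} has no trusthost restriction")
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
```

To run it against a real device, replace SAMPLE_CONFIG with the text of a configuration backup taken over a trusted channel; the script reads only the stanzas it needs and never touches the password fields. It deliberately does not try to detect password reuse by comparing the stored ENC values, because those blobs are not a reliable equality test across devices; reuse is better verified through the rotation itself.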
What this signals about the next 12 months
FortiBleed follows a pattern that has accelerated since 2023: threat actors targeting the configuration and credential data stored in network appliances rather than attacking applications or endpoints directly. Similar campaigns have struck Ivanti, Cisco, and Palo Alto devices. The common thread is that perimeter hardware — historically treated as durable infrastructure requiring less active management than software systems — holds persistent secrets that, once extracted, grant access at the network layer.
For healthcare compliance officers, the practical lesson is that network appliance management warrants the same credential-rotation cadence and access-review discipline applied to privileged accounts in clinical systems. The HIPAA Security Rule does not distinguish between an EHR database and the firewall protecting it; both fall within the scope of reasonable and appropriate safeguards when they touch systems that store or transmit protected health information. Organizations that have not recently audited appliance credentials, management-interface exposure, or firmware currency now have a well-documented, active campaign as justification to do so.