A large-scale campaign targeting Fortinet FortiGate firewalls has produced verified, working administrator credentials for tens of thousands of internet-facing devices, according to findings published by Arctic Wolf in mid-June 2026. Dubbed FortiBleed, the campaign involves systematic extraction of device configuration files followed by offline cracking of the credential hashes stored within them. The breadth — 194 countries, up to 75,000 affected devices — makes this one of the more consequential firewall-credential events in recent years, and healthcare organizations that rely on FortiGate appliances for perimeter defense should treat it as an active threat requiring immediate attention.
What the attackers are doing
The attack chain does not depend on a single new vulnerability so much as it exploits the way FortiGate devices expose configuration data to unauthenticated or minimally authenticated requests. Threat actors pull configuration files from internet-facing appliances, extract the hashed administrator credentials embedded in those files, and crack them offline — a method that requires no interactive login and therefore generates limited real-time alerting.
The result is a large inventory of confirmed, working credentials. Possession of those credentials gives an attacker direct administrative access to the firewall itself: the ability to modify routing and access-control rules, create new accounts, disable logging, and establish persistent footholds inside the network the device is meant to protect.
Why healthcare networks face elevated risk
Firewalls of this class are common at hospitals, physician groups, imaging centers, and other covered entities. They frequently sit at the boundary between clinical networks — where EHR systems, PACS servers, and medical devices operate — and the public internet. A compromised administrator account on a perimeter firewall can nullify network-segmentation controls that an organization has spent years building, because an attacker with admin rights can simply rewrite the rules.
Healthcare environments also tend to have longer patch and configuration-review cycles than financial-services peers, partly because maintenance windows must work around clinical operations. That lag matters here: devices that have not had their configurations audited recently may be carrying the same credential hashes that attackers are already cracking.
What independent practices should check
The immediate priority is determining whether any FortiGate appliances in the environment are internet-facing and, if so, whether they have been hardened against configuration-file exposure. Practices should focus on three areas:
- Administrative credential rotation. Any FortiGate administrator password that has not been changed since the window in which a configuration file could have been extracted should be treated as potentially compromised and rotated immediately. This includes service accounts and any credentials reused across devices.
- Configuration-file exposure. Review whether management interfaces are accessible from the public internet. FortiGate management planes should be reachable only from explicitly authorized internal or VPN-connected IP ranges, not from the open internet. Closing that exposure stops further extraction but does nothing about hashes already taken, which is why it must be paired with the rotation above.
- Log review for anomalous admin activity. Examine firewall management logs for authentication events, rule changes, new account creation, or configuration exports that cannot be attributed to known administrative activity. An attacker with working credentials may already be present in some environments.
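The third check above can be made repeatable. The following is an added example, not code from Arctic Wolf, Fortinet or the original article: it parses event lines written in the key=value style FortiGate uses and flags the four event classes the article names (admin logins from outside an allowlist, new administrator accounts, policy changes and configuration exports). The sample lines, the field names used in them and the `10.20.0.0/16` management range are constructed assumptions, not captured logs.

```python
import ipaddress
import re

# Constructed sample lines in the key=value style of FortiGate event logs; the
# field names and values are illustrative, not captured from a real device.
SAMPLE_LOGS = [
    'date=2026-06-15 time=09:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.20.0.5)" action="login" status="success"',
    'date=2026-06-15 time=23:41:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" action="login" status="success"',
    'date=2026-06-15 time=23:42:30 type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2026-06-15 time=23:43:02 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="https(203.0.113.77)" action="backup"',
    'date=2026-06-15 time=23:44:10 type="event" subtype="system" logdesc="Object configured" user="svc_backup" ui="https(203.0.113.77)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]"',
]

# Assumed: the only ranges permitted to reach the management interface.
ALLOWED_MGMT = [ipaddress.ip_network("10.20.0.0/16")]

# One key=value pair; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_ip(event):
    """Pull the client address out of a ui field such as https(203.0.113.77)."""
    m = re.search(r'\((\d{1,3}(?:\.\d{1,3}){3})\)', event.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None

def review_events(lines, allowed=ALLOWED_MGMT):
    """Return (line_number, reason) for events that need attribution or escalation."""
    findings = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        ip = source_ip(ev)
        if ev.get("action") == "login" and ev.get("status") == "success":
            if ip is None or not any(ip in net for net in allowed):
                findings.append((n, f"admin login for {ev.get('user')} from non-allowlisted {ip}"))
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append((n, f"new administrator account {ev.get('cfgobj')} created by {ev.get('user')}"))
        if ev.get("cfgpath", "").startswith("firewall.policy"):
            findings.append((n, f"firewall policy {ev.get('cfgobj')} changed: {ev.get('cfgattr')}"))
        if ev.get("action") == "backup":
            findings.append((n, f"configuration export by {ev.get('user')} from {ip}"))
    return findings

if __name__ == "__main__":
    for n, reason in review_events(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

Run against a real export, every finding still has to be matched to a change ticket or an administrator's own recollection; the script only shortens the list that needs a human.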
What this signals about the next 12 months
The FortiBleed campaign illustrates a pattern that has accelerated: attackers increasingly target network infrastructure devices rather than end-user endpoints, because a single compromised appliance can provide durable access to everything behind it. Configuration-file theft and offline hash-cracking require no malware on the target device, produce no endpoint-detection alert, and are difficult to spot without purpose-built monitoring of management-plane activity.
For compliance officers, the event is a reminder that HIPAA's Security Rule technical-safeguard requirements — particularly those governing access controls and audit controls under 45 CFR §§ 164.312(a) and 164.312(b) — apply to network infrastructure as directly as they do to application-layer systems. A firewall whose administrator credentials are unknown to the attacker is a safeguard; one whose credentials are already in an attacker's spreadsheet is not. Periodic credential rotation, restricted management-interface exposure, and log-based detection of privileged-account activity are the controls most directly relevant to the threat FortiBleed describes.