A campaign researchers are calling FortiBleed has exposed working administrator credentials for between 30,000 and 75,000 Fortinet FortiGate firewall deployments worldwide, according to analysis published by Arctic Wolf in mid-June 2026. Threat actors extracted configuration files from internet-facing devices and cracked the stored password hashes offline, yielding valid credentials without triggering the kind of interactive login activity that most monitoring tools would flag. For healthcare organizations that rely on FortiGate appliances at the network perimeter, the exposure represents a direct path to the internal segments that carry protected health information.
What the attack chain looks like
The method is structurally significant because the credential theft itself is passive. Attackers did not brute-force live login interfaces; they collected configuration files — which contain hashed credentials — and processed those hashes off-device. That separation means the compromise phase generated little or no authentication-failure telemetry on the targeted firewalls.
Once working credentials are in hand, an attacker holds authenticated access to the firewall management plane: the ability to alter routing rules, disable logging, open new access paths, or pivot deeper into whatever network the device protects. In a clinical environment, that perimeter device often separates the public internet from EHR infrastructure, imaging systems, and connected medical devices.
Why healthcare environments carry elevated exposure
Fortinet holds a material share of the mid-market firewall installed base, a segment that includes the independent hospitals, multi-site physician groups, and outpatient specialty centers that form the core of community healthcare delivery. Many of those organizations operate with lean IT teams and long appliance refresh cycles, both of which increase the window between a vulnerability disclosure and an actual configuration or firmware update.
Configuration files containing credential hashes can be exposed through a range of vulnerabilities, including several older FortiOS path-traversal and SSL-VPN flaws that have been catalogued in prior years. Organizations that patched the initial vulnerability but never rotated the credentials stored in the configuration at the time of exposure remain at risk — the hash, once obtained, can be cracked regardless of subsequent patches.
What practices with FortiGate devices should verify now
The immediate priority is authentication hygiene rather than a broader infrastructure review. Specific items to confirm:
- Credential rotation. Any FortiGate device that was internet-facing during a period when a known configuration-extraction vulnerability was unpatched should have all administrator account passwords reset, even if the device has since been patched.
- Management-plane exposure. Firewall management interfaces should not be reachable from the public internet. Where they currently are, access should be restricted to defined administrative source addresses immediately.
- Firmware currency. Devices running FortiOS versions with known configuration-disclosure CVEs are still actively targeted. Patch status should be confirmed against Fortinet's current advisory list.
- Log review for authentication anomalies. Organizations should examine FortiGate authentication logs and any upstream SIEM data for successful logins from unexpected source addresses or at unusual times, particularly in the weeks preceding this disclosure.
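One way to carry out the log-review item above, as an added example that is not part of the article and not code from Fortinet: a short Python script that parses FortiGate event-log lines in the key=value layout the appliances emit and flags successful administrator logins that arrive from a source outside a defined admin network, outside business hours, or with no failed attempt from that user and source beforehand. That last condition is the pattern the article describes: an attacker holding already-cracked credentials logs in correctly on the first try, so the usual run of authentication failures never appears. The sample log lines, the admin subnet, and the business-hours window are constructed values an organization would replace with its own.

```python
"""Flag suspicious FortiGate administrator logins in key=value event logs.

Added example for illustration, not from the article or from Fortinet.
Assumes the standard FortiGate syslog key=value layout (date, time, user,
srcip, method, action, status); sample lines, the admin subnet and the
business-hours window below are constructed/hypothetical values.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample lines: field names follow the FortiGate event-log
# layout, but every value (addresses, user names, timestamps) is invented.
SAMPLE_LOGS = """\
date=2026-06-09 time=09:12:41 type="event" subtype="system" level="information" vd="root" user="admin" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 action="login" status="success" msg="Administrator admin logged in successfully from https(10.20.0.15)"
date=2026-06-09 time=14:05:02 type="event" subtype="system" level="alert" vd="root" user="jdoe" ui="ssh(10.20.0.22)" method="ssh" srcip=10.20.0.22 action="login" status="failed" reason="name_invalid" msg="Administrator jdoe login failed from ssh(10.20.0.22) because of invalid user name"
date=2026-06-09 time=14:05:19 type="event" subtype="system" level="information" vd="root" user="jdoe" ui="ssh(10.20.0.22)" method="ssh" srcip=10.20.0.22 action="login" status="success" msg="Administrator jdoe logged in successfully from ssh(10.20.0.22)"
date=2026-06-10 time=03:14:07 type="event" subtype="system" level="information" vd="root" user="admin" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.77)"
"""

# Hypothetical policy: the only network administrators should log in from,
# and the hours during which interactive admin logins are expected.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# key=value pairs; values are either "quoted with spaces" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return one log line as a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_trusted_source(ip):
    """True if the source address falls inside an approved admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def outside_business_hours(ts):
    """True if the timestamp falls outside the expected admin-login window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def find_suspicious_logins(raw_logs):
    """Scan event-log text and return a list of findings for admin logins."""
    findings = []
    failures_seen = set()  # (user, srcip) pairs that failed at least once earlier
    for line in raw_logs.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        user, src = ev.get("user"), ev.get("srcip")
        if ev.get("status") == "failed":
            failures_seen.add((user, src))
            continue
        if ev.get("status") != "success":
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        reasons = []
        if not is_trusted_source(src):
            reasons.append("source outside admin networks")
        if outside_business_hours(ts):
            reasons.append("outside business hours")
        if reasons:
            # A clean first-try success from an unexpected source is what
            # credentials cracked offline would look like in the log.
            if (user, src) not in failures_seen:
                reasons.append("no failed attempts preceded this success")
            findings.append({
                "time": ts.isoformat(),
                "user": user,
                "srcip": src,
                "method": ev.get("method"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOGS):
        print(f"{f['time']} user={f['user']} src={f['srcip']} via {f['method']}: "
              + "; ".join(f["reasons"]))
```

Against the constructed sample, the 03:14 login by `admin` from 203.0.113.77 is the only finding; it trips all three rules, while the two daytime logins from the admin subnet pass. In practice the same logic would run over exported FortiGate logs or the equivalent SIEM fields, with the network and hours set to the organization's own policy, and the time window widened to cover the weeks before the disclosure as the article recommends.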
What this signals for perimeter security discipline
FortiBleed follows a pattern that has recurred with perimeter network devices across multiple vendors over the past several years: a vulnerability that allows unauthenticated file or configuration retrieval, followed by delayed organizational response, followed by a secondary campaign that capitalizes on credentials harvested during the initial exposure window. The lag between vulnerability and credential rotation is where the persistent risk lives.
For HIPAA-covered entities, a compromised firewall administrator account is a security incident that triggers breach-risk analysis obligations regardless of whether the attacker subsequently accessed PHI. Incident response plans should account for network-device credential compromise as a distinct scenario, with documented procedures for containment, evidence preservation, and the risk assessment that determines notification obligations.