A large-scale credential compromise campaign targeting Fortinet FortiGate firewalls — dubbed FortiBleed by researchers at Arctic Wolf — was identified in mid-June 2026 and is actively ongoing. Threat actors have been extracting configuration files from internet-facing devices and cracking stored password hashes, producing verified working administrator credentials for an estimated 30,000 to 75,000 firewalls spread across 194 countries. Healthcare organizations that rely on FortiGate appliances for network perimeter control are directly exposed, given how widely the hardware is deployed across hospitals, physician groups, and health system branch sites.
What the campaign does
FortiBleed is not a brute-force operation. Attackers are pulling configuration files — which contain hashed credentials — directly from exposed management interfaces and then cracking those hashes offline. The result is a list of fully functional administrator usernames and passwords that can be used to log into affected devices without triggering typical failed-authentication alerts.
That mechanism matters for healthcare IT teams because it bypasses one of the most common compensating controls: account lockout and login-failure monitoring. By the time an organization's security monitoring flags unusual activity, an attacker may already have persistent access to the firewall itself — the device that governs which traffic reaches clinical systems, EHR servers, and networked medical equipment.
Why healthcare environments are particularly exposed
Firewalls in healthcare settings frequently sit in front of far more than general office traffic. They protect connections to electronic health record systems, medical imaging archives, laboratory interfaces, and remote-access pathways used by clinicians. Administrator-level access to a firewall gives an attacker the ability to redirect traffic, disable inspection rules, create VPN tunnels out of the network, or stage a ransomware deployment without early detection.
Many smaller and independent practices purchase enterprise-grade firewall hardware but do not have dedicated staff to apply firmware updates or rotate administrative credentials on a defined schedule. Devices running older FortiOS releases — particularly those that were previously affected by known configuration-exposure vulnerabilities — are considered to be at highest risk in this campaign.
What the exposure means operationally
The geographic breadth of FortiBleed — 194 countries — signals that this is an automated, opportunistic sweep rather than a targeted intrusion. That does not reduce the risk to any individual organization. Opportunistic campaigns monetize access indiscriminately, and healthcare records and network access have consistent resale value in criminal markets.
Key operational considerations for practices running FortiGate hardware:
- Firmware version check. Devices should be confirmed to be running the current supported FortiOS release. Fortinet has issued advisories tied to configuration-exposure vulnerabilities that are likely the initial vector for file extraction.
- Administrative credential rotation. Any FortiGate device that has been internet-facing with its management interface reachable should be treated as having compromised credentials until they are changed, regardless of whether a specific indicator of compromise has been observed.
- Management interface exposure. Fortinet has long recommended that the management interface not be reachable from the public internet. Organizations should confirm that firewall management access is restricted to internal administrative VLANs or out-of-band management networks.
- Configuration audit. Reviewing firewall rules for recently added VPN users, policy changes, or outbound tunnels can surface unauthorized changes made using stolen credentials.
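A defender-side check for the management-exposure and configuration-audit items above, written here as an added example and not part of the article: a small Python audit over a FortiGate configuration backup that flags management services (HTTPS/SSH) left enabled on WAN-role interfaces and admin accounts with no trusted-host restriction. The config text is a constructed sample; the parser assumes FortiOS's "config / edit / set / next / end" block layout and that the backup omits default values, so an admin entry with no trusthost lines is taken as unrestricted.

```python
# Added example (not the article's): audit a FortiGate config backup for exposed management access.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
    next
    edit "ops-admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""  # constructed sample in FortiOS "config / edit / set / next / end" layout
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}

def parse_config(text):
    """Return {section: {entry: {key: [values]}}}; nested sub-blocks are skipped."""
    sections, depth, table, entry = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:                         # top-level table, e.g. "system admin"
                table, entry = sections.setdefault(line[7:], {}), None
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.replace('"', "").split()
    return sections

def exposed_wan_management(cfg):
    """Map WAN-role interfaces to the management services they still accept."""
    return {n: sorted(svc) for n, a in cfg.get("system interface", {}).items()
            if a.get("role") == ["wan"]
            and (svc := MGMT_SERVICES & set(a.get("allowaccess", [])))}

def admins_without_trusthost(cfg):
    """Admins with no trusthostN line; the backup is assumed to omit the open default."""
    return sorted(n for n, a in cfg.get("system admin", {}).items()
                  if not any(k.startswith("trusthost") for k in a))
```

To run this against a real device, replace SAMPLE_CONFIG with the contents of an exported backup; an interface in the WAN map or a name in the admin list is a configuration weakness to remediate, not evidence of compromise by itself.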
What this signals about the next 12 months
FortiBleed follows a pattern that has repeated across major network-device vulnerabilities over the past several years: a configuration or authentication flaw in widely deployed hardware, slow patch adoption across the installed base, and eventual mass exploitation before most organizations have applied mitigations. The 30,000-to-75,000 device estimate likely represents only the devices researchers have directly confirmed; the actual number of organizations with extractable configurations may be higher.
For compliance officers, this campaign also raises a documentation question. HIPAA's Security Rule requires covered entities to protect electronic protected health information from reasonably anticipated threats. A known, active, named campaign targeting the specific hardware model protecting a practice's network creates a documented and foreseeable risk — one that will appear in any post-incident investigation. Practices that have not yet reviewed their network perimeter device inventory, patch status, and credential hygiene should prioritize doing so before a breach event forces the review.