Security researchers at Arctic Wolf disclosed in mid-June 2026 that threat actors have been systematically pulling configuration files from internet-facing Fortinet FortiGate firewalls and cracking the password hashes stored within them — a campaign now labeled FortiBleed. The result is a pool of verified, working administrator credentials for an estimated 30,000 to 75,000 devices spanning 194 countries. For healthcare organizations that rely on FortiGate appliances as a primary network perimeter control, the implications are immediate: a valid admin credential on a firewall is, functionally, an open door.

What the campaign actually does

FortiBleed is not a remote-code-execution exploit in the traditional sense. Attackers retrieve configuration files from devices exposed to the public internet and run offline cracking against the administrator password hashes those files contain. A cracked hash yields a legitimate credential that needs no further exploitation to use. Two practical consequences follow: once the file is in attacker hands, only the hash's work factor and the password's strength stand between retrieval and a working login, and any device whose configuration may have been retrieved should have every credential it held rotated, because a hash that has not yet been cracked is still being worked on offline.

The technique is significant because it bypasses many conventional intrusion-detection signals. There is no payload delivery, no malware drop and no lateral movement at the moment of credential theft, and the offline cracking that follows generates no traffic to the victim at all. Organizations often have no indication of compromise until the attacker logs in with the cracked credential and begins operating, which makes the firewall's own admin-login and configuration-change logs the first place to look.

The scale — tens of thousands of verified credentials already in hand across nearly every country — suggests the campaign is either partially automated or has been running quietly for some time before researchers identified it.

Why healthcare networks carry elevated risk

Fortinet FortiGate appliances are widely deployed across hospital systems, large physician groups, and regional health networks as the primary firewall and VPN gateway. Many of those deployments include devices that face the internet directly to support remote-access and site-to-site VPN connectivity — precisely the exposure profile FortiBleed exploits.

Healthcare organizations also tend to run longer patch and firmware-update cycles than other sectors, partly because change-management requirements around clinical systems create scheduling friction. Devices that have not received recent firmware updates are more likely to expose the configuration-file retrieval path that this campaign relies on.

A compromised firewall administrator credential lets an attacker modify firewall policies, disable or redirect logging, create new VPN or administrator accounts, or pivot directly into internal network segments that host electronic health record systems and other regulated data stores. Because every one of these is a legitimate authenticated action, the device's own audit log, forwarded off-box before it can be tampered with, is often the only record that they happened.
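The following is an added example, not code from Arctic Wolf, Fortinet or this article, showing how the three post-login actions above (an admin login from an unexpected address, logging being switched off, and an account being created) can be picked out of FortiGate-style event logs. The log lines are constructed in FortiOS's key=value syslog style, and the field names relied on (logdesc, user, srcip, action, cfgpath, cfgobj, cfgattr), the trusted administrator network and the set of account configuration paths are assumptions to be checked against a real export from your own devices.

```python
"""Flag post-compromise activity in FortiGate-style event logs.

Added example, not Arctic Wolf's, Fortinet's or the article's code. The log lines
below are constructed in FortiOS's key=value syslog style; the field names used
(logdesc, user, srcip, action, cfgpath, cfgobj, cfgattr) are assumed to match a
real export and should be checked against your own device's output before use.
"""
import ipaddress
import re

# Constructed sample: one admin session from an unexpected address that disables
# syslog forwarding and adds a local user, followed by a legitimate NOC login.
SAMPLE_LOGS = [
    'date=2026-06-15 time=03:12:44 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=198.51.100.23 '
    'action="login" status="success"',
    'date=2026-06-15 time=03:13:02 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" srcip=198.51.100.23 '
    'action="Edit" cfgpath="log.syslogd.setting" cfgobj="" '
    'cfgattr="status[enable->disable]"',
    'date=2026-06-15 time=03:13:40 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" srcip=198.51.100.23 '
    'action="Add" cfgpath="user.local" cfgobj="svc-backup" cfgattr="type[password]"',
    'date=2026-06-15 time=09:00:05 type="event" subtype="system" '
    'logdesc="Admin login successful" user="noc-ro" srcip=10.10.0.50 '
    'action="login" status="success"',
]

# Where administrators are expected to log in from (assumed for the example;
# in practice mirror the trusthost entries configured on the device).
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Config paths whose creation should be reviewed (assumed set; extend with
# whatever your environment treats as account configuration).
ACCOUNT_PATHS = ("system.admin", "user.local")
# Any change under log.* that contains "disable" is treated as logging tampering.
LOGGING_PREFIXES = ("log.",)

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn `key=value key="quoted value"` into a dict (quoted values may
    contain spaces; an empty quoted value becomes '')."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def detect(lines):
    """Return (rule, user, detail) tuples for the events worth reviewing."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        action = ev.get("action", "")
        user = ev.get("user", "")
        src = ev.get("srcip")
        path = ev.get("cfgpath", "")

        # 1. Successful admin login from outside the trusted networks.
        if action == "login" and ev.get("status") == "success" and src:
            if not any(ipaddress.ip_address(src) in net for net in ADMIN_NETWORKS):
                findings.append(("admin_login_untrusted_source", user, src))

        # 2. Logging configuration switched off.
        if path.startswith(LOGGING_PREFIXES) and "disable" in ev.get("cfgattr", ""):
            findings.append(("logging_disabled", user, path))

        # 3. New account object added.
        if action == "Add" and path in ACCOUNT_PATHS:
            findings.append(("account_created", user, ev.get("cfgobj", "")))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOGS):
        print(f"{rule}: user={user} {detail}")
```

The fourth sample line, a login from inside the trusted network, produces nothing; the first three produce one finding each. The rules only work if the logs reach a collector the attacker cannot reach with the same credential, which is why the second rule exists at all.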

What independent practices should check now

The immediate operational priority is confirming whether any FortiGate devices in the environment expose their management interfaces on public addresses. A VPN gateway necessarily terminates VPN sessions on a public address, but administrative access (HTTPS, SSH and similar management protocols) on that same interface is a separate, per-interface setting on FortiGate, and it should not be reachable from the public internet under any normal operating condition. Where it is, that exposure should be corrected before any other remediation step, and administrator accounts should additionally be restricted to trusted source addresses.
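As an added example (not Arctic Wolf's, Fortinet's or the article's code), the check above can be run against a configuration backup rather than by probing the device: parse the FortiOS CLI text, flag WAN-role interfaces whose `allowaccess` list includes a management protocol, and flag administrator accounts with no `trusthost` entries. Only the generic `config` / `edit` / `set` / `next` / `end` layout and those three attributes are relied on; the configuration text, interface names, addresses and account names below are constructed for illustration.

```python
"""Audit a FortiGate configuration export for management-plane exposure.

Added example, not code from Arctic Wolf, Fortinet or the article. It relies only
on the generic FortiOS CLI layout (config / edit / set / next / end) and on the
`allowaccess`, `role` and `trusthostN` attributes. The configuration text below
is constructed for illustration; the names and addresses in it are made up.
"""

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder
    next
    edit "noc-ro"
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC placeholder
    next
end
"""

# Protocols on `set allowaccess` that reach the management plane (ping is not one).
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}


def parse_fortios(text):
    """Parse top-level `config <section>` blocks into
    {section: {entry: {attribute: [values]}}}.  Nested `config` blocks inside an
    entry are tracked only so their `next`/`end` lines are not mistaken for the
    outer block's; their attributes are not collected."""
    sections = {}
    depth = 0
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line[len("config "):]
                sections.setdefault(section, {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = entry = None
        elif depth != 1:
            continue  # inside a nested block: ignore
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, *values = line[len("set "):].split()
            sections[section][entry][key] = [v.strip('"') for v in values]
    return sections


def audit(sections):
    """Return human-readable findings for WAN interfaces that accept management
    protocols and for admin accounts with no trusted-host restriction."""
    findings = []
    for name, attrs in sections.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(
                f"interface {name}: management protocols {sorted(exposed)} "
                "enabled on a WAN-role interface")
    for name, attrs in sections.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(
                f"admin {name}: no trusthost entries, so the account can be "
                "used from any address that reaches a management-enabled interface")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

On the sample this reports `wan1` (HTTPS and SSH on a WAN-role interface) and the `admin` account (no trusted hosts); `internal` and `noc-ro` pass. The interface check keys on `set role wan`, so an interface carrying a public address with no role set will not be flagged and should be reviewed by hand.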

Beyond surface reduction, the relevant controls are:

What this signals about the next 12 months

FortiBleed fits a pattern that has accelerated since 2023: attackers targeting network-edge devices — firewalls, VPN concentrators, remote-access gateways — rather than endpoints or applications, because edge devices often carry high-privilege credentials and generate less behavioral telemetry than workstations or servers.

Healthcare organizations that have not yet conducted a formal inventory of internet-facing management interfaces across their network infrastructure are operating with an incomplete picture of their actual attack surface. The FortiBleed disclosures make that inventory work urgent rather than aspirational. The campaign's geographic reach — 194 countries — also makes it implausible for any organization to assume it was not in scope.