Security researchers identified an active, large-scale credential compromise campaign in mid-June 2026 targeting Fortinet FortiGate firewalls, which are widely deployed as network perimeter devices across healthcare organizations of every size. Dubbed FortiBleed, the campaign involves systematic extraction of configuration files from internet-facing FortiGate devices, followed by offline cracking of the stored credential hashes. Arctic Wolf researchers estimate that verified, working administrator credentials have been recovered for between 30,000 and 75,000 devices spanning 194 countries — a scale that places the campaign among the more consequential network-infrastructure threats observed this year.

What the attackers are doing

The technique is straightforward and does not require sophisticated exploitation at the point of access. Threat actors are pulling configuration files from exposed FortiGate management interfaces — files that contain hashed administrator credentials — and cracking those hashes offline using standard password-recovery methods. Once cracked, the credentials grant full administrative access to the firewall itself, meaning an attacker can alter routing rules, disable logging, create VPN tunnels, or pivot directly into the protected network segment behind the device.

The geographic spread of 194 countries demonstrates that targeting is opportunistic rather than narrowly focused. Any organization running an internet-facing FortiGate management interface without adequate access controls is effectively in scope for this campaign regardless of sector, size, or location.

Why healthcare environments carry elevated exposure

Fortinet appliances are a common choice for clinic, hospital, and health system network perimeters, partly because of their price point and partly because of feature sets that appeal to organizations managing both clinical and administrative network segments. That prevalence means a non-trivial share of the 30,000 to 75,000 compromised credential sets likely belong to healthcare entities.

For covered entities and business associates, the downstream consequences of a perimeter firewall compromise extend well beyond network disruption. An attacker with administrative control over the firewall sits upstream of every protected health information system on that network — EHRs, imaging archives, lab interfaces, telehealth platforms, and billing systems. A successful follow-on intrusion would almost certainly trigger HIPAA breach notification obligations and potentially OCR investigation, depending on the data accessed.

What the exposure window looks like

Configuration files from FortiGate devices can be obtained through previously disclosed vulnerabilities — including CVE-2022-40684 and the broader set of path-traversal issues disclosed in 2024 — meaning the credential material in circulation may have been harvested weeks or months before the cracking effort surfaced publicly. Organizations that patched affected firmware but did not rotate administrator credentials after prior FortiGate vulnerability disclosures may already have working credentials in threat-actor hands without knowing it.

This delayed-exposure pattern is a recurring problem with credential-based campaigns: the initial collection and the operational use of credentials are separated in time, which means patching alone does not close the risk if credential rotation did not accompany it.
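As an added worked example (not from the article, Fortinet or Arctic Wolf), the triage logic below applies this reasoning to a constructed device inventory: a device is only cleared if its administrator credentials were rotated after the firmware patch closed the window in which its configuration could have been pulled. The inventory fields, device names and the use of the CVE-2022-40684 disclosure as the window floor are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Assumption: earliest date from which config files holding admin hashes could
# have been pulled from an exposed management interface. CVE-2022-40684 (named
# in the article) is used as that floor; adjust to your own vulnerability tracking.
CONFIG_EXPOSURE_START = date(2022, 10, 10)

@dataclass
class Device:
    name: str
    exposed_since: Optional[date]           # mgmt interface internet-reachable since; None = never
    firmware_patched_on: Optional[date]     # firmware current against config-disclosure bugs; None = unpatched
    admin_creds_rotated_on: Optional[date]  # last admin credential rotation; None = never

def harvest_window(d: Device, today: date) -> Optional[Tuple[date, date]]:
    """Interval in which the config could have been pulled: opens when the interface
    was exposed and a config-disclosure bug was public, closes at patch (or today)."""
    if d.exposed_since is None:
        return None
    start = max(d.exposed_since, CONFIG_EXPOSURE_START)
    end = d.firmware_patched_on or today
    return (start, end) if start < end else None

def verdict(d: Device, today: date) -> str:
    """'ok', 'rotate' or 'patch_and_rotate'. Patching closes the collection path but
    does not invalidate hashes already harvested, so a rotation only counts if it
    happened after the window closed."""
    window = harvest_window(d, today)
    if window is None:
        return "ok"
    if d.firmware_patched_on is None:
        return "patch_and_rotate"
    if d.admin_creds_rotated_on is None or d.admin_creds_rotated_on < window[1]:
        return "rotate"
    return "ok"

def triage(devices, today: date) -> dict:
    return {d.name: verdict(d, today) for d in devices}

# Constructed sample inventory (not real devices).
SAMPLE = [
    Device("fw-clinic-a", date(2021, 3, 1), date(2023, 1, 15), date(2022, 12, 1)),  # rotated before patch
    Device("fw-clinic-b", date(2021, 3, 1), None, date(2024, 6, 1)),                # still unpatched
    Device("fw-clinic-c", None, None, None),                                        # never exposed
    Device("fw-clinic-d", date(2023, 6, 1), date(2024, 3, 1), date(2024, 3, 5)),    # rotated after patch
    Device("fw-clinic-e", date(2022, 1, 1), date(2022, 10, 5), None),               # patched before disclosure
]
```

Running `triage(SAMPLE, date.today())` flags fw-clinic-a for rotation and fw-clinic-b for both actions; the remaining three are cleared, including fw-clinic-e, whose patch predates the disclosure so no window ever opened.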

Where independent practices should focus immediately

For smaller practices and independent health systems that manage their own network perimeter equipment, the priority actions are narrow and concrete:

Organizations that rely on managed service providers or managed security service providers for perimeter device management should confirm in writing that the provider has completed credential rotation and firmware verification, and should request log evidence of the check rather than accepting verbal assurance.