A large-scale credential compromise campaign targeting Fortinet FortiGate firewalls — dubbed FortiBleed by researchers at Arctic Wolf — came to light in mid-June 2026, with threat actors systematically pulling configuration files from internet-exposed devices and cracking the stored password hashes inside them. Estimates place the number of devices with verified, working administrator credentials between 30,000 and 75,000, spread across 194 countries. Healthcare organizations that rely on FortiGate appliances for network perimeter control are directly exposed to this campaign, because a cracked administrator credential gives an attacker the same level of access as the organization's own network team.

What the attackers are doing

The technique does not require exploiting an unknown vulnerability in real time. Instead, threat actors are harvesting configuration files from FortiGate devices that are reachable from the public internet — files that contain hashed administrator credentials — and then cracking those hashes offline at scale. Once cracked, the credentials can be used to log in directly to the management interface of the firewall.

The scale distinguishes this campaign from routine opportunistic scanning. Tens of thousands of devices with confirmed working credentials represent a ready-made inventory that attackers can sell, use for initial access brokerage, or deploy as a staging network for subsequent intrusions. Healthcare organizations represent a high-value segment of that inventory because of the sensitivity of the data held behind those perimeter devices and the operational pressure that discourages downtime during incident response.

Why this matters specifically for healthcare networks

Firewall appliances sit at the boundary between clinical networks and the internet, often controlling access to EHR systems, medical imaging archives, connected medical devices, and remote-access infrastructure for telehealth and staff VPN. Administrator-level control of that boundary device allows an attacker to create new accounts, alter routing rules, disable logging, or establish persistent tunnels — all before touching any internal system that a security monitoring platform would observe.
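The actions listed above (logins from unexpected sources, new administrator accounts, logging turned off) are all visible in the firewall's own event log if someone is looking. The following is an added example, not code from the article or from Fortinet: a small detector run over constructed log lines written in FortiGate's key=value event-log style. The field names `logdesc`, `cfgpath`, `cfgattr` and `srcip` are real FortiGate log fields, but the specific values, timestamps and IP addresses are made up for the example, and the administrative allowlist network is an assumption.

```python
import re
import ipaddress

# Constructed sample event-log lines in FortiGate's key=value style.
# The user names, IPs and timestamps are made up for this example.
SAMPLE_LOGS = [
    'date=2026-06-15 time=08:02:11 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="netops" ui="https(10.255.0.20)" method="https" '
    'srcip=10.255.0.20 action="login" status="success"',
    'date=2026-06-15 time=23:41:07 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" method="https" '
    'srcip=198.51.100.77 action="login" status="success"',
    'date=2026-06-15 time=23:42:30 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(198.51.100.77)" '
    'action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr=""',
    'date=2026-06-15 time=23:43:05 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(198.51.100.77)" '
    'action="Edit" cfgpath="log.disk.setting" cfgobj="" cfgattr="status[enable->disable]"',
]

# Assumed out-of-band management network from which admin logins are expected.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.255.0.0/24")]

# Matches key="quoted value" or key=barevalue.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value log line into a dict (quoted and bare values)."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def in_allowlist(ip_text, allowlist):
    """True if the source IP falls inside any allowlisted management network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in allowlist)


def detect(lines, allowlist=ADMIN_ALLOWLIST):
    """Return (timestamp, rule, detail) tuples for events matching three rules:
    admin login from outside the allowlist, admin account creation, logging disabled."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        when = f'{ev.get("date")} {ev.get("time")}'
        if ev.get("logdesc") == "Admin login successful" and ev.get("srcip"):
            if not in_allowlist(ev["srcip"], allowlist):
                alerts.append((when, "admin-login-outside-allowlist",
                               f'{ev.get("user")} from {ev["srcip"]}'))
        if ev.get("logdesc") == "Object attribute configured":
            if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
                alerts.append((when, "admin-account-created",
                               f'{ev.get("user")} added admin {ev.get("cfgobj")}'))
            if ev.get("cfgpath", "").startswith("log.") and "->disable" in ev.get("cfgattr", ""):
                alerts.append((when, "logging-disabled",
                               f'{ev.get("user")} changed {ev["cfgpath"]}: {ev["cfgattr"]}'))
    return alerts


if __name__ == "__main__":
    for when, rule, detail in detect(SAMPLE_LOGS):
        print(f"{when}  {rule:32s} {detail}")
```

Run against the constructed sample, the daytime login from the management network produces nothing, while the late-night login from an external address and the two configuration changes that follow it each raise an alert. In practice the same three rules belong in whatever SIEM or syslog collector the firewall already forwards to; the point is that these events are logged by default and only need a consumer.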

Healthcare organizations also tend to run long device-refresh cycles. An appliance purchased five or six years ago and still running firmware from that era may carry known configuration weaknesses that make hash cracking faster, or that store credentials in a format more susceptible to offline attack. The combination of internet-exposed management interfaces and inconsistent firmware update discipline creates a durable attack surface.

What independent practices should check

The immediate priority is identifying whether any FortiGate management interface is reachable from the public internet. Management consoles should be accessible only through a dedicated out-of-band management network or, at minimum, restricted to a narrow allowlist of administrative IP addresses — never exposed to the general internet.

Beyond access restrictions, three checks are directly relevant to this campaign:

What this signals about the next 12 months

The FortiBleed campaign fits a pattern that has been building since 2023: attackers treating network edge devices — firewalls, VPN concentrators, secure access gateways — as the primary entry point rather than end-user phishing. These devices are often excluded from the patch-and-monitor discipline applied to servers and workstations, and their management interfaces carry privileges that, once compromised, make the rest of the network largely transparent to an attacker.

For compliance officers at independent practices, the practical consequence is that HIPAA's technical safeguard requirements for access control and audit controls apply to network infrastructure, not just to application-layer systems handling protected health information directly. A compromised firewall is a compromised access control mechanism, and OCR enforcement history shows that perimeter failures are scrutinized during breach investigations regardless of where the PHI ultimately resided.