Researchers at Arctic Wolf disclosed in mid-June 2026 that threat actors had been systematically pulling configuration files from internet-facing Fortinet FortiGate firewalls and cracking the password hashes stored inside them. The result of the campaign, referred to below as FortiBleed, is a pool of verified, working administrator credentials covering devices in 194 countries, with affected device counts estimated between 30,000 and 75,000. FortiGate appliances are among the most widely deployed perimeter firewalls in US healthcare, making the campaign a direct concern for hospitals, health systems, and independent practices that use the devices to segment clinical networks and protect electronic protected health information.
What the attackers actually did
The technique is straightforward but consequential. A FortiGate device stores its configuration, including the hashed passwords of its local administrator accounts, in a single exportable file. Attackers in this campaign extracted those configuration files at scale from internet-facing devices, then ran offline cracking operations against the hashes. Offline cracking never touches the device: account lockout, rate limiting and failed-login alerting do not apply, the guess rate is bounded only by the attacker's hardware, and a password recovered from the hash stays valid until it is changed. Even moderately complex passwords can therefore be recovered given enough compute time.
Once cracked, those credentials give an attacker full administrative access to the firewall: the ability to open ports, disable logging, create VPN tunnels, or pivot directly into the network segment behind the device. In a healthcare environment, that segment typically contains EHR servers, medical imaging systems, and other infrastructure whose compromise would trigger HIPAA breach-notification obligations.
The campaign's geographic breadth — 194 countries — signals automation rather than targeted intrusion. Researchers characterize it as a systematic sweep of all internet-reachable FortiGate devices, not a campaign directed at any particular sector. Healthcare organizations should not interpret the broad scope as evidence they are unlikely to be affected; mass-scale sweeps capture every reachable device indiscriminately.
The structural exposure for healthcare networks
FortiGate appliances appear at the perimeter of a large share of US healthcare networks, including many independent and specialty practices that adopted the platform during telehealth expansion and are not running dedicated security operations staff. Several factors compound the risk in that segment:
- Default or weak administrator passwords. Smaller practices frequently deploy firewall appliances with vendor-supplied default credentials or passwords that were set at implementation and never rotated. Those hashes crack quickly.
- Internet-facing management interfaces. Firewall management consoles left reachable from the public internet — rather than restricted to internal management VLANs — are the prerequisite for this class of attack. HIPAA's Security Rule technical-safeguard requirements implicitly require limiting such exposure, but audit findings consistently show the restriction is often skipped in smaller environments.
- Delayed patching cycles. Healthcare organizations running FortiGate on a standard IT patching calendar — quarterly or longer — may be running firmware versions with known vulnerabilities that assisted the configuration-file extraction stage of this attack.
What the HIPAA Security Rule requires here
The HIPAA Security Rule does not mandate any specific firewall brand or configuration, but its requirements map directly onto the controls that would reduce exposure from FortiBleed. The access-control standard (45 CFR 164.312(a)) requires unique user identification and emergency-access procedures; shared or default admin accounts violate that standard. The audit-control standard (164.312(b)) requires mechanisms that record and examine activity in systems containing or using ePHI. Logs that exist only on the firewall do not satisfy it against this threat, because an attacker holding admin credentials can disable or clear them; the requirement is met in practice only when the firewall forwards its logs in real time to an external system that the firewall administrator cannot silence. The integrity standard (164.312(c)) requires protection against improper alteration of ePHI, which is undermined when an attacker with admin firewall access can alter routing or access rules silently.
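What an off-device audit trail buys you is the ability to detect the actions described earlier (an admin login from an unexpected source, logging switched off, a new admin account or VPN configuration) and to notice when a device simply goes quiet. The following is an added example, not code from the article, Arctic Wolf, or Fortinet: three detections run over FortiGate-style event logs as they would arrive at an external syslog collector. The log lines are constructed for illustration in FortiGate's key=value event format, and TRUSTED_MGMT is an assumed management subnet.

```python
"""Detections over FortiGate event logs forwarded to an external collector:
admin logins from outside the management network, configuration changes to
logging / admin accounts / VPN / policy, and devices that stop reporting.
Added example; SAMPLE_LOGS are constructed lines, TRUSTED_MGMT is assumed."""
import ipaddress
import re
from datetime import datetime, timedelta

TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]  # assumption: management VLAN

# cfgpath prefixes whose modification is high-signal right after a credential
# compromise: the attacker's first moves are usually to silence logs, add an
# account, or open a path in.
SENSITIVE_CFGPATH_PREFIXES = ("log.", "system.admin", "vpn.", "firewall.policy")

SAMPLE_LOGS = [  # constructed, not captured from a real device
    'date=2026-06-15 time=02:13:44 devname="HOSP-FGT-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(198.51.100.23)" srcip=198.51.100.23 dstip=203.0.113.10 action="login" status="success"',
    'date=2026-06-15 time=02:14:10 devname="HOSP-FGT-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Attribute configured" user="admin" '
    'ui="https(198.51.100.23)" action="Edit" cfgpath="log.syslogd.setting" '
    'cfgattr="status[enable->disable]" msg="Attribute configured"',
    'date=2026-06-15 time=02:15:02 devname="HOSP-FGT-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="admin" '
    'ui="https(198.51.100.23)" action="Add" cfgpath="system.admin" cfgobj="svc-backup" '
    'msg="Add system.admin svc-backup"',
    'date=2026-06-15 time=08:01:37 devname="HOSP-FGT-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="netops" '
    'ui="ssh(10.10.0.15)" srcip=10.10.0.15 dstip=192.168.1.99 action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Split one FortiGate event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines, trusted=TRUSTED_MGMT):
    """Return (rule, user, detail) alerts for untrusted admin logins and
    sensitive configuration changes."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        src = ev.get("srcip")
        if ev.get("action") == "login" and ev.get("status") == "success" and src:
            if not any(ipaddress.ip_address(src) in net for net in trusted):
                alerts.append(("admin-login-untrusted-source", ev.get("user"), src))
        path = ev.get("cfgpath", "")
        if path.startswith(SENSITIVE_CFGPATH_PREFIXES):
            detail = f"{path} {ev.get('cfgattr') or ev.get('cfgobj', '')}".strip()
            alerts.append(("sensitive-config-change", ev.get("user"), detail))
    return alerts


def silent_devices(lines, now, max_gap_min=15):
    """Devices whose newest event is older than max_gap_min: a firewall that is
    up but has stopped sending is exactly what disabled logging looks like
    from the collector's side."""
    last = {}
    for line in lines:
        ev = parse_event(line)
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        last[ev["devname"]] = max(last.get(ev["devname"], ts), ts)
    return sorted(d for d, ts in last.items() if now - ts > timedelta(minutes=max_gap_min))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
    print("silent:", silent_devices(SAMPLE_LOGS, datetime(2026, 6, 15, 8, 30)))
```

The silence check is the one that survives a full compromise: an attacker who disables log forwarding cannot also prevent the collector from noticing that the device stopped talking, provided something alerts on the gap.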
Covered entities and business associates that have not yet confirmed whether their FortiGate devices were exposed should treat that verification as an immediate priority, not a scheduled maintenance item. OCR has cited failure to conduct timely risk analysis following known threat disclosures as a contributing factor in civil-money-penalty determinations.
Where independent practices should focus first
The most time-sensitive actions following this disclosure fall into three areas:
- Confirm management-interface exposure. Determine immediately whether the firewall's administrative interface is reachable from the public internet. If it is, restrict access to a defined internal IP range or a dedicated out-of-band management network.
- Rotate all administrative credentials. Assume any credential stored in a configuration file on an internet-exposed device is compromised. Rotation should apply to every local account on the device, not only the primary admin account.
- Review firmware version and apply available patches. Fortinet has issued advisories related to the configuration-exposure vector; organizations should verify they are running a patched firmware release and confirm that automatic update mechanisms, if available, are enabled and functioning.
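The first two steps can be checked offline against a configuration backup before anyone logs in to the device, which also avoids touching a possibly compromised firewall until the findings are known. The following is an added example, not code from the article or from Fortinet: it parses the config/edit/set structure of a FortiOS backup, flags management services (https, http, ssh, telnet) allowed on a WAN-role or publicly addressed interface and local admin accounts that carry no trusthost restriction, and emits the CLI to close both gaps. SAMPLE_CONFIG is a constructed excerpt and MGMT_NET is an assumed management subnet; password rotation is deliberately left to be done interactively rather than scripted.

```python
"""Offline audit of a FortiGate configuration backup for exposed management
interfaces and unrestricted local admin accounts, plus remediation CLI.
Added example, not Fortinet tooling. SAMPLE_CONFIG is constructed and
MGMT_NET is an assumed internal management subnet."""
import ipaddress
import shlex

# Services that present a login surface; ping, fgfm and snmp are not logins.
MGMT_SERVICES = {"https", "http", "ssh", "telnet"}
MGMT_NET = "10.10.0.0 255.255.255.0"  # assumption: the practice's management VLAN

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <redacted>
    next
    edit "helpdesk"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC <redacted>
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end into {section: {entry: {attr: [values]}}}.
    Config blocks nested inside an entry are kept under the outermost entry
    with a space-joined section path."""
    tree = {}
    sections = []   # open "config ..." block names
    entries = []    # current "edit" name per open block, None outside an edit
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw = tok[0]
        if kw == "config":
            sections.append(" ".join(tok[1:]))
            entries.append(None)
        elif kw == "edit":
            entries[-1] = tok[1]
        elif kw == "next":
            entries[-1] = None
        elif kw == "end":
            sections.pop()
            entries.pop()
        elif kw in ("set", "append"):
            tree.setdefault(" ".join(sections), {}).setdefault(entries[0], {})[tok[1]] = tok[2:]
    return tree


def find_exposed_management(cfg):
    """Interfaces that allow a management login service and face the internet:
    role wan, or a globally routable address when the role attribute is absent."""
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = sorted(set(attrs.get("allowaccess", [])) & MGMT_SERVICES)
        role = attrs.get("role", ["undefined"])[0]
        addr = attrs.get("ip", [""])[0]
        is_public = bool(addr) and ipaddress.ip_address(addr).is_global
        if exposed and (role == "wan" or is_public):
            findings.append((name, exposed))
    return findings


def find_unrestricted_admins(cfg):
    """Local admins with no trusthostN entry: a cracked password for these
    accounts works from any source the interface accepts."""
    admins = cfg.get("system admin", {})
    return sorted(n for n, a in admins.items() if not any(k.startswith("trusthost") for k in a))


def remediation_cli(cfg):
    """FortiOS CLI that strips login services from exposed interfaces and pins
    each unrestricted admin to MGMT_NET. Rotate passwords interactively after."""
    out = []
    exposed = find_exposed_management(cfg)
    if exposed:
        out.append("config system interface")
        for name, _ in exposed:
            keep = [s for s in cfg["system interface"][name].get("allowaccess", []) if s not in MGMT_SERVICES]
            out += [f'    edit "{name}"',
                    f"        set allowaccess {' '.join(keep)}" if keep else "        unset allowaccess",
                    "    next"]
        out.append("end")
    admins = find_unrestricted_admins(cfg)
    if admins:
        out.append("config system admin")
        for name in admins:
            out += [f'    edit "{name}"', f"        set trusthost1 {MGMT_NET}", "    next"]
        out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("exposed management:", find_exposed_management(cfg))
    print("unrestricted admins:", find_unrestricted_admins(cfg))
    print(remediation_cli(cfg))
```

Run it against a backup exported before any changes are made, so the findings can be compared with the post-remediation export. The trusthost pin is only a partial mitigation: it limits where a cracked credential can be used from, but does not replace rotating it.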
Organizations that cannot complete these steps internally should engage a qualified managed security provider or healthcare IT consultant. The credential pool created by FortiBleed will be circulated and sold; the window between disclosure and active exploitation of cracked credentials is typically short.