A campaign researchers are calling FortiBleed has moved beyond theoretical risk: threat actors have been systematically pulling configuration files from internet-facing Fortinet FortiGate firewalls, cracking the credential hashes stored in those files, and accumulating verified working administrator passwords at scale. Arctic Wolf researchers identified the activity in mid-June 2026, estimating that between 30,000 and 75,000 devices are affected across 194 countries. FortiGate appliances are widely deployed as network perimeter controls in hospitals, health systems, and independent practices, making this campaign directly relevant to healthcare security teams.

What the attackers are doing

The technique does not require a zero-day exploit at the point of entry. Attackers are retrieving configuration files from exposed management interfaces — a method that has surfaced in prior Fortinet-related campaigns — and then performing offline hash-cracking against the credential material embedded in those files. Offline cracking removes the attacker from any rate-limiting or lockout controls the device itself might enforce.

Once hashes are cracked, the result is a plain-text administrator credential that can be used to log directly into the firewall. At that level of access, an attacker can modify routing rules, disable logging, create VPN tunnels, or pivot to internal network segments — including those hosting electronic health record systems, medical devices, and clinical workstations.

Why healthcare networks face elevated exposure

Healthcare organizations are disproportionately reliant on perimeter firewalls as a primary control layer. Many smaller and mid-size practices have not implemented network segmentation deep enough to contain damage if the perimeter device itself is compromised. An attacker with firewall administrator access is, in practical terms, an attacker with visibility into the full network topology.

FortiGate devices are also frequently configured once and then left with infrequent credential rotation. In environments where the original deployment credentials have not changed in years, a cracked hash is a durable point of entry rather than a time-limited one: the recovered password stays valid until it is changed, and because the cracking happens offline, nothing on the device records that its hash was ever attacked.

The geographic breadth — 194 countries — signals automated, opportunistic scanning rather than targeted intrusion. That pattern means organizations that consider themselves low-profile are not excluded from exposure.

What security and compliance teams should check immediately

The immediate response priorities for any organization running FortiGate devices fall into four areas:

What this signals for the next several months

Credential-harvesting campaigns against network infrastructure tend to produce delayed consequences. Actors who obtained working credentials in June 2026 may not use them immediately; some will hold the access or sell it, others will use it in a later operation. Healthcare organizations that patch or rotate credentials now but do not check whether their devices were already accessed during the active campaign window leave the question of prior compromise unresolved. Rotating the cracked password also does nothing about an administrator account or VPN user that an attacker added while the credential was valid, so that review has to cover the device's admin and VPN configuration as well as its login history.
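One way to do that check on a log export, added here as an example and not part of the original article, the Arctic Wolf research, or any Fortinet tooling: the script below parses FortiGate-style key=value event-log lines and flags, within a campaign window the team sets for itself, successful administrator logins from outside the trusted management networks and logging-configuration changes made from such sessions. The sample log lines, the trusted network, the window, the logid values and the ui="https(ip)" layout used to recover the source of a config-change record are constructed assumptions for the example; the key=value field style is FortiGate's own.

```python
"""Review a FortiGate event-log export for signs that a harvested credential was
used during the campaign window: successful admin logins from outside the
trusted management networks, and logging changes made from such sessions.
The log lines are constructed for this example in FortiGate's key=value
event-log style; the logid values and the ui="https(ip)" layout are assumed."""
import ipaddress
import re
from datetime import datetime

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Assumptions a team sets for its own review: where admins legitimately come
# from, and the window in which the campaign was collecting credentials.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
CAMPAIGN_WINDOW = (datetime(2026, 6, 1), datetime(2026, 6, 30, 23, 59, 59))

# Constructed sample: one login before the window, one untrusted login followed
# by a logging change in the window, and a legitimate login plus change from
# the management network.
SAMPLE_LOG = """\
date=2026-05-20 time=22:41:03 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(198.51.100.9)" method="https" srcip=198.51.100.9 dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(198.51.100.9)"
date=2026-06-12 time=03:14:07 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(203.0.113.77)"
date=2026-06-12 time=03:15:40 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" action="Edit" cfgtid=1048 cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2026-06-12 time=09:00:01 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="helpdesk" ui="https(10.10.0.5)" method="https" srcip=10.10.0.5 dstip=10.10.0.1 action="login" status="success" reason="none" profile="prof_admin" msg="Administrator helpdesk logged in successfully from https(10.10.0.5)"
date=2026-06-12 time=09:02:15 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="helpdesk" ui="https(10.10.0.5)" action="Edit" cfgtid=1049 cfgpath="log.syslogd.setting" cfgattr="server[10.10.0.9->10.10.0.20]" msg="Edit log.syslogd.setting"
"""


def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def session_source(rec):
    """Source address of the session: srcip when present (login records),
    otherwise the address inside ui="https(x.x.x.x)" (config-change records)."""
    if "srcip" in rec:
        return rec["srcip"]
    match = UI_IP_RE.search(rec.get("ui", ""))
    return match.group(1) if match else None


def from_trusted_net(ip, trusted_nets):
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in trusted_nets)


def review(log_text, trusted_nets=TRUSTED_MGMT_NETS, window=CAMPAIGN_WINDOW):
    """Return (kind, timestamp, user, source) tuples for events inside the window
    that warrant a prior-compromise investigation, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "event":
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        if not window[0] <= ts <= window[1]:
            continue
        src = session_source(rec)
        if from_trusted_net(src, trusted_nets):
            continue  # sessions from the management network are expected
        if rec.get("action") == "login" and rec.get("status") == "success":
            findings.append(("admin_login_from_untrusted_source", ts, rec.get("user"), src))
        elif rec.get("action") == "Edit" and rec.get("cfgpath", "").startswith("log."):
            # the "disable logging" step: any logging change from an untrusted session
            findings.append(("logging_config_changed_from_untrusted_source", ts, rec.get("user"), src))
    return findings


if __name__ == "__main__":
    for kind, ts, user, src in review(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<45} user={user} source={src}")
```

The window filter is there to scope a first pass, not to excuse earlier activity: the May login from an unrecognised address in the sample is dropped only because the window starts in June, and widening `CAMPAIGN_WINDOW` brings it back. Successful first-try logins from a new source are the signature of a credential that was cracked rather than guessed, which is why the script keys on successes rather than on failed-login bursts.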

The FortiBleed activity also fits a documented pattern in which configuration-file extraction from exposed management interfaces is treated as a low-cost, high-yield reconnaissance method. As long as firewall management interfaces remain internet-accessible, similar campaigns targeting the same or different vendors will recur. The structural fix — restricting management-plane access to out-of-band or VPN-gated paths — addresses the exposure class, not just this specific incident.
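As an added example that is not from the original article, the Arctic Wolf research, or Fortinet, the following Python script triages a FortiGate configuration dump for this exposure class and for the 'set password ENC ...' lines that are the offline-crackable credential material described under "What the attackers are doing". The constructed EXPOSED_CONFIG has HTTPS and SSH enabled on the WAN interface and a super_admin account with no trusthost restriction; HARDENED_CONFIG is the same device after the structural fix, with management removed from the WAN interface and the account pinned to the internal management network. The interface and account names, addresses and hash strings are constructed for the example; the FortiOS CLI layout (config/edit/set/next/end, allowaccess, trusthost) is real.

```python
"""Triage a FortiGate configuration dump for the two conditions the campaign
relies on: management protocols reachable on a public-facing interface, and
administrator accounts whose 'set password ENC ...' hashes are crackable
offline by anyone who obtains the file. Config text is constructed for this
example in FortiOS CLI layout; the hash strings are placeholders."""
import ipaddress

MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Constructed: wan1 exposes HTTPS/SSH and "admin" has no trusthost restriction.
EXPOSED_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "port2"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AK1placeholderHashNotReal
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC AK1anotherPlaceholderHash
    next
end
"""

# Constructed: the same device after the structural fix. Management is removed
# from wan1 and "admin" is pinned to the internal management network.
HARDENED_CONFIG = EXPOSED_CONFIG.replace(
    "set allowaccess ping https ssh\n        set role wan",
    "set allowaccess ping\n        set role wan",
).replace(
    'set accprofile "super_admin"\n',
    'set accprofile "super_admin"\n        set trusthost1 10.10.0.0 255.255.255.0\n',
)


def parse_sections(text):
    """Parse top-level 'config <section>' / 'edit <name>' / 'set <key> <value>'
    blocks into {section: {entry: {key: value}}}; nested config blocks inside
    an entry are skipped rather than modelled."""
    sections, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if nested:
            nested += 1 if line.startswith("config ") else -1 if line == "end" else 0
        elif line.startswith("config ") and entry is not None:
            nested = 1
        elif line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def admin_hashes(sections):
    """Credential material an attacker would feed to an offline cracker:
    {admin_name: hash} for every 'set password ENC <hash>' line."""
    return {name: a["password"].split(" ", 1)[1]
            for name, a in sections.get("system admin", {}).items()
            if a.get("password", "").startswith("ENC ")}


def audit(config_text):
    """Findings for the exposure conditions; an empty list means none found."""
    cfg = parse_sections(config_text)
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        mgmt = sorted(set(iface.get("allowaccess", "").split()) & MGMT_PROTOCOLS)
        addr = iface.get("ip", "").split()[:1]
        public = bool(addr) and not ipaddress.ip_address(addr[0]).is_private
        # 'set role wan' is the decisive signal: Python's is_private also covers
        # documentation ranges such as 203.0.113.0/24, so the address test alone
        # would miss the sample's wan1.
        if mgmt and (iface.get("role") == "wan" or public):
            findings.append(f"interface {name}: {', '.join(mgmt)} reachable on a public-facing interface")
    hashes = admin_hashes(cfg)
    for name, admin in cfg.get("system admin", {}).items():
        restricted = any(k.startswith("trusthost") and v != "0.0.0.0 0.0.0.0"
                         for k, v in admin.items())
        if name in hashes and not restricted:
            findings.append(f"admin {name}: ENC hash present and no trusthost, so a cracked hash works from any source")
    return findings
```

Running `audit(EXPOSED_CONFIG)` returns two findings (the WAN interface and the unrestricted admin) and `audit(HARDENED_CONFIG)` returns none. A trusthost restriction does not make the hash uncrackable; it means a cracked password is only usable from the listed networks, which is the same principle as taking the management plane off the internet, applied per account.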