Security researchers identified an active, large-scale credential compromise campaign against Fortinet FortiGate firewalls in mid-June 2026, extracting configuration files from internet-facing devices and cracking stored credential hashes. Researchers estimate the operation — now tracked as FortiBleed — has produced verified, working administrator credentials for between 30,000 and 75,000 devices spanning 194 countries. FortiGate appliances are widely deployed as perimeter firewalls and VPN endpoints across independent physician practices, regional hospital systems, and healthcare-adjacent vendors, making the campaign directly relevant to covered entities and business associates that have not yet audited their exposure.

What the campaign does

Threat actors behind FortiBleed are not exploiting a single zero-day but are instead systematically harvesting configuration files from devices exposed to the public internet. Those configuration files contain hashed administrative credentials. Once extracted, the hashes are cracked offline and the resulting plaintext passwords are validated against live devices.

The approach is notable because it bypasses detection controls that look for brute-force login attempts. Because the credential cracking happens entirely off-device, there is no failed-login noise to trigger alerts. By the time an adversary authenticates, they are presenting a valid username and password — activity that looks, to most logging systems, like a routine administrative session.
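As an added illustration (not code from the original report or from Fortinet), the following Python sketch shows the kind of detection logic that compensates for the missing failed-login signal: it parses constructed FortiGate-style key=value admin login events and flags successful administrator logins from sources outside an assumed management allowlist, recording how many failed attempts preceded each one. The log field names, sample events and allowlist ranges are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FortiGate-style admin event lines (key=value); not output from a real device.
SAMPLE_LOGS = [
    'date=2026-06-15 time=02:14:03 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.45 profile="super_admin"',
    'date=2026-06-15 time=09:01:10 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.20.0.5 profile="super_admin"',
    'date=2026-06-15 time=09:05:44 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 profile="super_admin"',
    'date=2026-06-15 time=11:30:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.45 profile="super_admin"',
]

# Assumed management allowlist: the practice's internal management subnet and one vendor jump host.
ALLOWED_MGMT = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("192.0.2.10/32")]

# Matches key=value pairs where the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_valid_credential_logins(lines, allowed):
    """Return successful admin logins whose source lies outside the management allowlist.

    Failed attempts from each source are counted first so every finding carries a
    prior_failures value: zero prior failures plus an unexpected source is exactly the
    low-noise pattern that offline-cracked credentials produce.
    """
    failures = defaultdict(int)
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        src = ipaddress.ip_address(ev["srcip"])
        if ev.get("status") == "failed":
            failures[src] += 1
            continue
        if any(src in net for net in allowed):
            continue  # expected management source; not a finding
        findings.append({
            "time": f'{ev.get("date", "?")} {ev.get("time", "?")}',
            "user": ev.get("user", "?"),
            "srcip": str(src),
            "prior_failures": failures[src],
        })
    return findings


if __name__ == "__main__":
    for f in flag_valid_credential_logins(SAMPLE_LOGS, ALLOWED_MGMT):
        print(f)
```

On the constructed sample the two logins from 203.0.113.45 are flagged with zero prior failures, while the internal login and the single failed attempt are not.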

Verified credentials at the firewall administrator level grant access to device configuration, VPN user databases, network segmentation rules, and — depending on how a practice's infrastructure is arranged — potentially a path into clinical systems behind the perimeter.

Why healthcare networks face elevated risk

Healthcare organizations are disproportionately dependent on perimeter firewalls as a primary boundary between clinical networks and the internet. Many smaller and mid-sized practices have not implemented the internal segmentation or zero-trust controls that would limit what an attacker with valid firewall credentials could reach.

FortiGate devices are also common at managed service providers and IT vendors that serve multiple healthcare clients under a single administrative pane. A single compromised MSP-managed device can represent exposure across a portfolio of covered entities, each with its own HIPAA obligations and breach-notification timelines. Business associate agreements do not transfer the operational risk; they only assign contractual responsibility after a breach has occurred.

The HIPAA Security Rule's access control standard (45 C.F.R. § 164.312(a)) requires covered entities to assign unique user identification and establish procedures for obtaining access to electronic protected health information. Shared or default administrative credentials on network perimeter devices — a finding common in post-breach forensics — would represent a failure of that standard if ePHI is reachable through the compromised device.

What independent practices should check now

The immediate priority is determining whether any FortiGate appliance in the organization's environment — including devices managed by a third-party IT vendor — is internet-facing with a management interface exposed on a public IP address.

Key steps consistent with the current threat:

What this signals for the next 12 months

FortiBleed is consistent with a pattern researchers have documented across several recent campaigns: adversaries are moving from opportunistic exploitation of publicly disclosed CVEs toward systematic, lower-noise harvesting of credentials embedded in device configurations. The technique scales well and produces reliable access without triggering the patch-urgency response that a headline vulnerability generates.

For compliance officers, the practical implication is that patch currency alone is insufficient as a perimeter control measure. The harvested configuration files in FortiBleed appear to have come from devices that were not necessarily unpatched — they were simply exposed. Regular review of which management interfaces are reachable from the internet, combined with enforced credential rotation schedules and multi-factor authentication on administrative accounts, addresses the attack surface that this campaign exploited regardless of which firewall vendor is in use.