Security researchers identified an active campaign in mid-June 2026 that has systematically pulled configuration files from internet-facing Fortinet FortiGate firewalls and cracked the stored credential hashes inside them. Dubbed FortiBleed, the operation has produced verified, working administrator credentials for an estimated 30,000 to 75,000 devices spanning 194 countries. Healthcare organizations that use FortiGate appliances as perimeter firewalls or VPN gateways are directly in the affected population.
What the attack does
FortiBleed is not a single intrusion — it is a harvesting operation conducted at scale. Threat actors obtain configuration files from devices exposed to the internet, then run offline password-cracking against the credential hashes those files contain. The result is a ready-made list of administrator usernames and passwords that can be used for direct, authenticated access.
The significance of administrator-level access is hard to overstate for clinical environments. A firewall with compromised admin credentials can be reconfigured to permit inbound connections, disable logging, create rogue VPN tunnels, or serve as a pivot point into systems that hold electronic health records and medical devices.
Why healthcare networks face elevated risk
Healthcare organizations operate some of the largest per-facility firewall deployments of any industry vertical, often with appliances at hospital campuses, clinic sites, and remote-worker VPN endpoints all managed under a single administrative pane. A single cracked credential set can therefore open multiple sites simultaneously.
Clinical environments also carry a specific compliance dimension. Under the HIPAA Security Rule, covered entities and business associates must implement technical controls — including access controls, audit controls, and transmission security — across all systems that touch protected health information. A firewall whose administrative account has been compromised represents a failure point for each of those requirements, not just a network risk.
The immediate control priorities
Organizations running FortiGate appliances should treat this campaign as an active threat and move quickly on a short list of controls:
- Credential rotation. Change every administrator password on every FortiGate, starting with internet-facing appliances and VPN concentrators. Rotation is required even on fully patched devices: a hash that has already left the device stays crackable until the password behind it changes, and patching does nothing to the copy the attacker holds.
- Multi-factor authentication on administrative interfaces. If MFA is not already enforced for firewall administration, enabling it closes the most direct path from a cracked hash to a logged-in attacker.
- Configuration file access review. Confirm that configuration exports are limited to the accounts and hosts that need them, and check device logs for backup or download events you cannot account for. A backup carries the administrator password hashes, so every copy of it, including copies sitting in ticketing systems, shared drives or mailboxes, has to be handled as a credential store.
- Management interface exposure. Administrative services (HTTPS, SSH) should not be reachable from the public internet. Restrict them to specific management address ranges, both on the interface and per administrator account, or move them behind a jump host entirely.
- Patch and firmware currency. Compare running firmware against Fortinet's published advisories. Prior FortiGate vulnerabilities were used in earlier credential-extraction campaigns, so an unpatched device is exposed both to the original extraction path and to reuse of anything already harvested from it.
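The configuration-review, management-exposure and per-account checks above can be run offline against a copy of the device's own backup, which is the same artifact the attackers are working from. The script below is an added example, not code from the original article or from Fortinet: it parses the text layout of a FortiOS backup (config / edit / set / next / end blocks), then reports administrator accounts that carry a locally stored password hash, lack a trusted-host restriction, or lack two-factor, and internet-facing interfaces that still accept management services. The sample backup is constructed, the ENC strings are placeholders rather than real hashes, the option names (trusthost1, two-factor, allowaccess, password ENC) are assumed to match the FortiOS CLI, and the set of internet-facing interface names is supplied by the caller.

```python
"""Offline audit of a FortiGate configuration backup (added example, not the
article's or Fortinet's code). Option names follow the FortiOS CLI as assumed
here; check them against a backup taken from your own firmware version."""
import shlex

# Constructed sample backup. ENC values are placeholders, not real FortiOS
# hashes; addresses are documentation ranges.
SAMPLE_CONFIG = """\
#config-version=FGT-example
config system global
    set admin-sport 443
    set admintimeout 5
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1zQ2xvc2VkVmF1bHQ=
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1c2VjcmV0cGFzc3dvcmQ=
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse a backup into nested dicts: section -> entry -> option -> values."""
    root: dict = {}
    stack = [root]                      # top of stack receives 'set' lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # header/comment lines
            continue
        if line.startswith("config "):
            section: dict = {}
            stack[-1][line[7:]] = section
            stack.append(section)
        elif line.startswith("edit "):
            entry: dict = {}
            stack[-1][line[5:].strip('"')] = entry
            stack.append(entry)
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = shlex.split(value)  # handles quoted values
        elif line.startswith("unset "):
            stack[-1].pop(line[6:], None)
    return root


MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def exposed_mgmt_interfaces(cfg: dict, internet_facing: set) -> list:
    """(interface, services) for internet-facing interfaces that allow admin access."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        if name not in internet_facing:
            continue
        exposed = sorted(MGMT_SERVICES & set(iface.get("allowaccess", [])))
        if exposed:
            findings.append((name, exposed))
    return findings


def weak_admin_accounts(cfg: dict) -> dict:
    """account -> issues: local hash present, no trusthost, no two-factor."""
    findings = {}
    for name, acct in cfg.get("system admin", {}).items():
        issues = []
        if acct.get("password", [""])[0] == "ENC":
            issues.append("local password hash in backup")
        if not any(k.startswith("trusthost") for k in acct):
            issues.append("no trusthost restriction")
        if acct.get("two-factor", ["disable"])[0] == "disable":
            issues.append("no two-factor")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for iface, services in exposed_mgmt_interfaces(cfg, {"wan1"}):
        print(f"[exposed] {iface}: {' '.join(services)}")
    for account, issues in weak_admin_accounts(cfg).items():
        print(f"[admin] {account}: {'; '.join(issues)}")
```

Every account that shows "local password hash in backup" is one whose hash the attackers now hold if the backup was taken, so that list is also the rotation list; the other two findings are the per-account controls that limit what a cracked password is worth. Run it across every backup you can locate rather than only the current one, since an old export with a still-valid password is exactly what this campaign monetizes.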
What this signals for perimeter security discipline
FortiBleed follows a pattern seen repeatedly in healthcare-targeting campaigns over the past three years: attackers exploit the gap between when a vulnerability or misconfiguration becomes known and when organizations complete remediation across all their devices. Large, geographically distributed healthcare systems are particularly susceptible to that lag because appliance inventories are harder to audit comprehensively.
The campaign also illustrates a broader shift in attacker methodology. Rather than deploying ransomware immediately upon access, threat actors are now building verified credential inventories that can be monetized later: sold, used for follow-on access, or held in reserve. That means an organization may see no active attack activity even while its credentials are already in adversary hands. Proactive credential rotation and administrative access audits are the controls that address that silent-compromise window directly, because they invalidate credentials an attacker may already hold instead of waiting for the attacker to use them.