FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Published: March 10, 2026 at 12:21 PM EDT

Source: The Hacker News

Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next‑Generation Firewall (NGFW) appliances as entry points to breach victim networks.

The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The security outfit said the campaign has singled out environments tied to healthcare, government, and managed service providers.

“FortiGate network appliances have considerable access to the environments they were installed to protect,” security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne said. “In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”

[Image: Fortinet exploit]

How the Abuse Works

The researchers note that attackers can exploit FortiGate devices through known vulnerabilities (e.g., CVE‑2025‑59718, CVE‑2025‑59719, CVE‑2026‑24858) or misconfigurations. Once inside, they can:

  1. Create privileged accounts – In one incident, attackers breached a FortiGate appliance in November 2025, created a local administrator account named support, and added firewall policies that allowed unrestricted traversal across zones.
  2. Extract configuration files – In February 2026, an attacker extracted a configuration file containing encrypted LDAP service‑account credentials.
  3. Leverage stolen credentials – The attacker authenticated to AD using clear‑text credentials from the fortidcagent service account, decrypted the configuration file, and used the service account to enroll rogue workstations in the domain, enabling deeper access.
  4. Conduct lateral movement and data exfiltration – After gaining a foothold, the threat actor performed network scanning, deployed remote‑access tools (e.g., Pulseway, MeshAgent), and downloaded Java malware from an AWS bucket via PowerShell. The malware, launched through DLL side‑loading, exfiltrated the NTDS.dit file and the SYSTEM registry hive to an external server (172.67.196[.]232) over port 443.

“Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne said.

Notable Incidents

November 2025 – Initial Compromise

  • Attackers created a local admin account support.
  • Four new firewall policies were added, granting unrestricted zone traversal.

February 2026 – Credential Harvesting

  • Configuration file containing encrypted LDAP credentials was extracted.
  • Service‑account credentials were used to enroll rogue workstations and expand access.

Late January 2026 – Malware Deployment

  • Remote‑access tools (Pulseway, MeshAgent) were installed.
  • Java malware, delivered via DLL side‑loading, exfiltrated NTDS.dit and SYSTEM hive.

Impact and Recommendations

NGFW appliances are attractive targets because they sit at the intersection of network monitoring and identity management. Their compromise can expose:

  • Service‑account credentials tied to AD/LDAP.
  • Detailed network topology and configuration data.
  • Paths for lateral movement and data exfiltration.

Mitigation steps recommended by SentinelOne include:

  • Patch promptly – Apply updates for known CVEs (e.g., CVE‑2025‑59718, CVE‑2025‑59719, CVE‑2026‑24858).
  • Review configurations – Disable unnecessary services, enforce strong authentication, and limit privileged accounts.
  • Monitor configuration changes – Alert on creation of new admin accounts or firewall policies.
  • Secure service accounts – Use strong, rotating passwords and restrict their scope.
  • Network segmentation – Isolate firewall management interfaces from the data plane.
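The "monitor configuration changes" recommendation above is the one most directly tied to the November 2025 intrusion (a new local admin named support, followed by four permissive firewall policies). The following is an added example, not code from SentinelOne, Fortinet or The Hacker News, of how a detection pipeline could flag exactly those two events in FortiGate's key=value event logs. The sample log lines are constructed for the example; the field names (cfgpath, cfgobj, cfgattr, action, user, ui) follow the FortiOS configuration-change log schema as I understand it, and the management network 10.0.5.0/24 is an assumed value you would replace with your own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample FortiGate event-log lines (key=value syslog format).
# Field names follow the FortiOS config-change log schema; all values are invented.
SAMPLE_LOGS = [
    'date=2025-11-14 time=03:12:41 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="ssh(203.0.113.7)" action="Add" cfgtid=123 cfgpath="system.admin" cfgobj="support" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin support"',
    'date=2025-11-14 time=03:15:02 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="support" '
    'ui="GUI(203.0.113.7)" action="Add" cfgtid=124 cfgpath="firewall.policy" cfgobj="42" '
    'cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]service[ALL]action[accept]" '
    'msg="Add firewall.policy 42"',
    'date=2025-11-14 time=08:00:10 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="netops" '
    'ui="GUI(10.0.5.21)" action="Edit" cfgtid=125 cfgpath="firewall.address" cfgobj="branch-net" '
    'cfgattr="subnet[10.20.0.0 255.255.0.0]" msg="Edit firewall.address branch-net"',
    'date=2025-11-14 time=09:30:00 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="netops" '
    'ui="https(10.0.5.21)" msg="Administrator netops logged in successfully from https(10.0.5.21)"',
]

# Assumed management network: administrative sessions are expected only from here.
MGMT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted value" or key=bare
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")   # source address inside ui="ssh(x.x.x.x)"
ATTR_RE = re.compile(r"(\w+)\[([^\]]*)\]")                # cfgattr entries look like name[value]


def parse_event(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def is_unrestricted_policy(cfgattr: str) -> bool:
    """True when a policy accepts any interface pair and any address pair (zone traversal)."""
    attrs = dict(ATTR_RE.findall(cfgattr))
    return (
        attrs.get("action") == "accept"
        and attrs.get("srcintf") == "any"
        and attrs.get("dstintf") == "any"
        and attrs.get("srcaddr") == "all"
        and attrs.get("dstaddr") == "all"
    )


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply the detection rules to one parsed event; returns (severity, reason) pairs."""
    alerts: List[Tuple[str, str]] = []
    cfgpath, action, user = event.get("cfgpath", ""), event.get("action", ""), event.get("user", "")

    # Rule 1: a new local administrator account.
    if cfgpath == "system.admin" and action == "Add":
        alerts.append(("high", f"new administrator account '{event.get('cfgobj')}' created by {user}"))

    # Rule 2: a new firewall policy; escalate if it is an any->any accept rule.
    if cfgpath == "firewall.policy" and action == "Add":
        if is_unrestricted_policy(event.get("cfgattr", "")):
            alerts.append(("high", f"firewall policy {event.get('cfgobj')} allows unrestricted zone traversal"))
        else:
            alerts.append(("medium", f"firewall policy {event.get('cfgobj')} added by {user}"))

    # Rule 3: any administrative session from outside the management network.
    match = UI_IP_RE.search(event.get("ui", ""))
    if match and user:
        src = ipaddress.ip_address(match.group(1))
        if not any(src in net for net in MGMT_NETWORKS):
            alerts.append(("medium", f"admin session for '{user}' from non-management address {src}"))
    return alerts


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over a batch of raw log lines; one record per event that alerts."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        alerts = evaluate(event)
        if alerts:
            findings.append({
                "time": f"{event.get('date')} {event.get('time')}",
                "cfgtid": event.get("cfgtid"),
                "alerts": alerts,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        for severity, reason in finding["alerts"]:
            print(f"[{severity.upper()}] {finding['time']} cfgtid={finding['cfgtid']}: {reason}")
```

Against the constructed lines, the first two events alert (the support account and the any->any policy, each also tagged because the session came from outside the assumed management range) and the routine address edit and login from the management network do not. Rule 3 is what makes the segmentation recommendation enforceable in monitoring: once management access is restricted to a known network, any admin session from elsewhere is worth a ticket regardless of what it changed.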

“NGFW appliances have become ubiquitous because they provide strong network monitoring capabilities for organizations by integrating security controls of a firewall with other management features, such as AD,” the report concluded. “However, these devices are high‑value targets for actors with a variety of motivations and skill levels, from state‑aligned actors conducting espionage to financially motivated attacks such as ransomware.”
