
Threat Actors Leverage FortiGate Devices to Gain Access to Sensitive Network Data

  • Mar 10

Key Findings:


  • Attackers are exploiting vulnerabilities or weak credentials in FortiGate Next-Generation Firewall (NGFW) devices to gain initial access to corporate networks.

  • Once inside, the attackers extract configuration files containing service account credentials and information about the internal network structure.

  • The campaign appears to target sectors such as healthcare, government agencies, and managed service providers.

  • Attackers have abused features like Single Sign-On (SSO) and role mapping to gain unauthorized admin access to the FortiGate devices.


Background


Next-generation firewalls (NGFWs), like FortiGate, are widely used because they combine strong network security with features like Active Directory integration. This makes them high-value targets for attackers, from state-sponsored espionage groups to financially motivated criminals.


Exploitation of Vulnerabilities


Attackers have exploited vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 to gain unauthenticated admin access to the FortiGate devices. These flaws allowed them to bypass authentication and access sensitive configuration data.


Abuse of Credentials and Features


In some cases, the attackers were able to create local admin accounts on the FortiGate devices, modify firewall policies, and return periodically to confirm that their access still worked. They then used credentials recovered from the extracted configuration files, which contained the LDAP service account's password in encrypted form, to authenticate to Active Directory and enroll rogue workstations, gaining deeper network access.
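A defender's first check after an incident like this is the configuration backup itself: which local admin accounts exist, and which directory bind credentials are stored in the file. The script below is an added example, not code from the original post or from Fortinet. It parses the `config ... edit ... set ... next ... end` structure of a FortiOS text configuration, lists administrator entries that are not on an allowlist, and lists LDAP servers whose bind password is stored in the backup (FortiOS writes such secrets as `set password ENC <blob>`; the blob is encrypted, but the report shows attackers recovering usable credentials from it, so it must be treated as exposed once the file has left the device). The configuration text, the account names and the IP address are constructed for illustration.

```python
"""Audit a FortiGate configuration backup for rogue admins and stored LDAP bind credentials.

Added example (not from the original post or from Fortinet). The sample
configuration below is constructed; only the FortiOS section names
(``config system admin``, ``config user ldap``) and keywords are real.
"""
import json
import shlex

# Constructed sample: one expected admin, one rogue admin, one LDAP server
# whose bind account password is kept in the backup in encrypted form.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user ldap
    edit "corp-ad"
        set server "10.10.0.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example"
        set password ENC AAAAbbbbExampleCiphertext==
    next
end
"""


def parse_fortios(text):
    """Return {section_path: {entry_name: {key: [values]}}}.

    A stack of (section path, current entry) pairs keeps nested ``config``
    blocks from clobbering the enclosing entry; ``set`` lines outside an
    ``edit`` entry are ignored because this audit only needs table rows.
    """
    sections = {}
    stack = []  # [section_path, current_entry] per open config block
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # honours the quoting FortiOS uses
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            path = " ".join(args)
            sections.setdefault(path, {})
            stack.append([path, None])
        elif keyword == "end":
            stack.pop()
        elif keyword == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif keyword == "next":
            stack[-1][1] = None
        elif keyword == "set":
            path, entry = stack[-1]
            if entry is not None:
                sections[path][entry][args[0]] = args[1:]
    return sections


def find_unexpected_admins(sections, allowlist):
    """(name, access profile) for each local admin not on the allowlist."""
    admins = sections.get("system admin", {})
    return sorted(
        (name, settings.get("accprofile", [""])[0])
        for name, settings in admins.items()
        if name not in allowlist
    )


def ldap_bind_accounts(sections):
    """LDAP servers and the bind accounts whose secrets live in the backup."""
    found = []
    for name, settings in sections.get("user ldap", {}).items():
        password = settings.get("password", [])
        found.append({
            "entry": name,
            "server": settings.get("server", [""])[0],
            "bind_dn": settings.get("username", [""])[0],
            # "ENC <blob>" means the device stored the secret reversibly;
            # rotate this account if the backup may have been exposed.
            "password_in_backup": bool(password) and password[0] == "ENC",
        })
    return found


def audit(text, allowlist=("admin",)):
    sections = parse_fortios(text)
    return {
        "unexpected_admins": find_unexpected_admins(sections, set(allowlist)),
        "ldap_bind_accounts": ldap_bind_accounts(sections),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents and the allowlist with the admin accounts your change records actually authorise; any unexpected `super_admin` entry is the kind of account the report describes, and every LDAP bind account listed should be rotated.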


Deployment of Malware and Tools


In another incident, the attackers created admin accounts, deployed remote access tools like Pulseway and MeshAgent, and used PowerShell and DLL side-loading to execute malware. They also staged malicious payloads on cloud storage and used PsExec to move laterally within the network.


Exfiltration of Sensitive Data


In one case, the attackers made a backup of the main domain controller, extracted the NTDS.dit file and the SYSTEM registry hive, compressed them, and uploaded them to their servers. Together, those two files let them extract the domain's password hashes, potentially crack passwords, and gain further access.


Recommendations


Organizations should secure NGFWs by enforcing strong administrative controls, keeping software patched, and maintaining adequate log retention (at least 14–90 days). Logs should be sent to a SIEM system to detect anomalies and enable automated responses to neutralize threats quickly.


Sources


  • https://securityaffairs.com/189241/security/attackers-exploit-fortigate-devices-to-access-sensitive-network-information.html

  • https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html

  • https://www.linkedin.com/posts/brian-mcelhare-2903673_600-fortigate-devices-hacked-by-ai-armed-activity-7435685656263135232-nQvo

© 2025 by Explain IT Again.
