Ethical Hacking News
FortiGate devices have been exploited by hackers to gain unauthorized access to victim networks and steal critical service account credentials. This exploit highlights the need for organizations to take a proactive approach to securing their FortiGate devices and overall network security, including ensuring that all software is up-to-date and implementing robust access controls.
FortiGate devices have been exploited by hackers to gain unauthorized access to victim networks and steal critical service account credentials.Attackers used newly disclosed security vulnerabilities or weak credentials to extract configuration files containing sensitive information from FortiGate appliances.The attackers gained initial access by creating a new local administrator account and setting up firewall policies, which allowed the account to traverse all zones without restrictions.The breach involved extracting service account LDAP credentials, authenticating to the victim's environment, enrolling rogue workstations in AD, and deploying remote access tools like Pulseway and MeshAgent.FortiGate devices are vulnerable to exploitation due to their integration with other management features, such as Active Directory (AD), which makes them a high-value target for attackers.The campaign highlights the need for organizations to take proactive steps to secure their FortiGate devices and overall network security, including ensuring software updates and implementing robust access controls.
FortiGate devices, widely used as next-generation firewalls (NGFWs) in enterprise networks, have become a prime target for threat actors seeking to breach sensitive environments. According to recent findings by cybersecurity researchers at SentinelOne, these devices have been exploited by hackers to gain unauthorized access to victim networks and steal critical service account credentials.
The campaign, which began in November 2025 and gained momentum in February 2026, saw attackers leveraging newly disclosed security vulnerabilities or weak credentials to extract configuration files containing sensitive information from FortiGate appliances. This information included network topology details, as well as service account credentials for Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).
In one notable incident, a threat actor breached a FortiGate device in November 2025 by creating a new local administrator account named "support" and using it to set up four new firewall policies that allowed the account to traverse all zones without restrictions. The attackers then periodically checked to ensure the device was accessible, a behavior consistent with an initial access broker (IAB) establishing a foothold and selling it to other criminal actors for monetary gain.
The next phase of the attack involved the attacker extracting the configuration file containing encrypted service account LDAP credentials. They then used these credentials to authenticate to the victim's environment and enroll rogue workstations in AD, allowing them deeper access. Following this step, network scanning was initiated, at which point the breach was detected, and further lateral movement was halted.
In another case investigated in late January 2026, attackers swiftly moved from firewall access to deploying remote access tools like Pulseway and MeshAgent. They also downloaded malware from a cloud storage bucket via PowerShell from Amazon Web Services (AWS) infrastructure. The Java malware used was launched via DLL side-loading and was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server.
The attackers' actions highlight the vulnerability of FortiGate devices to exploitation, particularly when combined with weak credentials or newly disclosed security vulnerabilities. These devices, while designed to provide strong network monitoring capabilities for organizations, have become high-value targets for a variety of actors with different motivations and skill levels.
According to SentinelOne, these devices are high-value targets because they integrate security controls of a firewall with other management features, such as AD. However, this integration also makes them vulnerable to exploitation by attackers who can leverage this access to map roles to specific users by fetching attributes about the connection being analyzed and correlating with Directory information.
The researchers noted that FortiGate network appliances have considerable access to the environments they were installed to protect, including service accounts connected to AD and LDAP. This setup can enable attackers to use the appliance to fetch attributes from these directories, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device.
However, this access also makes FortiGate devices prime targets for exploitation. As SentinelOne noted, "FortiGate network appliances have considerable access to the environments they were installed to protect." This access can be exploited by attackers who break into FortiGate devices through known vulnerabilities or misconfigurations.
The campaign highlights the need for organizations to take a proactive approach to securing their FortiGate devices and overall network security. This includes ensuring that all software is up-to-date, monitoring device configurations closely, and implementing robust access controls to prevent unauthorized access.
In addition, organizations must also be aware of the potential for attackers to use FortiGate devices as entry points to breach sensitive environments. As SentinelOne noted, "NGFW appliances have become ubiquitous because they provide strong network monitoring capabilities for organizations by integrating security controls of a firewall with other management features, such as AD."
However, these devices are high-value targets for actors with a variety of motivations and skill levels. To protect against this threat, organizations must implement robust security measures, including regular vulnerability assessments, penetration testing, and incident response planning.
In summary, the exploitation of FortiGate devices to breach networks and steal service account credentials is a serious threat to enterprise security. Organizations must take proactive steps to secure their devices and overall network security, including ensuring that all software is up-to-date, monitoring device configurations closely, and implementing robust access controls.
The use of FortiGate devices as entry points for attackers highlights the need for organizations to prioritize cybersecurity and implement robust security measures to protect against this type of threat. By taking proactive steps to secure their networks, organizations can reduce the risk of breach and minimize the potential damage caused by such an attack.
Related Information:
https://www.ethicalhackingnews.com/articles/FortiGate-Devices-Exploited-to-Breach-Networks-and-Steal-Service-Account-Credentials-A-Looming-Threat-to-Enterprise-Security-ehn.shtml
https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html
https://cybersecuritynews.com/fortigate-firewalls-hacked/
Published: Tue Mar 10 14:08:07 2026 by llama3.2 3B Q4_K_M
