FortiGate Firewalls Are Being Weaponized to Steal Your Active Directory Credentials
SentinelOne documents campaign targeting FortiGate appliances to extract AD/LDAP credentials. Attackers exploit CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, decrypt config files, and harvest NTDS.dit. Healthcare, government, and MSPs are primary targets.
There's a cruel irony in watching the very devices organizations deploy to protect their networks become the tools attackers use to compromise them. This week, SentinelOne published research documenting an ongoing campaign where threat actors are systematically targeting FortiGate Next-Generation Firewall appliances, exploiting them not just for initial access but to harvest the credentials that unlock everything else.
The targets should raise eyebrows across the managed services industry. Healthcare organizations, government entities, and managed service providers are being singled out by attackers who understand that these environments share a common architectural weakness. FortiGate devices in production environments frequently integrate with Active Directory and LDAP infrastructure to enable role-based access controls and correlate network security events with user identity. It's a sensible design for operational efficiency. It's also a treasure map for anyone who compromises the device.
The attack chain documented by SentinelOne researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne reveals how attackers are exploiting recently disclosed vulnerabilities including CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 to gain initial access. In some cases, the entry point is even simpler. Weak credentials and misconfigurations continue to serve as welcome mats for opportunistic threat actors who know that patching cycles in busy organizations often lag behind the disclosure of critical flaws.
One incident analyzed by SentinelOne illustrates the methodical patience of these operations. In November 2025, attackers breached a FortiGate appliance and created a local administrator account named "support," a naming choice designed to blend seamlessly with legitimate administrative accounts. Using this foothold, they configured four new firewall policies that effectively granted unrestricted zone traversal to their backdoor account. What happened next is particularly instructive for anyone trying to understand the economics of modern cybercrime.
The attackers periodically checked back to verify their access remained intact. They weren't rushing toward data exfiltration or ransomware deployment. Instead, their behavior aligned with that of an initial access broker, an increasingly common role in the cybercrime ecosystem where specialists focus exclusively on establishing persistent access to valuable networks and then selling that access to other criminal actors. The actual exploitation came later, in February 2026, when someone extracted the device's configuration file containing encrypted LDAP service account credentials.
Here's where the technical sophistication becomes apparent. The attackers successfully decrypted the configuration file and extracted the service account credentials in cleartext. Evidence showed the attacker authenticating to Active Directory using credentials associated with the fortidcagent service account. This wasn't a theoretical risk or a proof-of-concept demonstration. This was credential extraction from a production security appliance being used to pivot deeper into enterprise infrastructure.
With valid service account credentials in hand, the attackers enrolled rogue workstations in Active Directory, a technique that granted them persistent legitimate-looking access to the victim's environment. Network scanning followed as the attackers mapped out potential targets for lateral movement. Fortunately, the breach was detected at this stage, and containment prevented further escalation. Not every organization will be so lucky.
A second incident investigated in late January 2026 demonstrated even more aggressive post-exploitation behavior. Attackers moved rapidly from firewall compromise to deploying remote access tools like Pulseway and MeshAgent. They leveraged PowerShell to download Java malware from AWS cloud storage infrastructure, then used DLL side-loading techniques to execute their payload. The objective became clear when the malware exfiltrated the contents of the NTDS.dit file and the SYSTEM registry hive to an external server over port 443.
For those unfamiliar with why that combination matters, NTDS.dit is the database file that stores Active Directory data including password hashes for every account in the domain. Combined with the SYSTEM registry hive, an attacker possesses everything needed to perform offline password cracking attacks against the entire organization. SentinelOne noted that while no credential usage from the harvested data was observed before incident containment, the attackers now possess the cryptographic material to attempt password cracking at their leisure.
The implications for managed service providers are particularly severe. MSPs often deploy identical or similar FortiGate configurations across multiple client environments, meaning a vulnerability or misconfiguration discovered in one client's deployment may exist across dozens of others. Attackers who successfully compromise an MSP's management infrastructure could theoretically leverage that access to pivot across an entire client base. This isn't speculation. We've watched similar supply chain dynamics play out repeatedly over the past several years.
What makes this campaign especially concerning is the integration architecture it exploits. Organizations implement LDAP and AD integration on their FortiGate devices because it genuinely improves security operations. Role-based policies become more granular. Incident response becomes faster when security alerts correlate directly with user identity. But that same integration means the device stores credentials with significant privileges, and those credentials become immediately valuable to anyone who extracts the configuration file.
Fortinet has patched the specific vulnerabilities being exploited, but patching alone doesn't address the broader architectural risk. Organizations need to audit their FortiGate deployments with a critical eye toward the privileges granted to any service accounts integrated with the device. Does the LDAP service account really need domain-wide read access? Could it function adequately with more restricted permissions? Every privilege beyond the minimum necessary represents expanded blast radius in the event of compromise.
Beyond privilege minimization, organizations should implement monitoring that can detect the behavioral indicators SentinelOne documented. Creation of unexpected local administrator accounts on network appliances should trigger alerts. New firewall policies permitting unrestricted zone traversal warrant immediate investigation. Authentication events from device service accounts should be logged and anomalies flagged for review.
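As an added illustration of the three behavioral checks just described (this is example detection logic written for this page, not SentinelOne's or Fortinet's code), the script below parses a few constructed FortiGate-style configuration-change log lines and a few constructed AD logon records, and raises an alert when a local admin account outside an approved list is created, when a new policy permits any-interface/any-address traffic, or when the LDAP service account authenticates from an address other than the firewall itself. The field names (`cfgpath`, `cfgobj`, `cfgattr`, `ui`) and the `fortidcagent` source-address rule are modeled loosely on FortiGate key=value syslog and are assumptions here; adapt them to the actual log schema and IP allow-list in your environment.

```python
import re

# key=value tokens in FortiGate-style syslog; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line):
    """Parse one key=value syslog line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Constructed sample events (not real telemetry), loosely modeled on FortiGate
# configuration-change logs. Field names are assumptions for this example.
FIREWALL_LOGS = [
    'date=2025-11-03 time=02:14:07 type=event subtype=system action=Add user="admin" '
    'ui="https(203.0.113.50)" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"',
    'date=2025-11-03 time=02:16:41 type=event subtype=system action=Add user="support" '
    'ui="https(203.0.113.50)" cfgpath="firewall.policy" cfgobj="41" '
    'cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]service[ALL]action[accept]"',
    'date=2025-11-04 time=09:01:12 type=event subtype=system action=Edit user="netops" '
    'ui="ssh(10.0.0.7)" cfgpath="firewall.policy" cfgobj="12" '
    'cfgattr="srcintf[lan]dstintf[wan1]srcaddr[LAN_NET]dstaddr[all]service[HTTPS]action[accept]"',
]

# Constructed AD logon records (e.g. distilled from Windows 4624 events) for the
# firewall's LDAP service account. Only the firewall should authenticate as it.
AD_LOGONS = [
    {"account": "fortidcagent", "src_ip": "10.0.0.1"},   # the firewall (expected)
    {"account": "fortidcagent", "src_ip": "10.0.5.23"},  # a workstation (unexpected)
    {"account": "jdoe", "src_ip": "10.0.5.23"},          # ordinary user, not in scope
]

APPROVED_ADMINS = {"admin", "netops"}   # assumed change-controlled admin list
FIREWALL_IPS = {"10.0.0.1"}             # assumed address(es) of the appliance
SERVICE_ACCOUNTS = {"fortidcagent"}     # service account(s) stored in the device config

ANY_ANY = re.compile(r"srcintf\[any\].*dstintf\[any\]")
ALL_ALL = re.compile(r"srcaddr\[all\].*dstaddr\[all\]")

def check_firewall_events(lines):
    """Flag new local admin accounts and new unrestricted zone-traversal policies."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "Add":      # only object creation is of interest here
            continue
        if ev.get("cfgpath") == "system.admin" and ev.get("cfgobj") not in APPROVED_ADMINS:
            alerts.append(("NEW_LOCAL_ADMIN", ev["cfgobj"], ev.get("ui", "")))
        if ev.get("cfgpath") == "firewall.policy":
            attr = ev.get("cfgattr", "")
            # any->any interfaces, all->all addresses, and an accept action
            if ANY_ANY.search(attr) and ALL_ALL.search(attr) and "action[accept]" in attr:
                alerts.append(("UNRESTRICTED_POLICY", ev["cfgobj"], ev.get("user", "")))
    return alerts

def check_service_account_logons(records):
    """Flag device service-account logons that did not originate from the appliance."""
    return [
        ("SERVICE_ACCOUNT_OFF_DEVICE", r["account"], r["src_ip"])
        for r in records
        if r["account"] in SERVICE_ACCOUNTS and r["src_ip"] not in FIREWALL_IPS
    ]

if __name__ == "__main__":
    for alert in check_firewall_events(FIREWALL_LOGS) + check_service_account_logons(AD_LOGONS):
        print(alert)
```

Run stand-alone, the script prints three alerts: the creation of the `support` admin, policy `41` added by that account with any/any/all/all/accept, and a `fortidcagent` logon from a workstation address. The third check is the one that would have caught the pivot described above, since the service account's credentials are only ever legitimately presented by the firewall itself.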
For MSPs specifically, this campaign underscores the importance of network segmentation between client environments and robust monitoring of management plane access. Shared credentials across client deployments represent catastrophic risk concentration. If an attacker compromises one FortiGate device and discovers that the same administrative credentials work across forty client environments, the security incident transforms from a single-client breach into an existential threat to the business.
The message from SentinelOne's research is clear. Next-generation firewall appliances have become high-value targets precisely because they occupy privileged positions within network architecture. State-aligned espionage actors and financially motivated ransomware operators alike recognize that compromising the network perimeter device often provides the fastest path to the credentials and data they seek. Organizations that treat these devices as set-and-forget infrastructure rather than critical assets requiring continuous monitoring and rapid patch deployment are accepting far more risk than they may realize.
The attackers behind this campaign are sophisticated enough to decrypt FortiGate configuration files, patient enough to maintain access for months before exploitation, and organized enough to monetize their access through the initial access broker marketplace. Defending against adversaries operating at this level requires accepting that your perimeter security devices are themselves targets, not just defenders, and designing your security architecture accordingly.