
FortiGate Appliances Targeted to Steal LDAP Credentials and Breach Networks


These articles are AI-generated summaries. Please check the original sources for full details.

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

SentinelOne researchers have identified a campaign in which attackers abuse FortiGate Next-Generation Firewalls (NGFWs) to extract service account credentials. The activity targets healthcare, government, and managed service providers and begins with exploitation of vulnerabilities such as CVE-2025-59718. With the recovered credentials, attackers can enumerate which directory roles are held by which users and move between network zones without restriction.

Why This Matters

NGFWs are designed to integrate their security controls with authentication infrastructure such as Active Directory, but that integration turns the appliance into a single point of failure. An attacker who compromises the appliance can decrypt its configuration file, recover the service account credentials stored there, and use them against the domain directly, bypassing the perimeter the appliance was meant to enforce, for example by enrolling rogue workstations into the domain. The integration intended to speed up security response thus becomes a path to automated lateral movement once the appliance's own protections are bypassed.

Key Insights

  • Exploitation of CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 allows attackers to extract configuration files containing encrypted LDAP credentials.
  • Initial Access Brokers established persistence in November 2025 by creating a ‘support’ admin account and unrestricted firewall policies.
  • Attackers successfully decrypted the fortidcagent service account credentials to authenticate to Active Directory in February 2026.
  • Java-based malware was deployed via DLL side-loading to exfiltrate NTDS.dit and SYSTEM registry hives to the external server 172.67.196.232.
  • Threat actors utilized remote access tools like Pulseway and MeshAgent to maintain control and facilitate lateral movement across victim networks.

Practical Applications

  • Use Case: Monitor the appliance for the creation of unauthorized local administrator accounts and for firewall policy changes that permit unrestricted traversal between zones; both were the attackers' first persistence steps in this intrusion, months before the credentials were used.
  • Pitfall: LDAP credentials stored in a network appliance configuration in clear text, or in a form the appliance can readily decrypt, are only as protected as the appliance itself; once it is exploited, they give the attacker immediate domain-wide access. Give the integration a dedicated, least-privilege service account and treat any logon by that account from a host other than the appliance as suspicious.
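The monitoring described in the use case above, together with the follow-on check on the directory side (the appliance's LDAP service account authenticating from a host that is not the appliance, which is how the fortidcagent credentials were used in this campaign), as an added example that is not code from SentinelOne or Fortinet. The field names follow FortiGate's key=value configuration-change event logs (cfgpath, cfgobj, cfgattr, action, ui); the sample log lines, the Active Directory logon records, the IP addresses, account names and policy numbers are all constructed for this example, and the allowlists of known admins, management hosts and service account sources are assumptions an operator would replace with their own inventory.

```python
"""
Detection over FortiGate config-change logs and AD logon records for the
three signals the summary highlights: a new appliance admin account, a
policy allowing unrestricted zone traversal, and the appliance's LDAP
service account logging on from somewhere other than the appliance.
Added example; all sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed FortiGate event log lines (not taken from the report).
SAMPLE_FGT_LOGS = [
    # Routine change by a known admin from the management host: no alert.
    'date=2025-11-14 time=09:02:11 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(10.10.0.5)" action="Edit" cfgpath="system.interface" cfgobj="port1" '
    'cfgattr="alias[wan]" msg="Edit system.interface port1"',
    # New super_admin account named "support", created from an outside address.
    'date=2025-11-14 time=02:13:07 logid="0100044546" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="admin" '
    'ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="support" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin support"',
    # Policy allowing any interface to any interface, all addresses, all services.
    'date=2025-11-14 time=02:14:40 logid="0100044546" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="support" '
    'ui="https(203.0.113.7)" action="Add" cfgpath="firewall.policy" cfgobj="47" '
    'cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]action[accept]'
    'service[ALL]schedule[always]" msg="Add firewall.policy 47"',
    # Ordinary scoped policy: no alert.
    'date=2025-11-14 time=09:05:02 logid="0100044546" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="admin" '
    'ui="https(10.10.0.5)" action="Add" cfgpath="firewall.policy" cfgobj="48" '
    'cfgattr="srcintf[port2]dstintf[port1]srcaddr[lan]dstaddr[all]action[accept]'
    'service[HTTPS]schedule[always]" msg="Add firewall.policy 48"',
]

# Constructed AD logon records, i.e. the fields of a 4624 event already parsed.
SAMPLE_AD_LOGONS = [
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.10.0.1", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.10.40.23", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.10.40.23", "LogonType": 2},
]

# Assumed inventory: replace with your own.
KNOWN_ADMINS = {"admin"}                                   # admin accounts that should exist
MGMT_SOURCES = {"10.10.0.5"}                               # hosts allowed to change config
SERVICE_ACCOUNT_SOURCES = {"fortidcagent": {"10.10.0.1"}}  # the firewall's own address

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_ATTR = re.compile(r'(\w+)\[([^\]]*)\]')


def parse_fgt_line(line: str) -> Dict[str, str]:
    """Parse a FortiGate key=value log line into a dict, quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def parse_cfgattr(attr: str) -> Dict[str, str]:
    """Split a cfgattr value such as 'srcintf[any]dstintf[any]' into a dict."""
    return {m.group(1): m.group(2) for m in _ATTR.finditer(attr)}


def ui_source_ip(ui: str) -> str:
    """Extract the client address from a ui field such as 'https(203.0.113.7)'."""
    m = re.search(r'\(([^)]+)\)', ui)
    return m.group(1) if m else ""


def detect(fgt_lines: Iterable[str], ad_logons: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts for the appliance-side and directory-side signals."""
    alerts: List[Tuple[str, str]] = []
    for line in fgt_lines:
        ev = parse_fgt_line(line)
        attrs = parse_cfgattr(ev.get("cfgattr", ""))
        src = ui_source_ip(ev.get("ui", ""))
        # Rule 1: an admin account added or edited that is not in inventory,
        # or any admin change made from a non-management host.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") in {"Add", "Edit"}:
            if ev.get("cfgobj") not in KNOWN_ADMINS or src not in MGMT_SOURCES:
                alerts.append(("unexpected_admin_account",
                               f"{ev['action']} admin '{ev.get('cfgobj')}' "
                               f"profile={attrs.get('accprofile')} from {src}"))
        # Rule 2: a policy letting any zone reach any zone with every service.
        if ev.get("cfgpath") == "firewall.policy" and ev.get("action") in {"Add", "Edit"}:
            wide_open = (attrs.get("srcintf") == "any" and attrs.get("dstintf") == "any"
                         and attrs.get("srcaddr") == "all" and attrs.get("dstaddr") == "all"
                         and attrs.get("action") == "accept" and attrs.get("service") == "ALL")
            if wide_open:
                alerts.append(("unrestricted_zone_policy",
                               f"policy {ev.get('cfgobj')} by '{ev.get('user')}' from {src}"))
    # Rule 3: the appliance's LDAP service account logging on from a host that
    # is not the appliance, i.e. its credentials being reused elsewhere.
    for rec in ad_logons:
        user = rec.get("TargetUserName", "")
        allowed = SERVICE_ACCOUNT_SOURCES.get(user)
        if rec.get("EventID") == 4624 and allowed is not None and rec.get("IpAddress") not in allowed:
            alerts.append(("service_account_from_unexpected_host",
                           f"{user} logon from {rec.get('IpAddress')}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_FGT_LOGS, SAMPLE_AD_LOGONS):
        print(f"{rule}: {detail}")
```

Run against the constructed data, the three malicious records each produce one alert and the two routine ones none. Rule 3 is the one that catches the credential reuse even if the appliance-side logs were never shipped to the SIEM, so it is worth wiring up independently of the first two.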
