Cybercriminals Exploit FortiGate Firewalls to Infiltrate Networks and Steal Credentials
Cybersecurity experts have identified a sophisticated campaign where attackers are leveraging vulnerabilities in FortiGate Next-Generation Firewall (NGFW) appliances to gain unauthorized access to networks. These breaches have primarily targeted sectors such as healthcare, government, and managed service providers.
FortiGate devices are integral to network security, often interfacing with authentication infrastructures like Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). This integration allows the appliances to map user roles and enhance response times for security alerts. However, this deep access also presents a significant risk if exploited.
In one documented incident from November 2025, attackers compromised a FortiGate appliance by creating a local administrator account named support. They then established firewall policies that permitted unrestricted movement across network zones. The attackers maintained periodic access checks, a tactic often associated with initial access brokers who sell network access to other malicious entities.
By February 2026, the attackers had extracted configuration files containing encrypted LDAP service account credentials. Evidence indicates they decrypted these files to obtain clear-text credentials, which were then used to authenticate to the AD environment. This access enabled them to enroll unauthorized workstations into the AD, facilitating deeper network infiltration. The breach was eventually detected during subsequent network scanning activities, halting further lateral movement.
Another case from January 2026 revealed that attackers, after gaining firewall access, deployed remote access tools such as Pulseway and MeshAgent. They also utilized PowerShell scripts to download malware from cloud storage hosted on Amazon Web Services (AWS). This Java-based malware, executed via DLL side-loading, exfiltrated sensitive data, including the NTDS.dit file and SYSTEM registry hive, to an external server over port 443.
These incidents underscore the critical importance of securing FortiGate appliances. Organizations are urged to:
– Regularly Update Firmware: Ensure that all FortiGate devices are running the latest firmware versions to mitigate known vulnerabilities.
– Enforce Strong Authentication: Implement robust authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access.
– Monitor Network Activity: Continuously monitor network traffic for unusual patterns that may indicate a breach.
– Restrict Administrative Access: Limit administrative privileges to essential personnel and regularly review access logs for anomalies.
By adopting these proactive measures, organizations can enhance their defense against sophisticated cyber threats targeting network infrastructure.
