Recent investigations have revealed an active campaigntargeting FortiGate firewall devices, where attackers gain access to theseappliances to extract service account credentials and pivot deeper intoenterprise networks. Attackers have exploited FortiGate devices to gain administrative access, allowing them to export device configurations and capture sensitive credentials. Compromised appliances serve as a foothold forattackers to move laterally within networks, escalate privileges, and deploymalicious tools or scripts.
How the Compromise Occurs
Exploiting Vulnerabilities and Weak Credentials: unauthorised access is gained through:
- Authentication bypass vulnerabilities in single sign-on (SSO) mechanisms (e.g., CVE‑2025‑59718, CVE‑2025‑59719, CVE‑2026‑24858), which allow attackers to bypass normal login procedures and obtain administrative access.
- Weak, default, or reused administrative passwords, especially on devices exposed to the internet.
Once administrative access is obtained, attackers can export the full device configuration, often revealing embedded credentials for service accounts tied to Active Directory (AD) or LDAP systems.
Impact
Credential Harvesting and Lateral Movement: Extracted configurations may contain service account credentials that enable attackers to:
- Authenticate directly to domain controllers (AD)
- Create or manipulate local administrative accounts
- Enumerate internal systems and network resources
- Move laterally within the network to deploy malware or ransomware
In some cases, attackers can manipulate firewall rules, stage malicious payloads, or exfiltrate sensitive Active Directory data, significantly increasing the potential impact of the breach.
Why This Matters
FortiGate NGFWs are typically deployed at the network perimeter or edge, making them a critical line of defense. When compromised:
- Attackers gain insight into network topology and security configurations
- Authentication infrastructures such as AD or LDAP can be directly targeted
- A perimeter breach can become a foundation for full network compromise
Even high-value security appliances can become attack vectors if vulnerabilities are not addressed or devices are misconfigured.
Recommendations
1. Patch and Update Immediately: Keep FortiOS firmware up to date to fix critical security issues, including authentication bypasses.
2. Secure Administrative Access
- Restrict access to management interfaces; don’t expose GUI or SSH to the internet.
- Use strong, unique passwords and enable multi-factor authentication (MFA).
- Turn off unnecessary features like FortiCloud SSO if not needed.
3. Protect Credentials and Service Accounts
- Change service account passwords regularly.
- Don’t store high-privilege credentials in configuration files.
- Treat exported configurations as sensitive and store them safely.
4. Network Segmentation and Least Privilege
- Keep edge devices separate from internal systems.
- Give admins only the access they need.
.png)
.png)