
Incident responders at SentinelOne recently identified multiple attacks targeting Fortinet firewall appliances exposed to the internet.
In these incidents, attackers exploited weaknesses in Fortinet’s Single Sign-On (SSO) mechanisms to retrieve sensitive configuration data and pivot deeper into internal environments.
Exploited FortiGate Vulnerabilities
Threat actors are primarily abusing several FortiGate vulnerabilities, including CVE-2025-59718, CVE-2025-59719, and the recently patched CVE-2026-24858.
These flaws allow unauthorized users to bypass authentication controls and gain administrative-level access to vulnerable firewall devices.
Once access is obtained, attackers execute a simple command that downloads the firewall’s full configuration file.
The extracted configuration file contains critical operational data, including service account credentials used to authenticate against enterprise services.
FortiOS configuration files rely on reversible encryption, which enables attackers to decrypt the stored credentials with relative ease.
This exposes sensitive authentication details, including LDAP and Active Directory service account credentials, allowing attackers to authenticate directly to the domain infrastructure.
In addition to exploiting vulnerabilities, investigators observed attackers scanning exposed FortiGate devices and attempting logins using weak or default credentials, indicating a combination of vulnerability exploitation and brute-force tactics.
Security researchers identified two separate intrusion campaigns following the initial compromise of FortiGate devices.
In the first campaign, active between late 2025 and February 2026, attackers created a malicious local administrator account named “support” on compromised firewalls.
Using stolen LDAP service account credentials, the attackers leveraged default Active Directory configurations to join two rogue workstations to the domain.
By registering these attacker-controlled machines within the network, the threat actors gained expanded access while avoiding certain security restrictions typically applied to external systems.
The compromised machines were then used to conduct network reconnaissance and credential attacks.
Investigators observed attackers performing large-scale password spraying and network enumeration using SoftPerfect Network Scanner to identify additional targets and weak accounts.
A second incident observed in January 2026 followed a more aggressive post-exploitation path. Attackers created another malicious firewall account named “ssl-admin” and quickly escalated privileges by compromising a Domain Administrator account.
Within minutes, the attackers deployed legitimate Remote Monitoring and Management (RMM) tools, including Pulseway and MeshAgent, to maintain remote access to the compromised environment.
To evade detection, the malicious payloads were disguised as Java software updates. Attackers hosted these payloads on trusted cloud services such as Google Cloud Storage and Amazon Web Services S3 buckets, allowing the activity to blend with normal network traffic.
The attackers ultimately extracted the NTDS.dit database, the core repository containing all Active Directory credentials and secrets, using Volume Shadow Copy backups.
Additionally, Windows registry values were modified to conceal the presence of the installed remote management tools.
Mitigation and Defensive Measures
Investigators highlighted poor log retention practices as a recurring factor in many of the incidents. In several cases, firewall logs had been overwritten before security teams could identify the original compromise.
Security experts recommend several defensive actions:
- Apply the latest Fortinet patches immediately to address the exploited vulnerabilities.
- Forward firewall and network logs to a centralized Security Information and Event Management (SIEM) platform in real time.
- Maintain a log retention period of at least 14 days on edge devices, though 60 to 90 days is strongly recommended.
- Monitor firewall audit logs for unexpected configuration downloads.
- Track FortiGate log IDs related to unauthorized administrator account creation.
- Monitor Windows Event ID 4741 on domain controllers to detect rogue computer accounts being joined to the domain.
- Investigate computer objects missing Service Principal Names (SPNs), which may indicate malicious activity.
Improving visibility and log retention across edge devices can significantly reduce attacker dwell time and enable faster incident detection.
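The following script is an added example, not code from SentinelOne, Fortinet or the original article. It implements two of the detections recommended above over constructed sample data: flagging FortiGate administrator-account creation and configuration downloads in firewall event logs, and flagging Windows Event ID 4741 computer-account creations that look like rogue domain joins (an unexpected creating account, no Service Principal Names, or a stock WIN-xxxxxxxxxxx hostname like the ones listed in the IOCs). The FortiGate field names (logdesc, cfgpath, cfgobj, action, user, ui) and the reduced 4741 field set are assumptions about the log schema; map them to what your firmware version and SIEM actually emit. The sample log lines and events are constructed for the example; the account names, hostnames and IP address are taken from the article.

```python
"""Triage helpers for two detections: FortiGate admin-account creation /
configuration downloads, and Windows Event ID 4741 computer-account creation.
Example code added here; not from SentinelOne or Fortinet. Sample data below
is constructed."""
import re

# Constructed FortiGate event-log lines in syslog key=value form. The field
# names used here are assumptions about the FortiOS event-log schema.
FORTIGATE_LOG_SAMPLES = [
    'date=2026-01-14 time=02:11:07 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(185.156.73.62)" '
    'action="Add" cfgpath="system.admin" cfgobj="ssl-admin" msg="Add system.admin ssl-admin"',
    'date=2026-01-14 time=02:12:40 type="event" subtype="system" level="notice" '
    'logdesc="Configuration file downloaded" user="ssl-admin" ui="https(185.156.73.62)" '
    'msg="Config file downloaded"',
    'date=2026-01-14 time=08:30:00 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(10.0.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]

# Constructed Windows Security events reduced to the 4741 fields this check
# uses; in practice these come from the SIEM's parsed domain-controller logs.
# A "-" in ServicePrincipalNames means the attribute was not set.
WINDOWS_EVENT_SAMPLES = [
    {"EventID": 4741, "SubjectUserName": "svc_ldap",
     "TargetUserName": "WIN-1J7L3SQSTMS$", "ServicePrincipalNames": "-"},
    {"EventID": 4741, "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "FIN-LAPTOP-042$",
     "ServicePrincipalNames": "HOST/FIN-LAPTOP-042.corp.example RestrictedKrbHost/FIN-LAPTOP-042"},
    {"EventID": 4741, "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "WIN-X8WRBOSK0OF$",
     "ServicePrincipalNames": "HOST/WIN-X8WRBOSK0OF.corp.example"},
    {"EventID": 4720, "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "j.doe", "ServicePrincipalNames": "-"},  # user creation, ignored
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Stock Windows hostnames are WIN- followed by 11 alphanumerics (assumption
# drawn from the hostnames reported in the article).
DEFAULT_HOSTNAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")


def parse_fortigate_line(line):
    """Turn a FortiGate key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def fortigate_alerts(lines, approved_admins):
    """Flag creation of admin accounts outside the approved set, and any
    configuration download, returning (kind, subject, source_ui) tuples."""
    alerts = []
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            if ev.get("cfgobj") not in approved_admins:
                alerts.append(("unapproved_admin_created", ev["cfgobj"], ev.get("ui", "")))
        desc = ev.get("logdesc", "").lower()
        if "config" in desc and "download" in desc:
            alerts.append(("config_downloaded", ev.get("user", ""), ev.get("ui", "")))
    return alerts


def windows_4741_alerts(events, expected_joiners):
    """Flag 4741 computer-account creations that look like rogue domain joins.
    Returns (hostname, creating_account, [reasons]) tuples."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4741:
            continue
        host = ev["TargetUserName"].rstrip("$")
        reasons = []
        if ev["SubjectUserName"] not in expected_joiners:
            reasons.append("unexpected_creator")   # e.g. a service account joining machines
        if ev.get("ServicePrincipalNames", "-").strip() in ("", "-"):
            reasons.append("no_spn")
        if DEFAULT_HOSTNAME_RE.match(host):
            reasons.append("default_hostname")
        if reasons:
            alerts.append((host, ev["SubjectUserName"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in fortigate_alerts(FORTIGATE_LOG_SAMPLES, approved_admins={"admin"}):
        print("FORTIGATE", alert)
    for alert in windows_4741_alerts(WINDOWS_EVENT_SAMPLES, expected_joiners={"helpdesk.admin"}):
        print("AD", alert)
```

The approved-admin and expected-joiner sets are the tuning points: a legitimate "ssl-admin" created through change control drops out of the first check once it is added to the set, while a config download is always worth a ticket because the article's intrusions began with exactly that step. Keep in mind that a machine joined through the normal join process does receive SPNs, so the "no_spn" reason alone is a lead for investigation rather than proof of compromise.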
Indicators of Compromise (IOCs)
Domains
- ndibstersoft[.]com
- neremedysoft[.]com
- fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com
IP Addresses
- 185.156.73[.]62
- 185.242.246[.]127
- 193.24.211[.]61
Malicious URLs
- hxxps://fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com/paswr.zip
- hxxps://storage.googleapis[.]com/apply-main/windows_agent_x64[.]msi
Threat Actor Accounts
- ssl-admin – FortiGate administrative account created during Incident 2
- support – FortiGate administrative account created during Incident 1
Suspicious Windows Hostnames
- WIN-1J7L3SQSTMS
- WIN-X8WRBOSK0OF
- WIN-YRSXLEONJY2
Organizations using FortiGate devices are urged to review firewall configurations, monitor authentication activity, and immediately patch vulnerable systems to prevent similar intrusions.
The post Hackers Exploit FortiGate Firewalls in Widespread Attacks to Steal Network Credentials appeared first on Cyber Security News.
