securityaffairs.com, 3/10/2026, 8:01:21 PM

Attackers exploit FortiGate devices to access sensitive network information
CyberSIXT Evidence Panel
CISA KEV: listed in KEV
Patch: patch available

Attackers are exploiting FortiGate devices to breach networks and harvest configuration data that may contain service account credentials and internal network details, according to SentinelOne. The researchers say attackers gain initial access by exploiting vulnerabilities or weak credentials in FortiGate appliances, then extract configuration files containing encrypted LDAP service account credentials and information about the network structure.

The campaign targets sectors including healthcare, government agencies, and managed service providers, where FortiGate appliances are often integrated with Active Directory (AD) and LDAP for role mapping and rapid responses. CVEs referenced in the report include CVE-2025-59718, CVE-2025-59719 and CVE-2026-24858, which facilitated unauthorised admin access or login via FortiCloud SSO; however, some intrusions occurred without exploiting a vulnerability.

In one analysed incident, attackers created local admin accounts, modified firewall policies, and extracted configuration files before decrypting credentials to authenticate to Active Directory and enrol rogue workstations. The report also notes that next-generation firewalls (NGFWs) are high-value targets for a range of actors, and recommends ensuring strong admin controls, patched software, and log retention of at least 14 days, ideally 60–90 days, with logs sent to a SIEM for rapid anomaly detection.
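The recommendation to retain FortiGate logs and ship them to a SIEM only pays off if something actually looks for the sequence the incident above describes: a new local admin account, a firewall policy change, then a configuration export, all from the same management session. The script below is an added example written for this page; it is not code from SentinelOne, Fortinet or the article. It parses constructed FortiGate-style key=value event lines and flags any management source that creates an admin account and then backs up the configuration within a time window. The field names (logdesc, user, ui, action, cfgpath, cfgobj, msg) follow FortiGate's configuration-change event logs, but the sample lines, hostnames, IP addresses, user names and the exact logdesc strings used for matching are assumptions, not values taken from the report.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed FortiGate-style event log lines (syslog key=value format).
# Field names follow FortiGate's config-change event logs; every value,
# host, user and IP address here is invented for this example.
SAMPLE_LOGS = [
    'date=2026-03-01 time=02:14:07 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="https(203.0.113.44)" action="Add" cfgpath="system.admin" cfgobj="support2" '
    'msg="Add system.admin support2"',
    'date=2026-03-01 time=02:16:51 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="support2" '
    'ui="https(203.0.113.44)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'cfgattr="srcaddr[all]" msg="Edit firewall.policy 12"',
    'date=2026-03-01 time=02:20:03 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" logdesc="Configuration backed up" user="support2" '
    'ui="https(203.0.113.44)" msg="Configuration backed up by user support2"',
    # Routine change from a different, legitimate admin session: must not alert.
    'date=2026-03-01 time=09:00:12 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="ssh(10.10.5.7)" action="Edit" cfgpath="system.global" cfgattr="timezone" '
    'msg="Edit system.global"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one FortiGate key=value log line into a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection rules a parsed event matches (possibly none).

    The three rules mirror the steps in the analysed incident. The logdesc
    substring for a config export is an assumption about the wording.
    """
    hits: List[str] = []
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        hits.append("new_local_admin")
    if ev.get("cfgpath", "").startswith("firewall.policy"):
        hits.append("firewall_policy_change")
    if "backed up" in ev.get("logdesc", "").lower():
        hits.append("config_export")
    return hits


def management_source(ev: Dict[str, str]) -> str:
    """Extract the client address from ui="https(1.2.3.4)"; fall back to the raw ui."""
    match = re.search(r"\(([^)]+)\)", ev.get("ui", ""))
    return match.group(1) if match else ev.get("ui", "unknown")


def event_time(ev: Dict[str, str]) -> datetime:
    """Combine FortiGate's separate date= and time= fields into one timestamp."""
    return datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")


def suspicious_sources(lines: List[str], window: timedelta = timedelta(hours=1)) -> List[str]:
    """Return management sources that added a local admin and then exported the
    configuration within `window`. Lines are assumed to be in chronological order,
    as they would be when read back from retained SIEM storage."""
    first_admin_add: Dict[str, datetime] = {}
    flagged: List[str] = []
    for line in lines:
        ev = parse_fortigate_line(line)
        src = management_source(ev)
        ts = event_time(ev)
        hits = classify_event(ev)
        if "new_local_admin" in hits:
            first_admin_add.setdefault(src, ts)
        if "config_export" in hits and src in first_admin_add:
            if ts - first_admin_add[src] <= window and src not in flagged:
                flagged.append(src)
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_fortigate_line(line)
        print(f"{ev['date']} {ev['time']} {management_source(ev):>15}  {classify_event(ev)}")
    print("admin-add followed by config export from:", suspicious_sources(SAMPLE_LOGS))
```

Run against real data, this would read events back from the SIEM rather than an in-memory list, and the match strings would be tuned to the exact logdesc values the firmware emits. The point it makes is that the correlation needs the earlier admin-creation event to still be available when the export happens, which is exactly what the retention window in the report buys you.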


Article by CyberSIXT