Cybersecurity firm SentinelOne has detailed a concerning campaign where threat actors are systematically targeting FortiGate Next-Generation Firewalls (NGFWs) to gain an initial foothold in victim networks. The attackers are exploiting recently disclosed critical vulnerabilities—specifically CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858—or leveraging weak administrative credentials to compromise these perimeter security devices. Once inside, their primary objective is to extract the appliance's configuration files, which contain a treasure trove of sensitive data, including service account credentials and detailed network topology maps. The campaign has shown a distinct preference for high-value sectors, with healthcare organizations, government entities, and managed service providers (MSPs) being disproportionately targeted. This sectoral focus suggests the attackers are likely motivated by data theft, espionage, or the potential for lucrative ransomware deployment.
The inherent power of a compromised FortiGate device lies in its privileged position and integrated functions. As SentinelOne researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne explain, these firewalls are often granted considerable access to the internal environments they are designed to protect. In many enterprise configurations, FortiGate appliances are integrated with core authentication infrastructure like Microsoft Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) servers. This integration allows the firewall to perform user- and role-based policy enforcement by fetching and correlating user attributes from the directory. While this functionality is crucial for effective security policy management and speeding up alert responses, it becomes a catastrophic liability once the firewall itself is compromised.
The extracted service account credentials and network maps provide attackers with a clear blueprint for lateral movement. With valid domain credentials obtained from the firewall's configuration, threat actors can authenticate to internal systems discreetly, bypassing many perimeter-based detection mechanisms. A detailed incident analysis from November 2025 illustrates the attack chain: after breaching a FortiGate appliance, the attackers created a new local administrator account named "support." They then proceeded to create four new firewall policies that granted this account unrestricted, zone-spanning access across the network. This action effectively turned the security gateway into a wide-open backdoor. The actors then performed periodic checks to ensure the compromised device remained accessible, behavior consistent with an Initial Access Broker (IAB) solidifying a persistent foothold for future sale or use in more extensive attacks.
This campaign underscores several critical lessons for network defenders. First, it highlights the urgent need to patch perimeter devices promptly, especially for critical vulnerabilities in widely deployed products like FortiGate. Second, it reinforces the principle of least privilege; service accounts used by firewalls for directory integration should have strictly limited permissions, sufficient only for their specific query functions. Third, network segmentation is paramount. A compromised firewall should not have a direct, unimpeded path to all critical assets. Finally, robust monitoring for anomalous configuration changes on network security appliances—such as the creation of new local accounts or unexpected firewall rules—is essential for early detection. As firewalls evolve into sophisticated, interconnected policy engines, they also become high-value targets. Protecting them requires a security-in-depth approach that goes beyond relying on them as an impenetrable barrier.
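The monitoring the paragraph above calls for can be started from the configuration backups a defender already collects. As an added example (not from the SentinelOne report or from Fortinet), the Python script below parses a FortiGate configuration in FortiOS backup syntax, flags local administrator accounts that are missing from a known-good baseline, flags accept policies that span any interface with all addresses and all services (the zone-spanning pattern described in the November 2025 incident), and lists the LDAP bind accounts stored in the config so they can be rotated after a compromise. The config syntax is assumed to follow FortiOS backup conventions; the sample configuration, the baseline set and the "support" account in it are constructed for illustration.

```python
"""Audit a FortiGate configuration backup for the changes described above.
Added example: config syntax follows FortiOS backup conventions (assumed);
the sample configuration and baseline below are constructed, not real."""
import shlex

# Constructed sample: one legitimate admin, an LDAP bind account, a normal
# egress policy, plus an attacker-style "support" admin and allow-all policy.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set type regular
        set username "cn=svc-fortigate,ou=svc,dc=corp,dc=example"
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action "accept"
        set service "HTTPS"
    next
    edit 42
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action "accept"
        set service "ALL"
    next
end
"""

# Admin accounts expected on this device, taken from your own golden config.
BASELINE_ADMINS = {"admin"}


def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into {section: {obj: {attr: [values]}}}.
    Sub-tables nested inside an object are skipped; that is enough for the
    three sections audited here."""
    sections = {}
    depth = 0
    section = obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line[len("config "):]
                sections.setdefault(section, {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = obj = None
        elif depth != 1:
            continue  # inside a nested sub-table of an object: ignored
        elif line.startswith("edit "):
            obj = line[len("edit "):].strip('"')
            sections[section][obj] = {}
        elif line == "next":
            obj = None
        elif line.startswith("set ") and obj is not None:
            key, _, rest = line[len("set "):].partition(" ")
            sections[section][obj][key] = shlex.split(rest)  # multi-value aware
    return sections


def find_new_admins(sections, baseline=BASELINE_ADMINS):
    """Local administrators not present in the known-good baseline."""
    return sorted(n for n in sections.get("system admin", {}) if n not in baseline)


def find_allow_all_policies(sections):
    """Accept policies spanning any interface, all addresses and all services."""
    wide_open = {"srcintf": ["any"], "dstintf": ["any"], "srcaddr": ["all"],
                 "dstaddr": ["all"], "action": ["accept"], "service": ["ALL"]}
    return [pid for pid, attrs in sections.get("firewall policy", {}).items()
            if all(attrs.get(k) == v for k, v in wide_open.items())]


def directory_bind_accounts(sections):
    """Bind DNs stored in the config: credentials to rotate after a compromise."""
    return sorted(a["username"][0] for a in sections.get("user ldap", {}).values()
                  if a.get("username"))


def audit(text, baseline=BASELINE_ADMINS):
    """Run all three checks over one configuration backup."""
    s = parse_fortios(text)
    return {"new_admins": find_new_admins(s, baseline),
            "allow_all_policies": find_allow_all_policies(s),
            "bind_accounts_to_rotate": directory_bind_accounts(s)}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Run against a scheduled backup and diff the output against the previous run: a non-empty `new_admins` or `allow_all_policies` list is the kind of configuration change the report describes and should page someone, while `bind_accounts_to_rotate` is the list of directory credentials to treat as exposed if the appliance is ever confirmed compromised.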