
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Cybersecurity · Defense · Hardware

The Hacker News • March 10, 2026

Why It Matters

Compromising FortiGate appliances gives attackers privileged network visibility and direct access to authentication infrastructure, amplifying the risk of lateral movement and data theft across critical sectors. The incidents highlight the urgent need for timely patching and hardened configurations of NGFW devices.

Key Takeaways

  • FortiGate NGFWs exploited via CVE‑2025‑59718, CVE‑2025‑59719, CVE‑2026‑24858
  • Attackers stole service‑account credentials from configuration files
  • Targets include healthcare, government, and managed service providers
  • Exploits enabled AD authentication and rogue workstation enrollment
  • Remote‑access tools and AWS PowerShell used for data exfiltration

Pulse Analysis

FortiGate next‑generation firewalls have become a cornerstone of enterprise perimeter defense, offering deep packet inspection, application control, and integrated identity‑based policies. Their central role in routing traffic and interfacing with directory services makes them attractive targets for threat actors seeking a foothold inside protected networks. Recent disclosures of critical vulnerabilities—CVE‑2025‑59718, CVE‑2025‑59719, and CVE‑2026‑24858—expose remote code execution paths that can be leveraged without user interaction. As organizations increasingly rely on these appliances for zero‑trust segmentation, any breach can cascade into widespread credential exposure and lateral movement.

The campaign uncovered by SentinelOne demonstrates a systematic abuse of FortiGate devices to harvest service‑account secrets. Attackers first compromised the firewall via the cited CVEs or weak admin passwords, then downloaded the encrypted configuration file, decrypted it, and retrieved LDAP service‑account credentials. With clear‑text AD credentials, they authenticated to the domain, enrolled rogue workstations, and launched network scans that revealed additional assets. In parallel, the adversaries deployed remote‑access utilities such as Pulseway and MeshAgent, and used AWS PowerShell tooling to exfiltrate the NTDS.dit database and SYSTEM hive, underscoring a multi‑stage, data‑rich intrusion.

These incidents underscore the imperative for organizations to adopt a layered defense strategy around NGFWs. Immediate actions include applying the latest FortiOS patches, enforcing strong, unique admin passwords, and disabling unnecessary services that expose management interfaces. Continuous monitoring of firewall configuration changes and outbound traffic to cloud storage endpoints can flag anomalous behavior early. Moreover, segregating service‑account privileges and employing credential‑guard solutions limit the damage if a firewall is breached. As the threat landscape evolves, vendors and customers must treat firewalls as critical assets rather than peripheral controls, ensuring rigorous hardening and regular security audits.
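The monitoring advice above (watch firewall configuration changes and outbound traffic to cloud storage) is easy to prototype as log-based detection. The following is an added example written for this summary; it is not code from The Hacker News, SentinelOne, or Fortinet. The log lines are constructed, and the field names (`type`, `subtype`, `action`, `cfgpath`, `ui`, `hostname`, `sentbyte`), the trusted management range, the cloud-storage suffixes and the byte threshold are all assumptions chosen for illustration, not a verified FortiOS schema.

```python
import re

# Constructed sample lines in a FortiOS-style key=value layout.
# Field names are assumptions for this example, not a vendor-verified schema.
SAMPLE_LOGS = [
    'date=2026-03-09 time=02:14:07 type="event" subtype="system" action="Edit" '
    'cfgpath="user.ldap" cfgobj="corp-ldap" user="admin" ui="https(203.0.113.7)"',
    'date=2026-03-09 time=02:15:30 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" user="admin" ui="ssh(203.0.113.7)"',
    'date=2026-03-09 time=09:00:01 type="event" subtype="system" action="Edit" '
    'cfgpath="firewall.policy" cfgobj="12" user="netops" ui="https(10.10.5.20)"',
    'date=2026-03-09 time=02:40:12 type="traffic" subtype="forward" srcip=10.10.8.15 '
    'dstip=198.51.100.9 dstport=443 hostname="corp-backups.s3.amazonaws.com" '
    'sentbyte=734003200 rcvdbyte=20480',
    'date=2026-03-09 time=10:05:44 type="traffic" subtype="forward" srcip=10.10.8.15 '
    'dstip=192.0.2.44 dstport=443 hostname="www.example.com" sentbyte=12000 rcvdbyte=98000',
]

# Matches key=value pairs where the value is either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Policy knobs (assumed for the example): management access is expected only
# from this internal prefix; uploads above the threshold to cloud storage are
# unusual for an ordinary workstation; these config paths hold credentials or
# admin accounts and deserve a ticket on every change.
TRUSTED_MGMT_PREFIX = "10.10."
CLOUD_STORAGE_SUFFIXES = (".amazonaws.com", ".blob.core.windows.net",
                          ".storage.googleapis.com")
UPLOAD_BYTES_THRESHOLD = 100 * 1024 * 1024
SENSITIVE_CFG_PREFIXES = ("user.ldap", "user.radius", "system.admin")


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def mgmt_source_ip(ui):
    """Extract the client IP from a ui field such as 'https(203.0.113.7)'."""
    match = re.search(r"\(([\d.]+)\)", ui or "")
    return match.group(1) if match else ""


def check_config_change(ev):
    """Flag edits to credential-bearing config and edits from untrusted sources."""
    if ev.get("type") != "event" or ev.get("subtype") != "system":
        return []
    if ev.get("action") not in ("Add", "Edit", "Delete"):
        return []
    alerts = []
    path = ev.get("cfgpath", "")
    src = mgmt_source_ip(ev.get("ui"))
    if path.startswith(SENSITIVE_CFG_PREFIXES):
        alerts.append(("sensitive-config-change",
                       f"{ev.get('user')} {ev.get('action')} {path}/{ev.get('cfgobj')}"))
    if src and not src.startswith(TRUSTED_MGMT_PREFIX):
        alerts.append(("untrusted-mgmt-source",
                       f"{ev.get('user')} changed config from {src}"))
    return alerts


def check_outbound_upload(ev):
    """Flag large outbound transfers to cloud storage hostnames."""
    if ev.get("type") != "traffic":
        return []
    host = ev.get("hostname", "")
    sent = int(ev.get("sentbyte", 0))
    if host.endswith(CLOUD_STORAGE_SUFFIXES) and sent > UPLOAD_BYTES_THRESHOLD:
        return [("bulk-upload-cloud-storage",
                 f"{ev.get('srcip')} sent {sent} bytes to {host}")]
    return []


def scan(lines):
    """Run both detectors over raw log lines and return (rule, detail) alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        alerts.extend(check_config_change(ev))
        alerts.extend(check_outbound_upload(ev))
    return alerts


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOGS):
        print(f"[{rule}] {detail}")
```

Run against the constructed lines, the two off-hours edits to the LDAP and admin objects from an external address produce four alerts (each trips both rules), the routine policy edit from the trusted range produces none, and the 700 MB push to an S3 hostname trips the upload rule. In a real deployment the same two checks would be fed from the firewall's syslog stream, with the trusted range, sensitive paths and threshold tuned to the environment.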
