Recently disclosed Fortinet vulnerabilities and weak credentials have been exploited by threat actors to gain initial access, as incident response teams have identified a series of sophisticated network intrusions originating from compromised FortiGate Next-Generation Firewall (NGFW) appliances. Once administrative control is achieved, attackers extract the device's configuration file.
Because FortiOS uses reversible encryption, these files can be decrypted to extract embedded service account credentials, often for Active Directory (AD) or LDAP. This initial compromise of a perimeter device provides a direct pathway into the core of a target's network.
Following the initial FortiGate edge intrusions, attackers have demonstrated consistent post-exploitation TTPs (Tactics, Techniques, and Procedures), according to a recent SentinelOne analysis.
In one observed incident, the compromise went undetected from at least late November 2025 through February 2026. The threat actors accessed the appliance and created a new local administrator account, then added firewall policies that allowed that account to traverse all zones, a pattern consistent with an initial access broker (IAB).
The actor used stolen service account credentials to abuse the ms-DS-MachineAccountQuota attribute and join two rogue workstations to the victim's domain.
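The machine-account-quota abuse described above leaves a clear trace: each domain join writes a Windows Security event 4741 ("A computer account was created"), and the account that did the creating is recorded in the event. The following added example (not from the SentinelOne analysis or any vendor tooling) shows a defender-side check over constructed 4741 records: it flags computer accounts created by anyone other than an allowlisted provisioning identity and tallies creations per account, so a single service account joining several workstations stands out. The event field names mirror the 4741 schema; the account names, hostnames and the allowlist are assumptions for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed Windows Security event 4741 records, reduced to the fields the
# check needs (real events carry many more). Names and hosts are made up.
SAMPLE_4741_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "svc-ldap-sync", "SubjectDomainName": "CORP",
     "TargetUserName": "DESKTOP-7Q2K1$", "TimeCreated": "2025-12-02T03:41:12"},
    {"EventID": 4741, "SubjectUserName": "svc-ldap-sync", "SubjectDomainName": "CORP",
     "TargetUserName": "DESKTOP-9M4X8$", "TimeCreated": "2025-12-02T03:44:51"},
    {"EventID": 4741, "SubjectUserName": "sccm-join", "SubjectDomainName": "CORP",
     "TargetUserName": "WS-FIN-0142$", "TimeCreated": "2025-12-02T08:15:03"},
    # An unrelated event type that the check must ignore.
    {"EventID": 4720, "SubjectUserName": "helpdesk01", "SubjectDomainName": "CORP",
     "TargetUserName": "jdoe", "TimeCreated": "2025-12-02T08:20:00"},
]

# Identities that are expected to join machines (assumption: your provisioning
# service accounts). Everything else creating a computer object is suspicious.
AUTHORISED_JOIN_ACCOUNTS = {"sccm-join", "autopilot-svc"}

# Active Directory ships with ms-DS-MachineAccountQuota = 10, which lets any
# authenticated user (such as a leaked LDAP service account) join ten machines.
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10


def quota_allows_self_service_joins(quota: int) -> bool:
    """True when the domain quota still lets ordinary users create computer objects."""
    return quota > 0


def find_unauthorised_machine_joins(
    events: Iterable[Dict], authorised: Iterable[str] = AUTHORISED_JOIN_ACCOUNTS
) -> List[Tuple[str, str]]:
    """Return (creator, computer) pairs for 4741 events not raised by an allowlisted account."""
    allowed = {a.lower() for a in authorised}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4741:
            continue
        creator = ev.get("SubjectUserName", "")
        if creator.lower() not in allowed:
            hits.append((creator, ev.get("TargetUserName", "")))
    return hits


def joins_per_creator(events: Iterable[Dict]) -> Dict[str, int]:
    """Count computer objects created per account; bursts from one identity are a red flag."""
    return dict(Counter(ev["SubjectUserName"] for ev in events if ev.get("EventID") == 4741))


if __name__ == "__main__":
    print("quota permits self-service joins:",
          quota_allows_self_service_joins(DEFAULT_MACHINE_ACCOUNT_QUOTA))
    for creator, host in find_unauthorised_machine_joins(SAMPLE_4741_EVENTS):
        print(f"ALERT: {creator} created computer account {host}")
    print("joins per creator:", joins_per_creator(SAMPLE_4741_EVENTS))
```

Setting the quota to 0 and restricting join rights to a provisioning account removes the self-service path entirely; the detection above is what you run while that change is pending, or to confirm that nobody is joining machines through another route.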
In another case, investigated in late January, an attacker leveraged compromised AD administrator credentials to log in to servers, deploy the legitimate RMM tools Pulseway and MeshAgent, and exfiltrate the NTDS.dit file, which contains all AD password hashes.
The compromise of edge security appliances presents severe cybersecurity risks. To mitigate these threats, organizations should ensure FortiGate appliances are fully patched, enforce strong administrative access controls, and retain logs for at least 14 days on NGFW appliances like FortiGate.
Additionally, implementing centralized logging through a Security Information and Event Management (SIEM) system is critical. This enables detection of anomalous logins, suspicious configuration downloads, and unauthorized account creation, providing an immutable audit trail.
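The three detections named above map directly onto FortiOS system event logs once those are forwarded to a SIEM. The added example below (not code from the article, SentinelOne or Fortinet) parses constructed FortiOS-style key=value log lines and raises an alert for an admin login from outside a management allowlist, a configuration backup/download, and the creation of a new admin object. The field layout follows the general FortiOS event-log format, but the device name, addresses, user names and the specific `logdesc` strings are assumptions; check them against your own firmware's log reference before deploying the rules.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed FortiOS-style event log lines approximating the sequence in the
# article: remote admin login, new admin object, configuration backup, then a
# normal login from the management network. All values are made up.
SAMPLE_LOGS = [
    'date=2025-11-28 time=02:14:07 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=198.51.100.23 action="login" status="success"',
    'date=2025-11-28 time=02:16:40 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" srcip=198.51.100.23 action="Add" '
    'cfgpath="system.admin" cfgobj="svc-backup"',
    'date=2025-11-28 time=02:18:02 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Configuration backup" user="svc-backup" srcip=198.51.100.23 action="backup" status="success"',
    'date=2025-11-28 time=09:00:11 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=10.0.5.10 action="login" status="success"',
]

# Sources from which administrative logins are expected (assumption: the
# organisation's management jump hosts). Anything else is anomalous.
ALLOWED_ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}

# key=value pairs; values are either "quoted with spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Turn one FortiOS log line into a dict, keeping spaces inside quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the three SIEM rules; each alert is (rule, subject, source_ip)."""
    alerts = []
    for ev in events:
        src = ev.get("srcip", "")
        action = ev.get("action", "").lower()
        # Rule 1: successful admin login from a source not on the allowlist.
        if action == "login" and ev.get("status") == "success" and src not in ALLOWED_ADMIN_SOURCES:
            alerts.append(("anomalous_admin_login", ev.get("user", ""), src))
        # Rule 2: creation of a new administrator object (cfgpath system.admin).
        if ev.get("cfgpath") == "system.admin" and action == "add":
            alerts.append(("admin_account_created", ev.get("cfgobj", ""), src))
        # Rule 3: configuration backup/download, the step that precedes
        # offline decryption of embedded service account credentials.
        if action == "backup" or "backup" in ev.get("logdesc", "").lower():
            alerts.append(("config_download", ev.get("user", ""), src))
    return alerts


def run_detection(lines: Iterable[str] = SAMPLE_LOGS) -> List[Tuple[str, str, str]]:
    """Parse raw lines and run the rules over them."""
    return detect(parse_fortios_line(line) for line in lines)


if __name__ == "__main__":
    for rule, subject, src in run_detection():
        print(f"ALERT {rule}: {subject} from {src}")
```

The ordering of the alerts is itself useful context: an out-of-allowlist login, followed within minutes by a new admin object and then a backup, is the chain the article describes, so a correlation rule that requires all three from the same source within a short window will produce far fewer false positives than any single rule alone.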
In January, 15,000 FortiGate devices were compromised as hackers leaked VPN credentials and configurations. Also, a critical Fortinet authentication bypass vulnerability, tracked as CVE-2026-24858, was observed being actively exploited: because the affected code fails to validate cryptographic signatures, attackers can abuse FortiCloud Single Sign-On (SSO) trust mechanisms to access customer devices.
In late February, Amazon reported that a Russian-speaking threat actor exploited fundamental security misconfigurations to compromise over 600 FortiGate firewalls across more than 55 countries between January and February 2026. A report last week suggested CyberStrikeAI, an open-source AI testing framework, was deployed in the attacks.