Tuesday 07 July 2026 03:37:07 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cloud, SaaS & Identity Security

Firewall or Front Door? FortiGate Breaches Expose Organizations to Credential Heists

Published: 11 March 2026 01:06Category: Cloud, SaaS & Identity SecurityAuthor: LOGICFALCON

Subtitle: Cybercriminals are exploiting FortiGate firewalls to infiltrate networks, steal service account credentials, and outmaneuver traditional defenses.

When the security system becomes the source of the breach, every organization should take notice. In a wave of sophisticated attacks, hackers have turned FortiGate Next-Generation Firewall (NGFW) appliances-devices meant to guard the gates-into unwitting accomplices, leveraging vulnerabilities and weak passwords to gain deep access, steal sensitive credentials, and potentially sell access to the highest bidder.

According to cybersecurity firm SentinelOne, attackers are focusing their efforts on FortiGate appliances, which often have privileged access to authentication infrastructure such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). These connections, essential for legitimate network monitoring and policy enforcement, are now being weaponized by threat actors who exploit known vulnerabilities (such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or simply guess weak passwords left by careless administrators.

One November 2025 breach saw attackers create a new local admin account called “support” and install firewall policies that allowed unrestricted movement across network zones. The attackers maintained periodic access, consistent with the tactics of initial access brokers-cybercriminals who establish footholds in networks and sell that access to others for profit.

The attack escalated in February 2026 when configuration files containing encrypted service account credentials were stolen. The perpetrators managed to decrypt these files, extract clear-text LDAP credentials, and use them to authenticate to the victim’s AD environment. With this access, they enrolled rogue workstations, paving the way for deeper compromise and lateral movement.

In another incident, attackers quickly pivoted from firewall access to deploying remote access tools and malware, leveraging cloud services to download malicious payloads. The goal: exfiltrate critical data, including the NTDS.dit file (which contains hashed AD credentials) and the SYSTEM registry hive, to external servers. While evidence suggests attempts to crack passwords, the breach was detected before attackers could fully exploit the harvested data.

These incidents highlight a sobering truth: NGFW appliances, while powerful, are high-value targets for both espionage and financially motivated cybercrime. Their deep integration into network infrastructure means that a single breach can cascade across an organization’s digital landscape, compromising not just perimeter defenses but the very heart of identity and access management.

As organizations rush to patch vulnerabilities and reassess their firewall configurations, the lesson is clear: security devices are only as strong as their weakest link. When the guardians of the network are themselves compromised, the consequences can be catastrophic-making vigilance and proactive defense more critical than ever.

WIKICROOK

  • FortiGate: FortiGate is Fortinet’s security appliance line, providing firewall, VPN, and unified threat management for robust enterprise network protection.
  • Active Directory (AD): Active Directory (AD) is a Microsoft service that centralizes user access, authentication, and security policy management across computer networks.
  • LDAP: LDAP is a protocol that manages user information and permissions, enabling secure login and access control in many corporate systems.
  • Initial Access Broker (IAB): An Initial Access Broker is a cybercriminal who breaks into systems and sells that access to others, enabling further cyberattacks.
  • NTDS.dit: NTDS.dit is the main database file in Active Directory, storing user accounts, group info, and password hashes for a Windows domain.