Firewall Fortress Falls: Inside the Sophisticated Exploitation of FortiGate Devices
Subtitle: A new wave of cyberattacks reveals how hackers are turning trusted firewalls into launchpads for deep network breaches.
When the very walls meant to guard your digital castle become the entry point for attackers, the consequences are nothing short of catastrophic. Recent investigations have uncovered a disturbing pattern: FortiGate firewalls-deployed worldwide to defend corporate networks-are being hijacked by cybercriminals to breach, surveil, and plunder organizations from the inside out.
Anatomy of a Breach: How Attackers Slip Past the Perimeter
The most recent wave of attacks, detailed by SentinelOne researchers, centers on vulnerabilities in Fortinet’s Single Sign-On (SSO) features-specifically CVE-2025-59718, CVE-2025-59719, and the newly patched CVE-2026-24858. By exploiting these flaws, hackers bypass authentication and seize administrative privileges on targeted firewalls.
Once inside, attackers issue a command to download the firewall’s configuration file. FortiOS, the underlying operating system, stores these files with reversible encryption-meaning the credentials hidden within are easily decrypted. The prize? Service account passwords that unlock the victim’s Active Directory, the nerve center of enterprise identity and access.
SentinelOne’s incident responders have tracked two major attack approaches:
- The “support” account campaign (Late 2025–Feb 2026): Attackers create a bogus local admin account, steal LDAP credentials, and join rogue workstations to the network. These machines are then used for password spraying and reconnaissance, often with tools like SoftPerfect Network Scanner.
- The “ssl-admin” campaign (Jan 2026): Hackers create a new admin account on the firewall, hijack a Domain Administrator, and deploy legitimate remote management software (Pulseway, MeshAgent). Disguised as Java updates, these tools exfiltrate the NTDS.dit file-the crown jewel of Active Directory secrets-using cloud storage to evade security controls.
Poor Logging: The Weak Link in Defense
A recurring theme across incidents is inadequate log retention. Many organizations fail to collect or preserve firewall logs long enough to trace how attackers gained entry, giving adversaries ample time to erase their tracks.
Security experts urge immediate patching of FortiGate devices and recommend forwarding all logs to a centralized SIEM for real-time analysis. Maintaining at least 14 days of logs (ideally 60–90) is critical. Monitoring for suspicious admin account creation and unexpected configuration downloads can provide early warnings, while reviewing Active Directory for rogue computer objects may reveal deeper compromise.
As attackers become more adept at abusing trusted infrastructure, the lesson is clear: security must extend beyond the perimeter, and vigilance starts with the devices meant to keep us safe.
WIKICROOK
- Single Sign: Single Sign-On (SSO) lets users access multiple services with one login, simplifying access but increasing risk if credentials are compromised.
- Active Directory: Active Directory is Microsoft’s system for managing users, devices, and permissions across enterprise networks, centralizing access and security controls.
- Password Spraying: Password spraying is a cyberattack where a few common passwords are tried across many accounts to avoid detection and bypass account lockout mechanisms.
- SIEM (Security Information and Event Management): SIEM is software that collects and analyzes security data from across an organization to detect threats and help manage cybersecurity incidents.
- NTDS.dit: NTDS.dit is the main database file in Active Directory, storing user accounts, group info, and password hashes for a Windows domain.
The FortiGate firewall saga is a stark reminder that even our best defenses can be turned against us. As attackers innovate, so too must defenders-starting with the basics of patching, logging, and relentless monitoring. In the escalating war for control of the network, complacency is the true vulnerability.




