How Hackers Are Turning FortiGate Firewalls Into Network Backdoors

Firewalls are supposed to be the ultimate gatekeepers. You set them up, configure your rules, and trust them to keep the bad actors out of your internal network. But what happens when the gatekeeper is actually the one handing over the keys?

According to a newly released March 2026 report from cybersecurity researchers at SentinelOne, threat actors are aggressively targeting FortiGate Next-Generation Firewall (NGFW) appliances. Instead of just bypassing the perimeter, hackers are actively exploiting these devices to breach victim networks and steal highly sensitive service account credentials.

Once they have those credentials, the firewall is no longer a barrier; it is a backdoor. The attackers are effectively walking past your endpoint detection, which never sees what runs on the appliance, and stepping straight into your Active Directory.

The Initial Breach: How They Get In

Fortinet has been battling a relentless wave of zero-day vulnerabilities over the last year, and attackers are weaponizing them at an alarming rate.

This latest campaign relies heavily on recently disclosed authentication bypass and access control vulnerabilities, specifically CVE-2025-59718, CVE-2025-59719, and the newer CVE-2026-24858. Where appliances are fully patched, the threat actors simply pivot to brute-forcing weak credentials on exposed administrative interfaces.

The initial compromise is swift. In one documented incident, hackers breached a FortiGate appliance and immediately created a new local administrator account named "support." They then configured new firewall policies that allowed this rogue account to traverse all network zones without a single restriction. This type of behavior is classic for Initial Access Brokers (IABs), cybercriminals who break in, establish a quiet foothold, and then sell that access to ransomware gangs or state-sponsored espionage groups for a massive profit.

The Ultimate Prize: The Configuration File

Why are FortiGate devices such high-value targets? Because to do their job, they need deep integration with your network's core identity infrastructure.

Many organizations configure their FortiGate appliances to connect directly to Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) for user authentication, role-based access control and security alert correlation. To make that bind work, the firewall stores the service account's credentials locally in its configuration file. It cannot store a one-way hash, because it has to present the actual password to the directory on every bind, so the secret is kept in a reversible form.

The attackers know this. Once they compromise the firewall, their primary objective is to quietly export that configuration file. SentinelOne researchers found that attackers were decrypting these files offline and recovering the LDAP service account credentials in clear text.

This is a nightmare scenario for any IT team. Service accounts are rarely monitored as strictly as human user accounts, and their passwords are changed far less frequently. By stealing a service account, the attacker essentially gains a VIP pass to your internal directory.

Deep Network Penetration: Moving Laterally

Once the threat actors extract the credentials from the FortiGate appliance, the attack rapidly escalates from a perimeter breach to a full-scale internal takeover.

Using the stolen service account, the attackers authenticate directly to the victim's Active Directory. From there, they have been observed enrolling rogue workstations into the AD environment, which lets them blend in with legitimate, domain-joined hosts. This needs no special privilege: by default, any authenticated domain account can create up to ten computer objects, a limit set by the ms-DS-MachineAccountQuota attribute, so a service account that only ever needed read access to the directory is still enough.

In several recent incidents, the hackers did not stop there. They swiftly deployed legitimate remote access management tools like Pulseway and MeshAgent to maintain persistent control. In the final, most devastating stage of the attack, they used a PowerShell script to pull down a custom Java-based malware payload from an Amazon Web Services (AWS) cloud bucket.

This malware, executed via DLL side-loading, was designed to do one thing: exfiltrate the NTDS.dit file and the SYSTEM registry hive. NTDS.dit is the Active Directory database, including every account's password hashes, and the SYSTEM hive holds the boot key needed to decrypt those hashes; together they are the crown jewels of a Windows network. An attacker who obtains both effectively owns the entire domain and can crack or directly reuse the hashes of any account, domain administrators included.
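The rogue-workstation step above leaves a specific trace: a domain controller logs event ID 4741 ("A computer account was created") for every join, including the account that performed it. The script below is an added example, not SentinelOne's code, that runs that detection over exported 4741 events: it flags joins made by service accounts (such as the firewall's LDAP bind account, which should only ever read the directory), flags joins by any principal outside an allow-list of provisioning accounts, and counts joins per subject. The JSON-lines export is constructed for the example; the account, host and domain names in it are assumptions.

```python
# Detect a stolen directory service account being used to join rogue machines to the domain.
# Domain controllers log event ID 4741 for each computer object created; this flags joins by
# service accounts or by principals outside a provisioning allow-list and tallies joins per
# subject (by default ms-DS-MachineAccountQuota lets any authenticated user create ten).
# Added example, not SentinelOne's code. SAMPLE_EVENTS is a constructed JSON-lines export;
# the account, host and domain names are assumptions.
import json
from collections import defaultdict

SAMPLE_EVENTS = """\
{"EventID":4741,"TimeCreated":"2026-03-02T01:14:07Z","SubjectUserName":"svc-fortigate","TargetUserName":"DESKTOP-8Q2K1$"}
{"EventID":4741,"TimeCreated":"2026-03-02T01:15:22Z","SubjectUserName":"svc-fortigate","TargetUserName":"DESKTOP-V7P0C$"}
{"EventID":4741,"TimeCreated":"2026-03-02T09:30:11Z","SubjectUserName":"sccm-join","TargetUserName":"WS-FIN-0421$"}
{"EventID":4741,"TimeCreated":"2026-03-02T11:02:45Z","SubjectUserName":"jdoe","TargetUserName":"LAPTOP-JD$"}
{"EventID":4724,"TimeCreated":"2026-03-02T11:05:00Z","SubjectUserName":"helpdesk1","TargetUserName":"jsmith"}
"""

PROVISIONING_ALLOWLIST = {"sccm-join", "intune-join"}  # accounts meant to create computer objects
SERVICE_ACCOUNTS = {"svc-fortigate"}  # read-only integrations such as the firewall's LDAP bind

def flag_rogue_joins(jsonl, allowlist=PROVISIONING_ALLOWLIST, service_accounts=SERVICE_ACCOUNTS):
    """Return (findings, joins_per_subject); each finding is (severity, subject, computer, reason)."""
    findings, per_subject = [], defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4741:  # only computer-account creations matter here
            continue
        subject, target = ev["SubjectUserName"], ev["TargetUserName"]
        per_subject[subject].append(target)
        if subject in service_accounts:
            findings.append(("high", subject, target,
                             "service account joined a machine; it should only read the directory"))
        elif subject not in allowlist:
            findings.append(("medium", subject, target,
                             "join by a principal outside the provisioning allow-list"))
    return findings, dict(per_subject)

if __name__ == "__main__":
    findings, per_subject = flag_rogue_joins(SAMPLE_EVENTS)
    for sev, who, what, why in findings:
        print(f"[{sev}] {who} created {what}: {why}")
    for who, hosts in per_subject.items():
        print(f"{who}: {len(hosts)} computer object(s) created")
```

Run against a real export, the allow-list is the part to get right: it should contain only the imaging or MDM join accounts your provisioning process actually uses, so that every other join, human or service, is reviewed.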

The Impact Zone

This is not a theoretical threat or an isolated incident. SentinelOne noted that this specific campaign is aggressively singling out high-value environments, particularly in the healthcare sector, government agencies, and Managed Service Providers (MSPs).

MSPs are particularly lucrative targets because compromising a single provider can grant threat actors downstream access to dozens, or even hundreds, of client networks across North America, Europe, and Oceania. The global reach of these attacks shows that relying purely on perimeter defense is no longer a viable security strategy.

How to Defend Your Network Right Now

If your organization relies on FortiGate appliances, you need to assume that your perimeter is actively being probed. Here is exactly what you need to do to lock down your environment immediately:

  • Patch Immediately: Ensure your FortiOS firmware is updated to protect against CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.

  • Restrict Management Interfaces: Never leave your firewall's administrative login portal exposed to the public internet. Restrict access with local-in policies, and set trusted hosts on every administrator account, so that only trusted internal IP addresses or secure VPN connections can reach the management interface. An administrator account with no trusted hosts can be logged into from any source address that reaches the management port.

  • Rotate Service Account Credentials: If your appliance was vulnerable at any point, assume the configuration file was stolen and treat every secret in it as already decrypted, since FortiOS has to keep these passwords in reversible form. Rotate the passwords for any Active Directory or LDAP service accounts tied to the firewall, as well as the local administrator accounts, and scope the directory account to the read-only access the firewall actually needs.

  • Audit Active Directory: Check your AD environment for newly created, unrecognized computer objects (domain controllers log event ID 4741 for each one, including the account that created it) and for unexpected activity by service accounts. Consider setting ms-DS-MachineAccountQuota to 0 so that ordinary accounts cannot join machines at all.

  • Implement MFA: Enforce Multi-Factor Authentication on all administrative accounts, including local firewall admins.
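The script below is an added example (not Fortinet's or SentinelOne's code) that turns the indicators from the incident described earlier, the rogue "support" administrator with its any-to-any policies, and the stored LDAP bind credentials, into an audit you can run against a FortiOS CLI configuration backup. It parses the backup's config/edit/set/next/end nesting, flags administrator accounts that have no trusted hosts, flags accept policies that are any-to-any on all services, and lists the LDAP bind accounts whose passwords would need rotating if the file had been copied. The embedded configuration is a constructed sample; every hostname, account name and address in it is an assumption.

```python
# Audit a FortiOS CLI configuration backup for the indicators this article describes:
# a rogue local administrator with no trusted-host restriction, an accept policy that is
# any-to-any on every service, and LDAP bind accounts whose passwords sit in the config.
# Added example, not Fortinet's or SentinelOne's code. SAMPLE_CONFIG is a constructed
# backup excerpt; every hostname, account name and address in it is an assumption.
import re

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set password ENC AAAA
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC BBBB
    next
end
config user ldap
    edit "corp-ad"
        set server "10.10.5.10"
        set username "cn=svc-fortigate,ou=service,dc=corp,dc=example"
        set password ENC CCCC
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
    next
    edit 2
        set name "support-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end nesting into {section: {entry: {key: [values]}}}.
    Settings outside any `edit` are stored under the entry name "_global"."""
    sections, stack = {}, []  # stack entries: (section name, current edit entry or None)
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            name = " ".join(args)
            if stack:  # table nested inside an edit: keep it distinct from the parent
                name = f"{stack[-1][0]}.{stack[-1][1]}.{name}"
            sections.setdefault(name, {})
            stack.append((name, None))
        elif kw == "edit":
            sections[stack[-1][0]].setdefault(args[0], {})
            stack[-1] = (stack[-1][0], args[0])
        elif kw == "set":
            sec, entry = stack[-1]
            sections[sec].setdefault(entry or "_global", {})[args[0]] = args[1:]
        elif kw == "next":
            stack[-1] = (stack[-1][0], None)
        elif kw == "end":
            stack.pop()
    return sections

def audit_admins(cfg):
    """Admin accounts with no trusthost/ip6-trusthost entries accept logins from any IP."""
    return [f"admin '{n}' ({a.get('accprofile', ['?'])[0]}) has no trusted hosts"
            for n, a in cfg.get("system admin", {}).items()
            if n != "_global" and not any("trusthost" in k for k in a)]

def audit_policies(cfg):
    """Accept policies that are any->any, all->all on service ALL: a zone-crossing free pass."""
    return [f"policy {pid} '{a.get('name', [''])[0]}' accepts any/any all/all ALL"
            for pid, a in cfg.get("firewall policy", {}).items()
            if a.get("action", ["deny"])[0] == "accept"
            and "any" in a.get("srcintf", []) and "any" in a.get("dstintf", [])
            and "all" in a.get("srcaddr", []) and "all" in a.get("dstaddr", [])
            and "ALL" in a.get("service", [])]

def ldap_bind_accounts(cfg):
    """(profile, server, bind DN) for each LDAP profile with a stored password: the
    directory credentials to rotate if the configuration may have been copied."""
    return [(n, a.get("server", [""])[0], a.get("username", [""])[0])
            for n, a in cfg.get("user ldap", {}).items() if "password" in a]

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in audit_admins(cfg) + audit_policies(cfg):
        print("FINDING:", finding)
    for profile, server, bind_dn in ldap_bind_accounts(cfg):
        print(f"ROTATE: LDAP profile '{profile}' binds to {server} as {bind_dn}")
```

Feed it the output of a real backup and diff the findings against the last known-good backup: an administrator or an any-to-any policy that appears between two backups is exactly the change the incident above describes, and the LDAP list tells you which directory accounts to rotate first.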

Firewalls are critical, but they are only one layer of the puzzle. When the gatekeeper is compromised, your internal monitoring is the only thing standing between you and a total network collapse.
