The SentinelOne Digital Forensics & Incident Response (DFIR) team issued a warning: the very appliances designed to protect organizations are being turned against them. Recent investigations revealed a disturbing trend where FortiGate Next-Generation Firewall (NGFW) appliances were compromised to establish a persistent foothold within corporate environments.
While these firewalls provide deep visibility by integrating with infrastructure such as Active Directory (AD), that same level of access makes them high-value targets for both state-aligned espionage groups and ransomware actors.
The breaches frequently stem from high-severity vulnerabilities in Fortinet’s authentication and Single Sign On (SSO) mechanisms.
- CVE-2025-59718 & CVE-2025-59719: These flaws allow attackers to bypass cryptographic signature validation on SSO tokens. In practice, an attacker can present a crafted SSO token and obtain administrative access without ever authenticating.
- CVE-2026-24858: A patch released in late January addressed a vulnerability that let attackers log into FortiGate devices simply by using their own FortiCloud accounts.
- Weak Credentials: Beyond vulnerability exploitation, many actors simply scan for exposed management interfaces and log in with common weak credentials.
Once inside, the first order of business is often to export the device configuration with the show full-configuration CLI command. Credentials embedded in that file (LDAP and FSSO bind accounts, VPN secrets and similar) are stored with reversible encryption, so an attacker who holds the export can recover them in cleartext. FortiOS can encrypt those fields with an administrator-supplied key instead of the default one (private-data-encryption under config system global), which at least stops an exported configuration from being decrypted without that key.
In one case, a compromise went undetected for months, a patient cadence suggestive of an initial access broker (IAB). After creating a local admin account named support, the actor eventually decrypted the password of the fortidcagent service account from the configuration and used it to move into AD.
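The two firewall-side steps just described, a new local admin account and a full configuration dump, are both visible in FortiGate event logs if those logs are kept. The following is an added example of a hunt over such logs; it is not SentinelOne's or Fortinet's code. The log lines are constructed in the FortiOS key=value style: field names such as cfgpath, cfgobj, action, ui and msg follow common FortiOS configuration-change and login events, but exact fields and log IDs vary by firmware version and are assumptions here, as is the "Command executed" form of CLI audit entries and the management address range.

```python
"""Hunt FortiGate event logs for a local admin being created/modified and for a
full configuration export. Added example; log lines and field names are
CONSTRUCTED approximations of FortiOS output, not taken from the report."""
import ipaddress
import re

# Constructed sample: an intruder on 203.0.113.45 creates admin 'support',
# grants it super_admin, then dumps the config; later a legitimate admin edits
# a policy from the management network.
SAMPLE_LOGS = """\
date=2025-11-03 time=02:14:07 logid="0100044547" type="event" subtype="system" user="admin" ui="ssh(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
date=2025-11-03 time=02:14:09 logid="0100044547" type="event" subtype="system" user="admin" ui="ssh(203.0.113.45)" action="Edit" cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]" msg="Edit system.admin support"
date=2025-11-03 time=02:16:22 logid="0100044546" type="event" subtype="system" user="support" ui="ssh(203.0.113.45)" action="execute" msg="Command executed: show full-configuration"
date=2025-11-03 time=09:30:01 logid="0100032001" type="event" subtype="system" user="netops" ui="https(10.20.0.15)" action="login" status="success" msg="Administrator netops logged in successfully"
date=2025-11-03 time=09:31:40 logid="0100044547" type="event" subtype="system" user="netops" ui="https(10.20.0.15)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
"""

# Sources allowed to administer the firewall (assumed management network).
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/16")]

# Commands that export the whole configuration, including the reversibly
# encrypted credential fields.
DUMP_COMMANDS = ("show full-configuration", "execute backup config")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_line(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict; quoted values stay whole."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def source_ip(event: dict):
    """Pull the client address out of ui="ssh(1.2.3.4)" / ui="https(1.2.3.4)"."""
    m = UI_IP_RE.search(event.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def hunt(log_text: str) -> list[dict]:
    """Return one finding (rule, user, detail) per suspicious event."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        user, msg = ev.get("user", "?"), ev.get("msg", "")

        # 1. Any create/modify of an admin object: backdoor accounts and
        #    privilege changes (accprofile) both land here.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") in ("Add", "Edit"):
            findings.append({"rule": "admin_account_change", "user": user, "detail": msg})

        # 2. Full-config export. Only visible when CLI command auditing is on.
        if "Command executed" in msg and any(c in msg.lower() for c in DUMP_COMMANDS):
            findings.append({"rule": "config_dump", "user": user, "detail": msg})

        # 3. Administrative activity from outside the management ranges.
        ip = source_ip(ev)
        if ip is not None and not any(ip in net for net in TRUSTED_MGMT):
            findings.append({"rule": "untrusted_source", "user": user, "detail": str(ip)})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings per rule, handy for a quick triage view."""
    counts: dict = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['rule']:<22} user={f['user']:<8} {f['detail']}")
```

Rule 2 only fires if the appliance records CLI commands at all (cli-audit-log under config system global), and all three rules depend on the logs leaving the device, so ship them to a syslog collector or FortiAnalyzer. Restricting each admin account with trusthost entries turns rule 3 from a detection into a prevention.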
In a clever display of living-off-the-land, the attacker:
- Abused the ms-DS-MachineAccountQuota attribute, which by default lets any authenticated domain user join up to 10 computers to the domain.
- Joined two rogue workstations (WIN-X8WRBOSKOOF and WIN-YRSXLEONJY2) to the domain, giving the actor domain-joined hosts under their own control and outside the organization's endpoint security controls.
- Conducted large-scale password spraying and network scanning, which eventually triggered the security alerts that led to their discovery.
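Both AD moves in that list leave standard Security-log traces: a computer account created by an ordinary user (event 4741) and a burst of failed logons against many different accounts from one source (event 4625). The hunt below is an added example, not SentinelOne's code; the events are constructed and reduced to the fields a SIEM would carry, and the provisioning allow-list, thresholds and hostnames other than the two named in the report are assumptions.

```python
"""Hunt Windows Security events for rogue machine-account joins via
ms-DS-MachineAccountQuota and for password spraying. Added example; the
events are CONSTRUCTED and the allow-list/thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Accounts that are supposed to create computer objects (assumed).
PROVISIONING_ACCOUNTS = {"CORP\\svc-sccm", "CORP\\svc-intune"}

EVENTS = [
    # 4741: computer account created. jdoe is an ordinary user; the two
    # hostnames are the rogue machines named in the report.
    {"id": 4741, "ts": ts("2025-11-04T03:12:10"), "subject": "CORP\\jdoe", "computer": "WIN-X8WRBOSKOOF$"},
    {"id": 4741, "ts": ts("2025-11-04T03:15:42"), "subject": "CORP\\jdoe", "computer": "WIN-YRSXLEONJY2$"},
    {"id": 4741, "ts": ts("2025-11-04T08:02:00"), "subject": "CORP\\svc-sccm", "computer": "LAPTOP-0412$"},
    # 4625 noise: one user mistyping a password three times from the LAN.
    {"id": 4625, "ts": ts("2025-11-04T07:55:00"), "src_ip": "10.20.0.15", "target": "a.morgan", "status": "0xC000006A"},
    {"id": 4625, "ts": ts("2025-11-04T07:55:09"), "src_ip": "10.20.0.15", "target": "a.morgan", "status": "0xC000006A"},
    {"id": 4625, "ts": ts("2025-11-04T07:55:20"), "src_ip": "10.20.0.15", "target": "a.morgan", "status": "0xC000006A"},
]
# Spray burst: 25 different users, one bad password each, from one source
# inside three minutes (constructed).
EVENTS += [
    {"id": 4625, "ts": ts("2025-11-04T04:00:00") + timedelta(seconds=7 * i),
     "src_ip": "10.50.7.33", "target": f"user{i:03d}", "status": "0xC000006A"}
    for i in range(25)
]

SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_TARGETS = 20


def rogue_joins(events: list[dict]) -> list[tuple]:
    """4741 events whose creator is not a sanctioned provisioning account:
    with a non-zero quota, any such user can do this unaided."""
    return [(e["subject"], e["computer"]) for e in events
            if e["id"] == 4741 and e["subject"] not in PROVISIONING_ACCOUNTS]


def sprays(events: list[dict]) -> dict:
    """Sources whose failed logons hit >= SPRAY_MIN_TARGETS distinct users
    inside SPRAY_WINDOW. Many targets with few attempts each is the spray
    signature; a brute force against one account looks different."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append(e)
    hits: dict = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):   # slide the window over each start
            targets = {e["target"] for e in evs[i:] if e["ts"] - first["ts"] <= SPRAY_WINDOW}
            if len(targets) >= SPRAY_MIN_TARGETS:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


if __name__ == "__main__":
    for subject, computer in rogue_joins(EVENTS):
        print(f"rogue join: {computer} created by {subject}")
    for src, n in sprays(EVENTS).items():
        print(f"password spray from {src}: {n} distinct accounts")
```

The preventive fix is to set ms-DS-MachineAccountQuota on the domain object to 0 and delegate computer-creation rights explicitly to the provisioning accounts. Computers joined through the quota rather than through delegated rights are stamped with the joiner's SID in ms-DS-CreatorSID, so listing computer objects where that attribute is populated finds earlier rogue joins that predate your logging.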
Another investigation in late January showed a far more aggressive timeline: within 10 minutes of creating a local account on the FortiGate device, the attacker was already logging into servers with a harvested Domain Administrator account.
The actor’s toolkit was extensive:
- RMM Abuse: Legitimate remote monitoring and management tools, Pulseway and MeshAgent, were downloaded from attacker-controlled cloud storage to establish a durable foothold.
- DLL Side-Loading: Malicious DLLs were given the names of libraries that legitimate Java executables expect to load alongside them, so the trusted binary loaded the malware itself.
- NTDS Extraction: The attacker created a Volume Shadow Copy with WMIC, copied the NTDS.dit database and the SYSTEM registry hive (which holds the boot key needed to decrypt it) out of the snapshot, and compressed them with makecab. Together those two files yield every credential in the domain.
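The NTDS extraction step is a three-stage chain (create a shadow copy, read ntds.dit and SYSTEM out of the snapshot path, compress the result), and each stage alone is common admin or servicing activity, so the useful detection correlates them per host. The example below is an added one, not SentinelOne's code; the process records are constructed in the shape of Security 4688 / Sysmon event 1 fields, and the hostnames, staging paths and 30-minute window are assumptions.

```python
"""Correlate process-creation telemetry into the shadow-copy -> NTDS.dit ->
makecab theft chain. Added example; records are CONSTRUCTED in 4688/Sysmon-1
shape, and the window and hostnames are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


PROCS = [
    {"ts": ts("2026-01-28T14:03:11"), "host": "DC01", "user": "CORP\\da-backup", "image": "wmic.exe",
     "cmdline": "wmic shadowcopy call create Volume=C:\\"},
    {"ts": ts("2026-01-28T14:03:40"), "host": "DC01", "user": "CORP\\da-backup", "image": "cmd.exe",
     "cmdline": "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dit"},
    {"ts": ts("2026-01-28T14:03:55"), "host": "DC01", "user": "CORP\\da-backup", "image": "cmd.exe",
     "cmdline": "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\System32\\config\\SYSTEM C:\\Windows\\Temp\\s.hiv"},
    {"ts": ts("2026-01-28T14:05:02"), "host": "DC01", "user": "CORP\\da-backup", "image": "makecab.exe",
     "cmdline": "makecab C:\\Windows\\Temp\\n.dit C:\\Windows\\Temp\\n.cab"},
    # Benign noise on another host: servicing stack compressing CBS logs and a
    # backup agent listing shadows. Neither should produce a stage hit.
    {"ts": ts("2026-01-28T14:10:00"), "host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "image": "makecab.exe",
     "cmdline": "makecab.exe /f C:\\Windows\\TEMP\\cab_1234\\CbsPersist.ddf"},
    {"ts": ts("2026-01-28T14:11:00"), "host": "FS02", "user": "CORP\\svc-backup", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# One regex per chain stage, matched against the command line.
STAGES = {
    "shadow_create": re.compile(r"shadowcopy\s+call\s+create|vssadmin(\.exe)?\s+create\s+shadow|diskshadow", re.I),
    "snapshot_read": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*(ntds\.dit|\\config\\SYSTEM)", re.I),
    "staging":       re.compile(r"makecab(\.exe)?\s+.*\.(dit|hiv|sav)\b", re.I),
}
WINDOW = timedelta(minutes=30)


def classify(proc: dict) -> list[str]:
    """Names of the chain stages this process matches (usually zero or one)."""
    return [name for name, rx in STAGES.items() if rx.search(proc["cmdline"])]


def correlate(procs: list[dict], window: timedelta = WINDOW) -> dict:
    """Per host, gather stage hits within `window` of the first hit and alert
    when at least two distinct stages appear. Anchoring on the first hit keeps
    the logic short; a production rule would slide the window like a spray
    detector does."""
    by_host = defaultdict(list)
    for p in sorted(procs, key=lambda p: p["ts"]):
        for stage in classify(p):
            by_host[p["host"]].append((p["ts"], stage, p["user"], p["cmdline"]))
    alerts = {}
    for host, hits in by_host.items():
        start = hits[0][0]
        in_window = [h for h in hits if h[0] - start <= window]
        stages = {h[1] for h in in_window}
        if len(stages) >= 2:
            alerts[host] = {
                "stages": sorted(stages),
                "users": sorted({h[2] for h in in_window}),
                "first": in_window[0][0],
                "last": in_window[-1][0],
            }
    return alerts


if __name__ == "__main__":
    for host, a in correlate(PROCS).items():
        print(f"{host}: {a['stages']} by {a['users']} between {a['first']} and {a['last']}")
```

A lone shadow_create or staging hit is worth a look on a domain controller but is routine elsewhere; the snapshot_read stage (a GLOBALROOT shadow path naming ntds.dit or the SYSTEM hive) is rarely legitimate on its own and can be alerted on directly.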
A recurring obstacle for defenders is the lack of forensic evidence. As SentinelOne noted: “We observed a consistent theme: targeted organizations fail to retain sufficient logs on these appliances, which prevents understanding exactly how and when attackers gained access.” Logs kept only on the appliance roll over quickly; forwarding them to a syslog collector or FortiAnalyzer, and enabling CLI command auditing (cli-audit-log under config system global), preserves the record of what an intruder actually ran.
Furthermore, the rise of Large Language Models (LLMs) is lowering the barrier to entry. These models can readily supply information that facilitates “understanding how to navigate from network appliances deeper into the targeted environment without the knowledge uplift previously required”.