Published: 2026-03-11
Categories: Network Security, Threat Intelligence, Healthcare Cybersecurity, Identity and Access Management
Active FortiGate NGFW Campaign: Service Account Credential Extraction
Key Takeaways
This research note addresses a forensically documented intrusion campaign in which threat actors exploited authentication bypass vulnerabilities in FortiGate next-generation firewalls (NGFWs) to extract LDAP service account credentials stored in device configuration files, then leveraged those credentials to compromise victim Active Directory environments. SentinelOne’s Digital Forensics and Incident Response (DFIR) team published primary technical analysis in March 2026 documenting multiple intrusions targeting healthcare organizations, government agencies, and managed service providers (MSPs) spanning from November 2025 through at least March 2026 [1].
The distinguishing technical element of this campaign is exploitation of CVE-2026-25815, a design characteristic of FortiOS in which LDAP credentials stored within configuration files are encrypted using a static key that is identical across all FortiOS installations worldwide [2]. An attacker who obtains any FortiGate configuration file — possible once administrative access is achieved via any of several authentication bypass vulnerabilities — can decrypt those credentials offline without requiring any per-device secret. In the documented incidents, decrypted service account credentials provided direct authenticated access to victim Active Directory environments, in one case enabling domain controller compromise and full NTDS.dit exfiltration within ten minutes of initial FortiGate access.
Organizations operating FortiGate devices that integrate with Active Directory or LDAP should treat this as an immediate credential rotation event, independent of patching status.
Background
FortiGate NGFWs from Fortinet are widely deployed across enterprise, healthcare, government, and MSP environments as perimeter security appliances. Their deep integration with directory services — particularly LDAP and Active Directory — is central to how these devices enforce identity-based access policies and VPN authentication. Firewall policy rules reference AD group memberships, SSL-VPN portals authenticate against domain credentials, and FortiGate’s FortiDC Agent service account performs ongoing LDAP queries to keep policy enforcement synchronized with directory state. This integration means that a FortiGate configuration file is not merely a network configuration artifact: it is a credential store with direct pathways into the organization’s identity infrastructure.
Fortinet products accumulated twelve CISA KEV entries from the 2024–2026 period alone, spanning multiple critical authentication bypass vulnerabilities exploited as zero days before public disclosure [3][4][5][6]. The CISA Known Exploited Vulnerabilities (KEV) catalog reflects remediation deadlines ranging from one week to thirty days across these entries [3], timelines CISA calibrates based on assessed exploitation severity and agency remediation capacity. This note builds on a prior CSA analysis of the AI-assisted mass FortiGate exploitation campaign from early 2026 [7]; the current campaign is distinct in its emphasis on credential extraction and Active Directory pivoting rather than broad device enumeration.
Security Analysis
The incident details in the following sections derive principally from SentinelOne’s published DFIR analysis [1] and have not been independently corroborated. That context should be held in mind when assessing the specificity of command sequences, timing, and attacker infrastructure described below.
The Authentication Bypass Foundation
The documented campaign relied on a cascade of authentication bypass vulnerabilities to achieve initial administrative access to FortiGate management interfaces. Three vulnerabilities are central to the 2025–2026 wave. CVE-2024-55591, carrying a CVSS score of 9.8, allows a remote unauthenticated attacker to obtain super-administrator privileges on FortiOS and FortiProxy through crafted requests to the Node.js websocket module exposed by the management interface [4]. This vulnerability was exploited as a zero day before its January 2025 disclosure; in the aftermath, a threat actor identifying as ‘Belsen Group’ published stolen FortiGate configurations from affected organizations on the dark web — a mass disclosure that security researchers estimated affected approximately 15,000 devices.
CVE-2025-59718, also rated CVSS 9.8, introduced an authentication bypass via improper cryptographic signature verification in the FortiCloud SSO SAML implementation, enabling unauthenticated administrative access without valid credentials [5]. A companion vulnerability, CVE-2025-59719, addressed a related authentication weakness in the same FortiCloud SSO implementation and was patched in the same FortiOS releases [9]. Malicious SSO logins exploiting these vulnerabilities were observed beginning December 12, 2025, and CISA added CVE-2025-59718 to the KEV catalog on December 16, 2025, with a one-week remediation deadline [3][16][17]. CVE-2026-24858 extended the FortiCloud SSO compromise surface further: an attacker holding a FortiCloud account with a single registered device could authenticate to other users’ devices registered under separate accounts, a cross-device bypass that persisted even on systems fully patched against the two prior SAML vulnerabilities [6]. Fortinet’s emergency response involved temporarily disabling FortiCloud SSO globally on January 26, 2026 [6].
| CVE | CVSS | Attack Vector | Exploit Timeline | CISA KEV Added |
|---|---|---|---|---|
| CVE-2024-55591 | 9.8 | Management UI (Node.js websocket) | Zero-day, Nov 2024 | 2025-01-14 |
| CVE-2025-24472 | 8.1 | Management UI (CSF proxy) | Exploited alongside CVE-2024-55591 | 2025-03-18 |
| CVE-2025-59718 | 9.8 | FortiCloud SSO (SAML) | Exploitation observed Dec 12, 2025 | 2025-12-16 |
| CVE-2026-24858 | N/A | FortiCloud SSO (cross-device auth) | Zero-day before disclosure | 2026-01-27 |
| CVE-2024-21762 | 9.8 | SSL-VPN interface (HTTP) | Early 2024 | 2024-02-08 |
| CVE-2026-25815 | 3.2 (disputed) | Post-auth config file (offline) | Active from Dec 2025 | Not listed |
Sources: CISA KEV Catalog [3], NVD [4][5][8][18], Fortinet PSIRT [9]
Credential Extraction via Static Encryption Key
Once administrative access was established through any of the above authentication bypasses, the attack sequence proceeded through a consistent pattern documented in the SentinelOne DFIR investigation [1]. Authenticated attackers executed the show full-configuration command via the FortiGate CLI or downloaded the configuration file through the management GUI. This file contains the complete device configuration: firewall policies, VPN configurations, user account definitions, and critically, LDAP authentication server configurations including stored service account credentials.
CVE-2026-25815 identifies the root cause: those stored credentials are recoverable by anyone who obtains a FortiGate configuration file, regardless of which device it came from [2]. FortiOS encrypts LDAP credentials in configuration files using a static encryption key that is identical across every FortiOS installation worldwide. Fortinet disputes the CVE classification, characterizing “private data encryption” as a non-default feature that customers should enable manually — but the practical effect is that the default configuration of FortiOS devices stores directory service credentials in a form that any party with knowledge of the global static key can decrypt offline [2]. The SentinelOne analysis confirmed that attackers in the documented campaign decrypted credentials for the fortidcagent service account — the FortiGate domain controller agent account used for Active Directory LDAP queries and policy synchronization.
This design characteristic means that any successful FortiGate administrative access event on a device configured with LDAP or Active Directory integration should be treated as a potential credential compromise event, as default FortiOS configurations store those credentials in a recoverable form. The two incidents described in the SentinelOne reporting illustrate the spectrum of what follows.
Active Directory Pivoting: Two Incident Profiles
Incident 1, spanning November 2025 through February 2026, exhibited a dwell time consistent with initial access broker (IAB) activity [1]. The attacker established persistent administrative access to a FortiGate appliance at a healthcare organization, created a rogue account named support on the device, and maintained periodic check-in activity over three months without immediately escalating. Using the decrypted fortidcagent credentials to authenticate to Active Directory, the attacker exploited the ms-DS-MachineAccountQuota attribute — a default Active Directory setting permitting any standard domain account to join up to ten workstations — to enroll two rogue workstations (WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2) into the domain. Attack traffic in this incident originated from IP addresses geolocated to Ukraine and Kazakhstan, including 185.156.73.62 and 185.242.246.127 [1]; geolocation alone does not establish actor attribution given common use of proxy and VPN infrastructure by sophisticated threat actors. The extended dwell time and limited lateral movement during the period are consistent with the attacker maintaining access for eventual sale rather than immediate exploitation.
Incident 2 presented a markedly different operational tempo [1]. From initial FortiGate compromise to domain controller access consumed fewer than ten minutes, indicating the attacker arrived with a pre-planned execution path and likely pre-existing knowledge of the target environment. After decrypting LDAP credentials and authenticating to Active Directory as a domain administrator, the attacker used WMIC to create a Volume Shadow Copy of the primary domain controller, extracted the NTDS.dit file and SYSTEM registry hive, compressed them using makecab, and exfiltrated the resulting archive over HTTPS to 172.67.196.232 on port 443 in an eight-minute window. The NTDS.dit contains hashed credentials for every account in the Active Directory domain. Post-transfer cleanup deleted the staging files, and the attacker established persistence using two commercial remote monitoring and management tools — Pulseway and MeshAgent — installed via a staging directory at C:\ProgramData\USOShared [1].
Sector Targeting and the MSP Amplification Risk
The explicit targeting of healthcare organizations, government agencies, and managed service providers reflects both opportunism and deliberate strategic selection [1][10]. FortiGate devices are prevalent in these sectors, and the healthcare sector’s combination of sensitive data, critical operational dependencies, and historically underfunded security programs makes it an attractive target [10]. According to CSA analysis of industry survey data, healthcare organizations typically allocate four to seven percent of budgets to cybersecurity, compared to fifteen percent in other industries, and ransomware incidents in the sector have grown substantially over recent years [10].
MSPs warrant particular concern in this campaign context. A managed service provider maintaining FortiGate appliances on behalf of multiple clients likely stores LDAP configuration for each client environment on those respective devices. A single successfully exploited FortiGate at an MSP, or a single stolen MSP administrative credential enabling access to client devices, can yield LDAP service account credentials across the entire managed client portfolio. This amplification effect means that threat actors capable of IAB operations — establishing and maintaining access for downstream sale — find MSPs especially attractive targets: one intrusion can potentially yield access inventory spanning multiple downstream organizations, depending on the breadth of the MSP’s managed client base.
Persistence and Post-Exploitation Infrastructure
The SentinelOne investigation identified several indicators of attacker persistence that extend beyond the initial FortiGate compromise [1]. Attacker infrastructure included the domains ndibstersoft.com and neremedysoft.com for command-and-control communications. RMM tool payloads were staged via legitimate cloud storage addresses, including an AWS S3 bucket and a Google Cloud Storage path — a technique that security researchers note can allow attacker traffic to blend with legitimate cloud service communications [1]. Scheduled tasks named JavaMainUpdate and MeshUserTask maintained persistence on compromised domain controllers and file servers. In Incident 1, the attacker employed Java DLL side-loading using spoofed java.exe filenames to evade detection.
A separate advisory from CISA in April 2025, predating the current campaign, warned that threat actors who successfully exploited CVE-2024-21762, CVE-2023-27997, or CVE-2022-42475 may have planted persistent malicious files on affected devices enabling ongoing read-only filesystem access even after those earlier vulnerabilities were patched [11]. Organizations that experienced any FortiGate exploitation during the 2024–2025 window should therefore not assume that patching alone eliminated persistent attacker access — CISA identifies specific remediation versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) that actively remove these files, and organizations should confirm they applied those targeted versions.
Recommendations
Immediate Actions
Organizations running FortiGate devices should treat credential rotation and management interface restriction as immediate priorities, independent of whether patching is complete. All LDAP and Active Directory service account credentials stored in FortiGate configurations — including the fortidcagent account and any equivalent domain-integrated service accounts — should be rotated immediately and treated as compromised. This rotation is necessary regardless of patching status, because any device that has been accessible via an internet-exposed management interface since December 2025 may have had its configuration file extracted by an attacker exploiting CVE-2025-59718 or preceding vulnerabilities.
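One way to turn this rotation requirement, together with the compromise assumption in the Security Analysis section, into a concrete worklist is to enumerate every stored directory credential in a configuration backup. The following is an added Python example, not code from this note, SentinelOne, or Fortinet; the sample configuration, entry names and addresses are constructed, and only the `config user ldap` / `config user fsso` block layout follows the FortiOS text-config format.

```python
"""Inventory of directory-service credentials stored in a FortiGate config
backup, so each stored account can be rotated.  Added example, not from the
CSA note or any Fortinet tool.  The sample is constructed; only the block
layout (config user ldap / edit / set / next / end) follows the FortiOS
text-config format.  Nothing is decrypted: an ENC value is only reported."""

# Constructed fragment of a `show full-configuration` dump.
SAMPLE_CONFIG = """\
config user ldap
    edit "AD-LDAP"
        set server "10.10.0.5"
        set dn "dc=corp,dc=example,dc=com"
        set username "CN=fortidcagent,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password ENC EXAMPLECIPHERTEXTNOTREAL==
    next
    edit "AD-LDAP-ANON"
        set server "10.10.0.6"
        set dn "dc=corp,dc=example,dc=com"
        set type anonymous
    next
end
config user fsso
    edit "DC-AGENT"
        set server "10.10.0.5"
        set password ENC EXAMPLECIPHERTEXTNOTREAL==
    next
end
"""


def credential_bearing_entries(config_text):
    """One dict per `config user ldap` / `config user fsso` entry."""
    entries, section, entry, depth = [], None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # top-level section; nested config blocks keep the outer one
                parts = line.split()
                # Only directory-integration sections hold domain credentials;
                # other sections (config system admin, config vpn ...) are skipped.
                section = parts[2] if parts[1] == "user" else None
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif section and depth == 1 and line.startswith("edit "):
            entry = {"section": section, "name": line.split('"')[1],
                     "server": None, "username": None, "stored_secret": False}
        elif section and depth == 1 and line == "next" and entry:
            entries.append(entry)
            entry = None
        elif entry and depth == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if key == "server":
                entry["server"] = value.strip('"')
            elif key == "username":
                entry["username"] = value.strip('"')
            elif key == "password" and value.startswith("ENC "):
                entry["stored_secret"] = True  # presence only; never decoded
    return entries


def rotation_worklist(config_text):
    """Accounts whose secret lives in the config and must be rotated."""
    work = []
    for e in credential_bearing_entries(config_text):
        if e["stored_secret"]:
            who = e["username"] or f"FSSO agent password for {e['server']}"
            work.append((e["section"], e["name"], who))
    return work
```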
Management interfaces must not be exposed to the internet. Fortinet’s own guidance and CISA advisories are consistent on this point: FortiGate management UIs should be accessible only from management VLANs, dedicated bastion hosts, or administrative VPNs with multi-factor authentication enforced. Internet exposure of management ports 443, 8443, 10443, and 4443 has been directly associated with both the mass-exploitation AI-assisted campaign documented in early February 2026 [7] and the targeted credential extraction campaign analyzed here.
Patching should proceed as quickly as operational constraints permit. The priority sequence for FortiOS is: address CVE-2026-24858 per Fortinet’s January 2026 guidance, then ensure FortiOS is updated to 7.6.4 or later, 7.4.9 or later, 7.2.12 or later, or 7.0.18 or later to address CVE-2025-59718 and CVE-2025-59719 [9]. FortiOS devices running versions in the CVE-2024-55591 and CVE-2025-24472 affected ranges should also be updated per the January and March 2025 CISA KEV deadlines [3][4].
Short-Term Mitigations
Private data encryption should be enabled on all FortiOS devices. This feature configures the device to use a unique per-device encryption key for stored credentials rather than the global static key identified in CVE-2026-25815. Fortinet acknowledges this setting may affect certain management operations and characterizes it as non-default, but enabling it is the direct mitigation for the credential extraction technique documented in this campaign [2]. The setting is accessible in the GUI under System > Settings or via CLI.
FortiCloud SSO should be disabled on any device where cloud-based single sign-on management is not operationally required, as it was the authentication surface exploited by CVE-2025-59718 and CVE-2026-24858. Similarly, SSL-VPN functionality should be disabled if not in active use, eliminating the attack surface for CVE-2024-21762. Where Security Fabric is not required, disabling it removes exposure to CVE-2025-24472.
Active Directory audit activity should be prioritized as a parallel track to FortiGate remediation. Security teams should review domain controller event logs for Type 3 and Type 10 logon events from unexpected source systems, audit computer accounts recently joined to the domain by non-administrative users under the ms-DS-MachineAccountQuota default for unauthorized workstation enrollment, and search for accounts created after November 2025 with names such as support, ssl-admin, helpdesk, itadmin, backup, or remoteadmin [1]. Organizations that have experienced domain controller compromise should treat all domain credentials as potentially exposed given the NTDS.dit exfiltration technique documented in Incident 2.
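The three audit checks just listed, as an added Python example (not from this note or SentinelOne's report) run over constructed Windows Security event records in the shape a SIEM extracts from event IDs 4624, 4720 and 4741; the approved source range 10.10.0.0/16 and the domain-join administrator list are assumptions, while the foreign source address and rogue workstation name are the ones given for Incident 1 above.

```python
"""Triage of Windows Security events for the three Active Directory signals
the note calls out: network/RDP logons (types 3 and 10) from unexpected
sources, computer accounts joined by ordinary users (ms-DS-MachineAccountQuota
abuse), and recently created accounts carrying the campaign's generic names.

Added example, not from the CSA note or SentinelOne's report.  Events are
constructed dicts of the fields a SIEM extracts from event IDs 4624, 4720 and
4741; the approved source range and the domain-join admin list are assumptions.
One source address and one workstation name are taken from the note's
Incident 1 description."""
from datetime import date
import ipaddress

# Assumed per-environment inputs.
APPROVED_LOGON_SOURCES = [ipaddress.ip_network("10.10.0.0/16")]  # admin VLAN / jump hosts
DOMAIN_JOIN_ADMINS = {"joinsvc", "Administrator"}  # accounts allowed to create computer objects
CAMPAIGN_ACCOUNT_NAMES = {"support", "ssl-admin", "helpdesk", "itadmin", "backup", "remoteadmin"}
REVIEW_FROM = date(2025, 11, 1)  # start of the campaign window in the note

# Constructed sample events; field names follow the Windows Security log schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "fortidcagent",
     "IpAddress": "10.10.0.1", "TimeCreated": date(2026, 1, 5)},      # the FortiGate itself
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "fortidcagent",
     "IpAddress": "185.156.73.62", "TimeCreated": date(2026, 1, 9)},  # source from Incident 1
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "192.168.50.20", "TimeCreated": date(2026, 1, 9)},  # RDP from outside admin VLAN
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe",
     "IpAddress": "-", "TimeCreated": date(2026, 1, 9)},              # interactive logon, ignored
    {"EventID": 4741, "TargetUserName": "WIN-X8WRBOSK0OF$", "SubjectUserName": "fortidcagent",
     "TimeCreated": date(2026, 1, 9)},                                # joined by a service account
    {"EventID": 4741, "TargetUserName": "LT-0421$", "SubjectUserName": "joinsvc",
     "TimeCreated": date(2026, 1, 10)},                               # normal provisioning
    {"EventID": 4720, "TargetUserName": "support", "TimeCreated": date(2025, 12, 2)},
    {"EventID": 4720, "TargetUserName": "mfournier", "TimeCreated": date(2025, 12, 3)},
    {"EventID": 4720, "TargetUserName": "helpdesk", "TimeCreated": date(2025, 6, 3)},  # before window
]


def unexpected_source(ip_text):
    """True when the logon source is a routable address outside the approved ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # "-" or empty: local logon, no network source to judge
        return False
    return not any(addr in net for net in APPROVED_LOGON_SOURCES)


def triage(events):
    """Return [(rule, detail)] findings for the three checks above."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 4624 and e.get("LogonType") in (3, 10) and unexpected_source(e.get("IpAddress", "-")):
            findings.append(("remote-logon-unexpected-source",
                             f"{e['TargetUserName']} logon type {e['LogonType']} from {e['IpAddress']}"))
        elif eid == 4741 and e.get("SubjectUserName") not in DOMAIN_JOIN_ADMINS:
            findings.append(("computer-joined-by-nonadmin",
                             f"{e['TargetUserName']} created by {e['SubjectUserName']}"))
        elif (eid == 4720 and e["TimeCreated"] >= REVIEW_FROM
              and e["TargetUserName"].lower() in CAMPAIGN_ACCOUNT_NAMES):
            findings.append(("campaign-style-account-name", e["TargetUserName"]))
    return findings
```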
Log retention and SIEM forwarding policies on FortiGate devices should maintain a minimum of 14 days on-device with forwarding to a SIEM, as the documented attackers deleted log files during intrusions. Monitoring should include alerting on show full-configuration CLI executions, configuration file download events, and administrative account creation events.
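The three FortiGate alerts named above, as an added Python example (not from this note or any Fortinet product) that parses FortiOS key=value syslog lines. The sample lines are constructed: the key=value framing and the common keys (type, subtype, logdesc, user, ui, srcip, action, cfgpath, cfgobj, msg) follow real FortiOS event logs, but the logdesc and msg wording, including how a CLI command execution is recorded, is an assumption to verify against your firmware's log reference before deploying the rules.

```python
"""Alerting on the three FortiGate administrative events the note names:
a full-configuration dump from the CLI, a configuration-file download, and
creation of an administrator account.  Lines use FortiOS key=value syslog.

Added example, not from the CSA note or any Fortinet product.  The sample
lines are constructed; key names follow FortiOS event logs, but the logdesc
and msg wording is assumed and must be checked against the firmware's log
reference (logid values are omitted for the same reason)."""
import re

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (device name and addresses are made up).
SAMPLE_LOG = r'''
date=2026-01-09 time=03:14:22 devname="FGT-HQ" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.9)"
date=2026-01-09 time=03:15:01 devname="FGT-HQ" type="event" subtype="system" level="notice" vd="root" logdesc="Command executed" user="admin" ui="ssh(203.0.113.9)" msg="show full-configuration"
date=2026-01-09 time=03:16:40 devname="FGT-HQ" type="event" subtype="system" level="notice" vd="root" logdesc="Configuration backup" user="admin" ui="https(203.0.113.9)" action="backup" msg="Configuration file downloaded"
date=2026-01-09 time=03:18:05 devname="FGT-HQ" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="https(203.0.113.9)" action="Add" cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]" msg="Add system.admin support"
date=2026-01-09 time=03:20:00 devname="FGT-HQ" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="https(203.0.113.9)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[maint]" msg="Edit firewall.policy 12"
'''


def parse_fortigate_line(line):
    """Turn one key=value FortiOS log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(rec):
    """Alert name for a parsed record, or None when the line is not alert-worthy."""
    if rec.get("type") != "event" or rec.get("subtype") != "system":
        return None
    msg = rec.get("msg", "").lower()
    if "full-configuration" in msg:                       # CLI dump of the whole config
        return "config-dump-cli"
    if rec.get("logdesc") == "Configuration backup" or "configuration file downloaded" in msg:
        return "config-download"                          # GUI/API backup download
    if rec.get("cfgpath") == "system.admin" and rec.get("action", "").lower() == "add":
        return "admin-account-created"                    # new entry under config system admin
    return None


def alerts(log_text):
    """[(alert, user, ui, msg)] for every line that should page an analyst."""
    out = []
    for line in log_text.strip().splitlines():
        rec = parse_fortigate_line(line)
        name = classify(rec)
        if name:
            out.append((name, rec.get("user"), rec.get("ui"), rec.get("msg")))
    return out
```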
Strategic Considerations
The fundamental architectural vulnerability in this campaign is that network security appliances function as credential stores for directory services without the same level of privilege management applied to identity systems themselves. Organizations operating in sectors with elevated targeting profiles — healthcare, government, and MSP environments in particular — should assess whether LDAP integration credentials stored on perimeter devices have equivalent least-privilege controls to other privileged accounts. The fortidcagent service account and similar accounts should be scoped to the minimum LDAP permissions required for FortiGate policy enforcement, monitored for anomalous authentication behavior, and rotated on a defined periodic cycle rather than treated as long-lived static credentials.
The IAB pattern in Incident 1 suggests that FortiGate access is being marketed and sold in criminal ecosystems. MSPs should evaluate whether administrative credentials for customer FortiGate devices are sufficiently isolated such that compromise of the MSP management plane does not yield access to customer directory services. Network segmentation between MSP administrative infrastructure and customer environments, combined with customer-specific MFA enforcement on management interfaces, can limit the blast radius of an MSP-level compromise.
CSA Resource Alignment
This campaign directly engages several active CSA research areas and guidance frameworks. CSA’s Zero Trust Working Group guidance provides the architectural counter to internet-exposed management plane risk: the authenticate-before-connect model, implemented via Zero Trust Network Access or Single Packet Authorization, substantially reduces internet-facing exposure of the management ports that enable the authentication bypass CVEs documented in this campaign [12]. Organizations seeking to reduce long-term exposure to FortiGate management interface vulnerabilities should evaluate ZTNA architectures as a structural control rather than relying solely on patching cycles.
The CSA Cloud Controls Matrix v4.0 maps directly to the control failures exploited in this campaign (verify domain identifiers against the current published version [13]). CCM domain IAM-14 (privileged access management) addresses the service account credential management gaps that allowed fortidcagent credentials to serve as an Active Directory entry point. Domain TVM-02 (vulnerability management) encompasses the patching obligations triggered by the CISA KEV entries. Domain IVS-03 (network segmentation) covers the management interface isolation requirements. These CCM controls, when evaluated through the CSA STAR assurance framework, provide a structured basis for communicating remediation status to boards and regulators [13].
CSA’s Healthcare Cybersecurity Playbook and Ransomware in the Healthcare Industry guidance are directly applicable to the IAB → ransomware kill chain suggested by the behavioral patterns in this campaign [10][14]. The Playbook’s guidance on network segmentation, backup integrity verification, and incident response posture is particularly relevant for healthcare organizations evaluating their exposure to the credential extraction technique documented here. CSA’s MAESTRO threat modeling framework, documented in Cloud Threat Modeling 2025, provides a methodology for modeling the AI-augmented components of the broader campaign context established in the prior CSA research note [7][15].
References
[1] SentinelOne DFIR Team, “FortiGate Edge Intrusions: Service Account Credential Extraction and Active Directory Compromise,” SentinelOne Blog, March 2026. https://www.sentinelone.com/blog/fortigate-edge-intrusions/
[2] SentinelOne Vulnerability Database, “CVE-2026-25815: FortiOS LDAP Credential Disclosure via Default Cryptographic Key,” SentinelOne, 2026. https://www.sentinelone.com/vulnerability-database/cve-2026-25815/
[3] Cybersecurity and Infrastructure Security Agency, “Known Exploited Vulnerabilities Catalog — Fortinet Entries,” CISA, updated March 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=Fortinet
[4] National Vulnerability Database, “CVE-2024-55591 Detail,” NIST NVD, 2025. https://nvd.nist.gov/vuln/detail/cve-2024-55591
[5] National Vulnerability Database, “CVE-2025-59718 Detail,” NIST NVD, 2025. https://nvd.nist.gov/vuln/detail/CVE-2025-59718
[6] Cybersecurity and Infrastructure Security Agency, “Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858,” CISA Alert, January 28, 2026. https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026
[7] Cloud Security Alliance AI Safety Initiative, “AI-Assisted Mass Network Infrastructure Exploitation: The 600+ FortiGate Campaign,” CSA Research Note, March 8, 2026. (Internal reference: CSA_research_note_ai_assisted_network_device_mass_exploitation_20260308.md)
[8] National Vulnerability Database, “CVE-2024-21762 Detail,” NIST NVD, 2024. https://nvd.nist.gov/vuln/detail/cve-2024-21762
[9] Fortinet PSIRT, “FG-IR-25-647: FortiCloud SSO Authentication Bypass (CVE-2025-59718, CVE-2025-59719),” Fortinet Security Advisories, 2025. https://fortiguard.fortinet.com/psirt/FG-IR-25-647
[10] Cloud Security Alliance, “Healthcare Cybersecurity Playbook,” CSA, 2024. https://cloudsecurityalliance.org/research/working-groups/health-information-management
[11] Cybersecurity and Infrastructure Security Agency, “Fortinet Releases Advisory on New Post-Exploitation Technique for Known Vulnerabilities,” CISA Alert, April 11, 2025. https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities
[12] Cloud Security Alliance, “Zero Trust Working Group,” CSA. https://cloudsecurityalliance.org/research/working-groups/zero-trust
[13] Cloud Security Alliance, “Cloud Controls Matrix and CAIQ v4.0,” CSA, 2021. https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix
[14] Cloud Security Alliance, “Ransomware in the Healthcare Industry,” CSA, 2024. https://cloudsecurityalliance.org/research/working-groups/health-information-management
[15] Cloud Security Alliance, “Cloud Threat Modeling 2025,” CSA, 2025. https://cloudsecurityalliance.org/research/working-groups/threat-modeling (URL currently returning 404; see CSA publications portal for current link)
[16] Rapid7 Threat Intelligence, “ETR: Critical Vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 Exploited in the Wild,” Rapid7, December 2025. https://www.rapid7.com/blog/post/etr-critical-vulnerabilities-in-fortinet-cve-2025-59718-cve-2025-59719-exploited-in-the-wild/
[17] Arctic Wolf, “Arctic Wolf Observes Malicious SSO Logins Following Disclosure of CVE-2025-59718 and CVE-2025-59719,” Arctic Wolf Networks, December 2025. https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
[18] National Vulnerability Database, “CVE-2025-24472 Detail,” NIST NVD, 2025. https://nvd.nist.gov/vuln/detail/CVE-2025-24472