FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Researchers warn of a campaign abusing FortiGate NGFW appliances, exploiting recent CVEs and weak credentials, to steal configuration files and gain footholds in networks across healthcare, government, and managed service providers. Attackers created persistent admin accounts, decrypted service-account LDAP credentials (fortidcagent), enrolled rogue workstations into Active Directory, and in some cases deployed Pulseway/MeshAgent and Java DLL side-loading to exfiltrate NTDS.dit and the SYSTEM hive via AWS-hosted infrastructure. #FortiGate #CVE-2025-59718 #CVE-2025-59719 #CVE-2026-24858 #fortidcagent #ActiveDirectory #Pulseway #MeshAgent #NTDS.dit #AWS #SentinelOne

Keypoints

  • Threat actors exploit FortiGate NGFW vulnerabilities and weak credentials to extract device configuration files.
  • Extracted configs contained service account credentials (e.g., fortidcagent) and network topology enabling AD access.
  • Attackers created local admin accounts and permissive firewall policies to maintain persistent access.
  • Some incidents involved deploying Pulseway/MeshAgent and using Java DLL side-loading to exfiltrate NTDS.dit and the SYSTEM hive.
  • SentinelOne reports that healthcare, government, and managed service providers were targeted, and that its detection halted further lateral movement.

Read More: https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html