Your FortiGate Knows Your AD Password. So Does the Attacker.

SentinelOne's DFIR team dropped a report this week that should land on every firewall admin's desk. They worked two separate FortiGate intrusion cases in early 2026. In one, the attacker sat quietly for three months before anyone noticed. In the other, they were pivoting to domain controllers ten minutes after first access. Both ended with Active Directory fully compromised.

This isn't a theoretical attack chain. This is what's happening right now.


The Three CVEs Feeding This Campaign

Three vulnerabilities are driving these intrusions. Two were exploited in the wild from December 2025 into February 2026; the third was patched by Fortinet in late January 2026.

CVE-2025-59718 and CVE-2025-59719 hit the single sign-on (SSO) login path in FortiOS. The device fails to validate the cryptographic signature on SSO tokens, so it cannot tell a token issued by the real identity provider from one the attacker minted. Send a crafted token asserting an administrator identity and you walk in with unauthenticated administrative access. No credentials needed. No brute force. Just a crafted token.

CVE-2026-24858 affected FortiGate devices with FortiCloud SSO enabled. Attackers logged into victim devices using their own FortiCloud account, not one belonging to the victim. That's it. The authentication boundary didn't exist.

CybrPulse tracked 67 Fortinet and FortiGate stories across February and March 2026. That's not background noise. That's a sustained targeting campaign.


What Attackers Take First: The Config File

Once inside, the first move was the same in both cases: run `show full-configuration`.

FortiOS stores the credentials embedded in the config file (for example the bind password of each LDAP server entry) with reversible encryption rather than a one-way hash. That distinction matters. A hash would hand the attacker something to crack, which takes time and may fail; reversible encryption means the attacker decrypts the file offline and reads the service account credentials in cleartext.

In environments where FortiGate is integrated with Active Directory — which is most enterprise deployments — those service accounts have LDAP access to your directory. The firewall that was supposed to protect your network hands the attacker a valid credential for it.


Incident One: Three Months, Then AD Enrollment

The first case SentinelOne investigated likely started in late November 2025. The attacker wasn't discovered until February 2026.

After gaining access, they created a local admin account named `support` and built four firewall policies allowing all-to-all zone traversal. Then they went quiet — occasional low-volume traffic through the new policies, enough to confirm access was still live. That pattern is consistent with an initial access broker selling the foothold after establishing it.

In February, the buyer got to work. They decrypted the credentials in the config file, pulled the password for the `fortidcagent` service account (one of the directory service accounts embedded in the config), and authenticated to Active Directory from IP `193.24.211[.]61`.

Then they used a feature most admins forget exists: `ms-DS-MachineAccountQuota`. By default, any authenticated domain user can join up to ten computers to the domain. The attacker used the `fortidcagent` credential to enroll two attacker-controlled workstations, `WIN-X8WRBOSK0OF` and `WIN-YRSXLEONJY2`, directly into Active Directory. Their machines, on your domain, with legitimate computer accounts that can authenticate to everything else in it.

From there: network scanning, password spraying originating from the FortiGate's own IP address, and artifacts from SoftPerfect Network Scanner. Security alerts fired, lateral movement was blocked, and SentinelOne contained it. Insufficient log retention on the FortiGate itself meant they couldn't determine exactly when or how the initial access happened.


Incident Two: Ten Minutes

The second case moved at a different pace.

The attacker created a local FortiGate admin account named `ssl-admin`. Within ten minutes, they were authenticating to multiple servers in the environment with the domain's built-in Administrator account. They weren't waiting for anything.

They staged tools in `C:\ProgramData\USOShared`, a directory SentinelOne notes they've seen abused across multiple incidents, and deployed two RMM tools: Pulseway (fetched from an attacker-controlled Google Cloud Storage bucket) and MeshAgent. MeshAgent was installed on the domain controller and on a file server. Setting `SystemComponent=1` on its Uninstall registry key hid it from Programs and Features.

Scheduled tasks `JavaMainUpdate` and `MeshUserTask` ensured persistence. Then they downloaded an additional payload from an AWS S3 bucket (`fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com`), unpacked it, and executed `java.exe` — which was malware using DLL sideloading to blend in as a legitimate Java process. It beaconed to `ndibstersoft[.]com` and `neremedysoft[.]com`.

The endgame: a Volume Shadow Copy of the primary domain controller, from which `NTDS.dit` and the SYSTEM registry hive were copied out (the SYSTEM hive holds the boot key needed to decrypt the secrets in the database), packaged with `makecab`, and uploaded over a port-443 connection to `172.67.196[.]232` (a Cloudflare IP, opaque by design) within an 8-minute window. The files were deleted after upload.

The NTDS database contains the password hashes for every account in the domain. Whether the attacker cracked them offline is unknown; SentinelOne found no evidence of it during the containment window. Cracking isn't required, though: NT hashes are usable as-is for pass-the-hash, so once NTDS.dit has left the building the correct response is a full domain credential reset, including resetting the `krbtgt` account twice.


What You Should Be Doing Today

Patch. CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 all have Fortinet fixes available. If you haven't applied them, assume you're a target. Patching closes the door but evicts nobody: an attacker-created admin account like `support` or `ssl-admin`, or a set of any-to-any policies, survives the upgrade, so review the admin list and the policy table as part of the same change.

Audit the service accounts in your FortiGate config. For any account the config holds for LDAP or AD integration, check what it can actually do in the directory, scope it down to read-only on the containers it needs, deny it interactive logon, and rotate its password if the device was ever reachable while unpatched, because the config may already have been read.
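The config review described here and in the section on `show full-configuration` above is mechanical enough to script. The following is an added example, not code from SentinelOne or Fortinet: it parses a FortiGate configuration dump into its top-level `edit … next` entries and reports unexpected admin accounts, embedded directory credentials, and any-to-any accept policies, which are the three things the two incidents turned on. The config text is constructed for the example; `support` and `fortidcagent` are the names from the report, and the server, DN, interface and policy values are invented. The `ENC` blobs are only located, not decrypted.

```powershell
# Added example, not code from SentinelOne or Fortinet. Constructed config dump:
# "support" and "fortidcagent" come from the report, everything else is made up.
$config = @'
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AAAAexampleAAAA
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC BBBBexampleBBBB
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=fortidcagent,OU=Service Accounts,DC=corp,DC=example"
        set password ENC CCCCexampleCCCC
    next
end
config firewall policy
    edit 101
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 102
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lan-subnet"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
    next
end
'@

# Walk the dump and emit one object per top-level "edit ... next" entry.
# A depth counter keeps nested sub-blocks inside an entry (their own
# config/end/edit/next lines) from being mistaken for top-level ones.
function Get-FortiConfigEntry {
    param([string]$Text)
    $depth = 0; $section = $null; $entry = $null; $props = @{}
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^config\s+(.+)$') {
            $depth++
            if ($depth -eq 1) { $section = $Matches[1] }
        }
        elseif ($line -eq 'end') { $depth-- }
        elseif ($depth -ne 1) { continue }
        elseif ($line -match '^edit\s+"?([^"]+)"?$') { $entry = $Matches[1]; $props = @{} }
        elseif ($line -match '^set\s+(\S+)\s+(.*)$') { $props[$Matches[1]] = $Matches[2].Trim('"') }
        elseif ($line -eq 'next') {
            [pscustomobject]@{ Section = $section; Name = $entry; Props = $props }
        }
    }
}

$entries = Get-FortiConfigEntry -Text $config

# 1. Admin accounts you did not create. "support" and "ssl-admin" from the two
#    incidents would surface here; keep the allow-list honest.
$approvedAdmins = @('admin')
$entries | Where-Object { $_.Section -eq 'system admin' -and $_.Name -notin $approvedAdmins } |
    ForEach-Object { "UNEXPECTED ADMIN : $($_.Name) (profile $($_.Props['accprofile']))" }

# 2. Embedded directory credentials. Each one is a cleartext AD password to
#    anyone who can read the config: least privilege now, rotation after exposure.
$entries | Where-Object { $_.Section -in @('user ldap', 'user fsso') -and $_.Props.ContainsKey('password') } |
    ForEach-Object { "EMBEDDED CRED    : [$($_.Section)] $($_.Name) binds as $($_.Props['username']) to $($_.Props['server'])" }

# 3. Any-to-any accept policies like the four added in incident one.
$entries | Where-Object {
    $_.Section -eq 'firewall policy' -and $_.Props['action'] -eq 'accept' -and
    $_.Props['srcintf'] -eq 'any' -and $_.Props['dstintf'] -eq 'any' -and
    $_.Props['srcaddr'] -eq 'all' -and $_.Props['dstaddr'] -eq 'all'
} | ForEach-Object { "ANY-ANY POLICY   : id $($_.Name) service $($_.Props['service'])" }
```

Against the constructed dump this reports the `support` admin, the `corp-ad` LDAP entry binding as `fortidcagent`, and policy 101; policy 102 is left alone. To run it against a real device, replace the here-string with the saved output of `show full-configuration` and put every admin you actually created in `$approvedAdmins`.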

Check `ms-DS-MachineAccountQuota`. If you haven't set it to zero in your environment, you should. The default of 10 means any compromised standard account can enroll attacker hardware in your domain. Zeroing it stops new joins but does not remove computer objects already created, so also review recently created computer accounts and who created them.
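An added example, not code from the SentinelOne report, of both halves of that check: read and zero the quota on the domain naming context, then list the computer objects that were created under the quota. Computers joined by a user who relies on the quota rather than on explicit Create Child rights carry that user's SID in `ms-DS-CreatorSID`, so the two hosts enrolled in incident one would appear here with `fortidcagent` as the creator. It assumes the RSAT ActiveDirectory module and an account allowed to write the domain head.

```powershell
# Added example, not from the report. Needs RSAT ActiveDirectory and rights to
# write the domain naming context head; run from a domain-joined admin host.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$nc = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota is currently $($nc.'ms-DS-MachineAccountQuota')"

# Remediate. With the quota at 0, holding "Add workstations to domain"
# (SeMachineAccountPrivilege) no longer lets a user create computer objects;
# only principals with explicit Create Child rights on the target container can.
if ($nc.'ms-DS-MachineAccountQuota' -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    "Quota set to 0"
}

# Hunt. Zeroing the quota does not touch objects already created, so list every
# computer that carries a creator SID and resolve who joined it and when.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated, operatingSystem |
    ForEach-Object {
        $raw = $_.'ms-DS-CreatorSID'
        # The module returns this attribute as raw bytes; accept a string SID too.
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
               else { [System.Security.Principal.SecurityIdentifier]$raw }
        # The creator may have been deleted since; fall back to the bare SID.
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Computer  = $_.Name
            Created   = $_.whenCreated
            CreatedBy = $creator
            OS        = $_.operatingSystem
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize
```

A service account such as `fortidcagent` should never appear in the CreatedBy column; anything it created is attacker hardware until proven otherwise and should be disabled, then deleted once the investigation has what it needs from it.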

Review FortiGate log retention. Both incidents were hampered by insufficient logs on the appliance. You can't reconstruct what you didn't keep, and logs that live only on the compromised device are logs the attacker can delete, so forward them off-box.

Hunt for these RMM tools. Pulseway and MeshAgent are legitimate, which is why attackers use them. Look for the `JavaMainUpdate` and `MeshUserTask` scheduled tasks, any `MeshAgent` service or process whose Uninstall entry is hidden with `SystemComponent=1`, and executables staged in `C:\ProgramData\USOShared`, a directory that legitimately holds only Windows Update Orchestrator logs.
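The host-side version of that hunt, as an added example rather than anything from the report: it checks a domain controller or file server for the task names, the hidden Uninstall entries, MeshAgent or Pulseway services and processes, binaries staged under `USOShared`, and a `java.exe` running from somewhere other than a Java install. The task and registry names come from the article; the `Mesh|Pulseway` name matching, the non-Microsoft publisher filter and the file-extension list are my assumptions about how the tooling shows up, so treat the output as a review list, not a verdict.

```powershell
# Added example, not code from the SentinelOne report. Run elevated on the host.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks by the names seen in incident two, plus any task whose
#    action launches from ProgramData (where the tooling was staged).
Get-ScheduledTask | ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    if ($_.TaskName -in @('JavaMainUpdate', 'MeshUserTask') -or $cmd -match 'ProgramData') {
        Add-Finding 'ScheduledTask' $_.TaskName $cmd
    }
}

# 2. Uninstall entries hidden with SystemComponent=1. Microsoft's own components
#    use this flag legitimately, so only non-Microsoft publishers are reported.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
Get-ChildItem $uninstallRoots -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.SystemComponent -eq 1 -and $p.DisplayName -and $p.Publisher -notmatch '^Microsoft') {
        Add-Finding 'HiddenUninstallEntry' $p.DisplayName "$($p.Publisher) $($p.InstallLocation)"
    }
}

# 3. MeshAgent / Pulseway present as a service or a running process.
Get-Service | Where-Object { "$($_.Name) $($_.DisplayName)" -match 'Mesh|Pulseway' } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.Status }
Get-Process | Where-Object { $_.ProcessName -match 'Mesh|Pulseway' } |
    ForEach-Object { Add-Finding 'Process' $_.ProcessName $_.Path }

# 4. Binaries staged in C:\ProgramData\USOShared. The directory is a legitimate
#    Windows Update Orchestrator location, but it should contain logs, not code.
Get-ChildItem 'C:\ProgramData\USOShared' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.exe', '.dll', '.bat', '.ps1', '.cab', '.zip') } |
    ForEach-Object { Add-Finding 'StagedFile' $_.Name "$($_.FullName) $($_.LastWriteTime)" }

# 5. java.exe running from outside Program Files (the sideloaded loader
#    from incident two masqueraded as a Java process).
Get-Process -Name java -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notmatch '\\Program Files' } |
    ForEach-Object { Add-Finding 'SuspiciousJava' $_.ProcessName $_.Path }

$findings | Format-Table -AutoSize
```

On a clean host the table is usually empty apart from the occasional third-party installer that hides itself with `SystemComponent`; a MeshAgent service, a task launching from ProgramData, or an `.exe` under `USOShared` is the signal to pull the box for forensics rather than clean it up in place.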

SentinelOne's report notes that lower-skilled attackers are increasingly using LLMs to navigate post-exploitation on network appliances they don't fully understand. That's the threat environment now. Your FortiGate's configuration file is a goldmine, the management interface that hands it out is reachable from the internet in far too many deployments, and people are coming for it.


*CybrPulse tracked 67 Fortinet and FortiGate stories across February and March 2026. Source: SentinelOne DFIR — FortiGate Edge Intrusions*