FortiGate Exploitation Campaign: How Stolen Service Accounts Enable Rogue Workstation Deployment and Full AD Compromise
Attackers are actively exploiting three critical authentication bypass vulnerabilities in Fortinet products to compromise FortiGate firewalls, extract service account credentials from device configurations, and use those accounts to infiltrate Active Directory environments at depth [1][2]. SentinelOne's DFIR team has responded to multiple incidents throughout early 2026 in which compromised FortiGate appliances served as the initial foothold into victim networks [1]. In a separate but overlapping campaign, Amazon Threat Intelligence tracked a Russian-speaking, financially motivated threat actor who compromised over 600 FortiGate devices across more than 55 countries between January 11 and February 18, 2026 [4]. The common thread across all reported incidents: attackers aren't stopping at firewall access. They're extracting LDAP credentials, joining rogue machines to domains, deploying remote access tools, and stealing the Active Directory database itself.
Three CVEs at the Center of the Campaign
Three vulnerabilities are driving this wave of compromises [2]:
- CVE-2025-59718 and CVE-2025-59719: Both impact Fortinet products' SSO mechanisms by failing to validate cryptographic signatures [1]. These vulnerabilities carry critical CVSS scores and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device [5]. Active exploitation was first observed on January 16, 2026 [5]. Affected products include FortiOS, FortiProxy, FortiAnalyzer, and FortiManager [5].
- CVE-2026-24858: Disclosed by Fortinet on January 27, 2026, this is a critical unauthenticated vulnerability allowing authentication bypass via Fortinet's cloud SSO [5]. Confirmed as a net-new vulnerability (not a patch bypass), it was observed under active zero-day exploitation before the patch dropped [5]. It carries a CVSS score of 9.4 and has been added to CISA's Known Exploited Vulnerabilities catalog [6]. On January 20, 2026, multiple Fortinet clients reported that attackers had gained access to their FortiGate firewalls and created new local admin accounts despite running the most recent FortiOS updates [6]. Fortinet patched the flaw in late January, and at least two malicious FortiCloud accounts associated with exploitation were blocked on January 22, 2026 [6].
All three CVEs have confirmed exploitation in the wild according to NVD and multiple industry sources [2].
From Firewall to Domain: The Attack Chain
SentinelOne's incident response work provides the clearest picture of how these intrusions unfold post-compromise [1].
Initial Access and Persistence on the Firewall
In one incident, the compromise likely began in late November 2025 and remained undetected through February 2026 [1]. The attackers created a new local administrator account named support on the FortiGate appliance [3]. The threat actor then kept periodically checking to ensure the device was accessible, behavior consistent with an initial access broker (IAB) establishing and maintaining a foothold for later sale or use [3].
Service Account Credential Extraction
In February 2026, the attacker likely extracted the FortiGate configuration file, which contained encrypted service account LDAP credentials [1]. Evidence from the SentinelOne investigation demonstrates the attacker subsequently authenticated to Active Directory using cleartext credentials from the fortidcagent service account [1]. This is a critical detail: the FortiGate device's integration with Active Directory for authentication purposes means its configuration stores credentials that, once decrypted, provide direct access to the domain.
Rogue Workstation Deployment via mS-DS-MachineAccountQuota
The attacker used the mS-DS-MachineAccountQuota attribute to join two rogue workstations to the Active Directory domain [1]. This attribute, set to 10 by default in most AD environments, permits any authenticated domain user to add up to 10 computer objects to the domain without requiring elevated privileges. The service account's domain authentication was sufficient.
These rogue workstations, once domain-joined, receive Group Policy updates, appear in standard organizational units, and are treated as trusted endpoints by most security tooling. They serve as attacker-controlled footholds inside the network perimeter.
The attacker authenticated to the victim's environment from IP address 193.24.211[.]61 using the stolen service account [1].
Remote Access Tooling and Data Exfiltration
In another case investigated in late January 2026, attackers moved swiftly from firewall access to deploying remote access tools, specifically Pulseway and MeshAgent [3]. These are legitimate remote management tools, making their presence harder to flag as malicious without specific detection rules.
The threat actor used PowerShell to download malware from a cloud storage bucket hosted on Amazon Web Services (AWS) infrastructure [3]. The Java-based malware, launched via DLL side-loading, exfiltrated the contents of the NTDS.dit file and the SYSTEM registry hive to an external server [3]. Together, these two files yield the password hashes of every account in the domain (the SYSTEM hive holds the boot key needed to decrypt the hashes stored in NTDS.dit). This represents a full domain compromise: the attacker can crack or pass-the-hash for any account, including Domain Admins.
The AI-Augmented Campaign: A Parallel Threat
Amazon's Threat Intelligence team documented a distinct but related campaign by a Russian-speaking financially motivated threat actor who compromised over 600 FortiGate devices across more than 55 countries from January 11 to February 18, 2026 [4]. Notably, this campaign did not exploit the three CVEs discussed above. Instead, the actor exploited exposed management ports and weak credentials with single-factor authentication [4].
What distinguishes this campaign is the actor's use of multiple commercial generative AI services to implement and scale well-known attack techniques throughout every phase of their operations [4]. The threat actor specifically targeted Veeam Backup & Replication servers and deployed multiple tools for extracting credentials [4]. In at least one case, the Domain Administrator account used a plaintext password that was either extracted from the FortiGate configuration through password reuse or was independently weak [4].
This campaign reinforces a broader pattern: FortiGate configuration files are a high-value target regardless of the access method because they frequently contain credentials that unlock deeper network access.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 193.24.211[.]61 | Attacker-controlled IP used to authenticate to victim AD via stolen service account | [1] |
| Account name | support | Rogue local administrator account created on compromised FortiGate device | [3] |
| Malware/Tool | Pulseway | Legitimate remote access tool deployed by attackers for persistence | [3] |
| Malware/Tool | MeshAgent | Legitimate remote access tool deployed by attackers for persistence | [3] |
| Filename | NTDS.dit | Active Directory database file exfiltrated by attackers | [3] |
| Filename | SYSTEM | Registry hive file exfiltrated alongside NTDS.dit | [3] |
Note: As of March 10, 2026, Leargas Security reports that no additional atomic IOCs (hashes, IPs, domains) have been publicly released in connection with the CVE exploitation campaign beyond those listed above [2].
MITRE ATT&CK Mapping
Based on the behaviors described across source reporting:
| Technique ID | Name | Context |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploitation of CVE-2025-59718, CVE-2025-59719, CVE-2026-24858 on FortiGate appliances [1][2][5] |
| T1078.002 | Valid Accounts: Domain Accounts | Use of stolen fortidcagent service account credentials to authenticate to AD [1] |
| T1136.001 | Create Account: Local Account | Creation of rogue support admin account on FortiGate device [3] |
| T1003.003 | OS Credential Dumping: NTDS | Exfiltration of NTDS.dit and SYSTEM registry hive [3] |
| T1219 | Remote Access Software | Deployment of Pulseway and MeshAgent for persistent access [3] |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell used to download malware from AWS cloud storage [3] |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Java malware launched via DLL side-loading [3] |
| T1098 | Account Manipulation | Use of mS-DS-MachineAccountQuota to join rogue workstations to AD [1] |
| T1071.001 | Application Layer Protocol: Web Protocols | Exfiltration of NTDS.dit over port 443 to external server [3] |
FortiGate Device Layer
- Audit local accounts on all FortiGate devices immediately. Look for any accounts not created through approved change management, particularly generic names like `support`, `admin1`, `svc_admin`, or similar [3].
- Review FortiCloud SSO configuration. Devices with FortiCloud SSO enabled were specifically targeted via CVE-2026-24858 [6]. Confirm patching status and audit linked FortiCloud accounts.
- Check FortiGate configuration backup access logs. Configuration file extraction is a precursor to credential theft [1].
Active Directory Monitoring
- Monitor for new computer objects created by service accounts. Query AD for recent computer account creations and correlate the creating account. Service accounts like `fortidcagent` should not be joining workstations to the domain under normal operations [1].
- Audit mS-DS-MachineAccountQuota. Set this value to 0 across all domains unless a specific, documented business need exists. The default value of 10 allows any authenticated user to join machines to the domain [1].
- Alert on service account authentication from unusual source IPs. The `fortidcagent` account authenticating from an external IP like `193.24.211[.]61` is a clear indicator of compromise [1].
- Hunt for NTDS.dit access. Monitor for `ntdsutil`, `vssadmin`, or `diskshadow` execution, as well as any process accessing the `NTDS.dit` file path. Also monitor for large outbound transfers over port 443 to unfamiliar destinations [3].
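The two hunts above (computer objects joined by service accounts, and the mS-DS-MachineAccountQuota setting) can be run together from a domain-joined admin workstation. This is an added example, not code from SentinelOne or any of the cited reports; it assumes the RSAT ActiveDirectory module, a 90-day look-back window and an account with read access to the domain, and it relies on the fact that AD stamps the joiner's SID into mS-DS-CreatorSID when the quota, rather than an explicit permission, authorised the join.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$lookback  = (Get-Date).AddDays(-90)      # assumed hunting window
$Remediate = $false                       # set $true to force the quota to 0 (page recommendation)

# 1. Current machine account quota on the domain head object (default is 10).
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $domainDN = $maq"
if ($Remediate -and $maq -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host "Quota set to 0"
}

# 2. Computer objects whose join was authorised by the quota rather than delegated rights.
#    mS-DS-CreatorSID is an octet string holding the creating account's SID; it is empty
#    for machines joined by accounts that hold Create Child rights on the OU.
$quotaJoins = Get-ADComputer -Filter { whenCreated -ge $lookback } `
                  -Properties whenCreated, OperatingSystem, 'mS-DS-CreatorSID' |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }    # SID no longer resolves (deleted account)
        [pscustomobject]@{
            Computer  = $_.Name
            Created   = $_.whenCreated
            OS        = $_.OperatingSystem
            CreatedBy = $creator
            # assumed naming convention for service/bind accounts; adjust to your environment
            ServiceAccountJoin = ($creator -match '(?i)svc|agent|fortidc|bind')
        }
    }

# Service-account joins are listed first: those are the rogue-workstation candidates.
$quotaJoins | Sort-Object ServiceAccountJoin, Created -Descending | Format-Table -AutoSize
```

Any row with ServiceAccountJoin set to True, or any creator that is not a known desktop-provisioning identity, should be checked against change records before the computer object is disabled and the creating account's credentials rotated.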
Endpoint and Network Detection
- Flag Pulseway and MeshAgent installations. Unless these tools are part of your approved software inventory, their presence on any endpoint warrants immediate investigation [3].
- Monitor for PowerShell downloading content from AWS S3 buckets or other cloud storage services, particularly to endpoints that don't normally execute PowerShell [3].
- Watch for DLL side-loading associated with Java processes. The combination of Java malware launched via DLL side-loading is a specific TTP from this campaign [3].
- Query SIEM for authentication events from the external IP `193.24.211[.]61` and for any service account authenticating from outside the internal network range [1].
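Both the "Alert on service account authentication from unusual source IPs" item above and this SIEM query reduce to the same check: successful logons (Security event 4624) for the LDAP bind account whose source address is outside the internal ranges. The following is an added example, not code from any of the cited sources; it assumes it is run on a domain controller (or a collector holding forwarded DC logs), that `fortidcagent` is the bind account name, and that the internal address space is RFC 1918.

```powershell
# Added example (not from the original article). Run on a DC or against forwarded DC logs.
$serviceAccounts = @('fortidcagent')            # LDAP bind account(s) referenced in the FortiGate config
# RFC 1918, loopback and the '-' / '::1' values Windows logs for local logons (assumed internal)
$internalRegex   = '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1$|-$|fe80:)'
$since           = (Get-Date).AddDays(-30)      # assumed look-back window

function Get-ServiceAccountExternalLogons {
    param([string[]]$Accounts, [string]$InternalRegex, [datetime]$StartTime)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 'return' inside ForEach-Object skips to the next event.
        if ($Accounts -notcontains $data['TargetUserName']) { return }
        if ($data['IpAddress'] -match $InternalRegex)        { return }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            SourceIp    = $data['IpAddress']     # 193.24.211[.]61 in the SentinelOne case
            LogonType   = $data['LogonType']     # 3 = network (LDAP bind), 10 = RDP
            Workstation = $data['WorkstationName']
            DC          = $_.MachineName
        }
    }
}

$hits = Get-ServiceAccountExternalLogons -Accounts $serviceAccounts `
                                         -InternalRegex $internalRegex -StartTime $since
if ($hits) { $hits | Sort-Object Time -Descending | Format-Table -AutoSize }
else       { Write-Host "No external logons for $($serviceAccounts -join ', ') since $since" }
```

A legitimate FortiGate bind shows up with the firewall's own internal address as SourceIp, so any hit this function returns is worth treating as a confirmed credential-theft indicator until proven otherwise.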
Credential Hygiene
- Rotate all service account credentials stored in FortiGate configurations. This includes LDAP bind accounts, RADIUS shared secrets, and any other credentials referenced in the device config [1].
- Rotate the KRBTGT account password twice (following Microsoft's guidance for the double-reset procedure) if NTDS.dit exfiltration is confirmed or suspected [3].
Analysis
This campaign represents a significant and ongoing threat to any organization running FortiGate appliances, particularly those with Active Directory integration. We assess with high confidence that multiple threat actors are exploiting these vulnerabilities, given the distinct TTPs observed by SentinelOne [1] and Amazon [4] across what appear to be separate campaigns.
The IAB-consistent behavior observed in at least one incident (creating an account, then periodically verifying access over weeks) [3] strongly suggests that some of these compromises are being sold or handed off to secondary operators. This pattern is common in the ransomware ecosystem, and Leargas Security explicitly flags domain takeover and ransomware staging as high-risk follow-on attacks [2].
The AI-augmented campaign documented by Amazon is likely a preview of future operational patterns. The actor's use of commercial generative AI to scale operations across 600+ devices in 55 countries within five weeks [4] demonstrates that AI tooling is already reducing the cost and increasing the speed of mass exploitation campaigns.
For defenders, the most urgent takeaway is this: patching the FortiGate is necessary but not sufficient. Organizations that were compromised before applying patches almost certainly have attacker-created accounts, extracted credentials, or both still active in their environment. A full investigation of downstream Active Directory artifacts, including computer objects, service account authentication logs, and configuration file access, is required to confirm containment.
The default mS-DS-MachineAccountQuota setting of 10 remains one of the most underappreciated risks in enterprise Active Directory. Any authenticated domain account, including a service account extracted from a firewall config, can silently add machines to the domain. Setting this value to 0 should be treated as a baseline security requirement for every organization.
References
- SentinelOne. "FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise." https://www.sentinelone.com/blog/fortigate-edge-intrusions/
- Leargas Security. "Fortinet Authentication Bypass Vulnerabilities Exploited." March 10, 2026. https://leargassecurity.com/2026/03/10/fortinet-authentication-bypass-vulnerabilities-exploited-for-network-breaches-cve-2025-59718-cve-2025-59719-and-cve-2026-24858/
- The Hacker News. "FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials." https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html
- Amazon Web Services. "AI-augmented threat actor accesses FortiGate devices at scale." https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
- Rapid7. "Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wild." https://www.rapid7.com/blog/post/etr-critical-vulnerabilities-in-fortinet-cve-2025-59718-cve-2025-59719-exploited-in-the-wild/
- SOC Prime. "CVE-2026-24858: FortiOS SSO Zero-Day Exploited in the Wild." https://socprime.com/blog/cve-2026-24858-vulnerability/