FortiGate Firewalls Are Being Exploited to Steal Your Network Credentials Right Now — Here Is Your Action Plan

If you are running FortiGate firewalls in your network right now, stop reading this on your phone and go sit at your desk. This is one of those articles.

SentinelOne published a report yesterday detailing a campaign where attackers are exploiting FortiGate Next-Generation Firewall appliances to break into networks, extract configuration files, and steal service account credentials — including Active Directory and LDAP credentials that effectively hand over the keys to the entire environment.

The targets? Healthcare organizations, government agencies, and managed service providers. You know, the ones that can least afford to be breached.

I spent most of yesterday afternoon on calls with two different clients who run FortiGate appliances, and I want to walk through exactly what is happening, why it matters more than the usual “patch your stuff” advisory, and what you need to do about it right now.

What Is Actually Happening

Let me break this down in plain English, because the security advisories are written in a dialect of English that only other security researchers seem to understand.

Attackers are getting into FortiGate firewalls through two methods:

  1. Exploiting recently disclosed vulnerabilities — these are known bugs that have patches available, but many organizations have not applied them yet
  2. Using weak or default credentials — and yes, in 2026, there are still FortiGate appliances sitting on the internet with default passwords. I wish I were making this up.

Once inside the firewall, the attackers are not doing what you might expect. They are not immediately deploying ransomware or exfiltrating customer data. Instead, they are going after something potentially more valuable: the firewall’s configuration files.

Why? Because a FortiGate configuration file is basically a treasure map. It contains:

  • Network topology information (how everything connects to everything)
  • Service account credentials (often stored in plaintext or easily reversible formats)
  • VPN configurations (how remote users connect)
  • Firewall rules (what traffic is allowed where)
  • LDAP and Active Directory integration details

My colleague Hannah, who does incident response for a living, described it this way: “Imagine someone broke into a building and instead of stealing anything, they photographed every lock, every alarm system, and every security camera angle. Then they left. And came back later when they knew exactly how to move through the building unseen.”

That is what is happening here. The initial breach is reconnaissance. The real attack comes later.

Why FortiGate Appliances Are Such Juicy Targets

Here is the thing that makes this particularly nasty: firewalls, by their very nature, have extensive access to the environments they protect. This is not a design flaw. This is literally their job. A FortiGate appliance needs to see and manage traffic across your entire network to function properly.

But that means when an attacker compromises one, they do not just get access to a single server or workstation. They get a bird’s-eye view of the entire network. SentinelOne’s researchers — Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne — specifically noted that in many configurations, the firewall has service accounts connected to Active Directory and LDAP infrastructure.

In non-technical terms: the thing protecting your castle also has the master key to every room inside it.

Marcus, a network architect I have worked with for about eight years, called me about this last night. “I have been saying for years that we treat firewalls like they are invincible,” he said. “We put all this effort into patching servers and endpoints, and then the firewall just sits there running the same firmware from 18 months ago because nobody wants to risk the downtime of updating it.”

He is not wrong. I have seen the same pattern at dozens of organizations. The firewall becomes this untouchable monolith that everyone is afraid to update because the last time someone tried, the VPN went down and the CEO could not check email from the golf course.

The Healthcare and MSP Connection

The targeting of healthcare organizations and managed service providers is not random. These are high-value environments for very specific reasons:

Healthcare

Medical records sell for 50-1,000 each on dark web markets, compared to -10 for a credit card number. Healthcare organizations are also more likely to pay ransoms because system downtime can literally cost lives. And — this is the uncomfortable part — healthcare IT is chronically underfunded and understaffed. A hospital with a million IT budget serving 500 beds does not have the same security posture as a tech company with a million security budget serving nobody’s health.

Managed Service Providers

Compromising an MSP is a force multiplier. One breached MSP can give attackers access to dozens or hundreds of client networks. This is the supply-chain attack model that has been devastatingly effective — remember the Kaseya attack in 2021? Same principle, different entry point.

If your MSP manages your FortiGate appliances, you need to be asking them some very pointed questions right now. Like “when was the last firmware update?” and “have you changed the default credentials?” and “why do you look so nervous?”

What You Need to Do Right Now

I am going to be blunt: if you have FortiGate appliances in your environment, you should treat this as a priority-one action item. Not tomorrow. Not “when we get to it.” Now.

Step 1: Identify and Inventory

Do you actually know how many FortiGate appliances you have? Where they are? What firmware they are running? I have asked this question at incident response engagements and gotten blank stares more often than I would like to admit.

Run a scan. Check your asset inventory. Talk to your MSP. Get a complete list.

Step 2: Patch Immediately

Fortinet has released patches for the vulnerabilities being exploited. Apply them. Yes, there is downtime involved. Yes, it is inconvenient. It is significantly less inconvenient than explaining to your board why attackers had your Active Directory credentials for six weeks.

The specific CVEs to look for (check Fortinet’s security advisories page for the latest list) include several critical and high-severity vulnerabilities disclosed in late 2025 and early 2026. If your firmware is more than 90 days behind, assume you are vulnerable.

Step 3: Rotate Credentials

This is the step people skip, and it is arguably the most important. Even if you patch, if attackers already extracted your configuration file, they have your service account passwords. Patching closes the door. Rotating credentials changes the locks.

Specifically:

  • Change all service account passwords that were configured in the FortiGate appliance
  • Rotate LDAP bind credentials
  • Update VPN pre-shared keys
  • Review and rotate any API keys stored in the configuration

Step 4: Check for Indicators of Compromise

SentinelOne’s report includes specific indicators of compromise (IOCs). Check your logs for:

  • Unexpected configuration downloads or backups
  • Login attempts from unusual IP addresses
  • New admin accounts you did not create
  • Changes to firewall rules or policies you did not authorize
  • Unusual outbound traffic from the firewall management interface
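As an added illustration (this is not code from SentinelOne's report or from this article), here is a small Python triage script that applies the first four checks above to FortiGate-style key=value event logs. The sample log lines, the trusted management networks, and the exact logdesc/action/cfgpath values it matches on are constructed assumptions; compare them against what your own appliance actually emits before trusting the results.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical: networks from which admin logins are expected (adjust to your environment).
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# FortiGate event logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate_log(line):
    """Parse one key=value log line into a dict with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(event):
    """Map one parsed event to the IOC categories of Step 4 (empty list = nothing to flag)."""
    hits = []
    desc, action, cfgpath = (event.get(k, "").lower() for k in ("logdesc", "action", "cfgpath"))
    src = event.get("srcip", "")
    if "backup" in desc or "backup" in action:           # config download / backup
        hits.append("config_backup")
    if action in ("login", "login-failed") and src:       # login from outside trusted nets
        try:
            if not any(ip_address(src) in net for net in TRUSTED_MGMT_NETS):
                hits.append("login_from_untrusted_ip")
        except ValueError:                                # srcip field was not an IP at all
            hits.append("login_with_unparseable_srcip")
    if cfgpath == "system.admin" and action == "add":     # new admin account
        hits.append("new_admin_account")
    if cfgpath.startswith("firewall.policy") and action in ("add", "edit", "delete"):
        hits.append("policy_change")                       # rule/policy change
    return hits

def triage(lines):
    """Return (user, srcip, categories) for each line matching at least one IOC category."""
    findings = []
    for line in lines:
        ev = parse_fortigate_log(line)
        cats = classify(ev)
        if cats:
            findings.append((ev.get("user", "?"), ev.get("srcip", "?"), cats))
    return findings

# Constructed sample lines modelled on FortiGate's key=value event log format (not real logs).
SAMPLE_LOGS = [
    'date=2026-02-03 time=09:12:01 type="event" logdesc="Admin login successful" user="admin" srcip=10.1.2.3 action="login" status="success"',
    'date=2026-02-03 time=02:41:17 type="event" logdesc="Admin login successful" user="admin" srcip=203.0.113.77 action="login" status="success"',
    'date=2026-02-03 time=02:42:05 type="event" logdesc="Configuration backed up" user="admin" srcip=203.0.113.77 action="backup-config" status="success"',
    'date=2026-02-03 time=02:43:30 type="event" logdesc="Object configured" user="admin" srcip=203.0.113.77 cfgpath="system.admin" cfgobj="svc_backup" action="add"',
    'date=2026-02-03 time=02:44:10 type="event" logdesc="Object configured" user="admin" srcip=203.0.113.77 cfgpath="firewall.policy" cfgobj="42" action="edit"',
]
```

Running `triage(SAMPLE_LOGS)` flags the four off-hours events from 203.0.113.77 (untrusted login, config backup, new admin, policy edit) and ignores the daytime login from the trusted network; feed it your exported event log instead of the sample list.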

Step 5: Restrict Management Access

If your FortiGate management interface is accessible from the public internet, fix that today. Management access should be restricted to specific, trusted IP addresses or available only through an out-of-band management network. No exceptions.

“But what if I need to manage it remotely?”

VPN into the management network first, then access the interface. Two hops. It takes an extra 30 seconds and makes you significantly harder to compromise.

The Bigger Picture: Why Edge Device Security Keeps Failing

This is not the first time we have seen network appliances exploited at scale, and it will not be the last. In the past 18 months alone, we have seen major campaigns targeting Ivanti VPN gateways, Citrix NetScaler appliances, and Cisco ASA firewalls. The pattern is always the same:

  1. Critical vulnerability discovered in edge device
  2. Vendor releases patch
  3. Organizations delay patching because “it is working fine”
  4. Attackers exploit unpatched devices en masse
  5. Everyone acts surprised

We need to stop being surprised. Edge devices — firewalls, VPN gateways, load balancers — are the most valuable targets on your network because they sit at the boundary between your organization and the internet. They see everything. They have access to everything. And they are often the least frequently updated devices in the environment.

Jake, a CISO I meet for drinks about once a month, has what he calls the “edge device rule”: any device that touches the public internet gets patched within 48 hours of a critical vulnerability disclosure, no exceptions. “If that means scheduling emergency maintenance windows, so be it,” he told me. “I would rather explain a 30-minute maintenance window to the business than a 30-day incident response engagement.”

Hard to argue with that math.

What to Tell Your Boss

If you need to escalate this to leadership, here is how I would frame it:

“There is an active campaign targeting FortiGate firewalls. Attackers are stealing network credentials that could give them access to our entire environment, including Active Directory. Healthcare and managed service providers are the primary targets. We need to patch our firewalls and rotate all associated credentials within 48 hours. The cost of not doing this is significantly higher than the cost of the maintenance window.”

If they push back on the urgency, show them SentinelOne’s report. If they still push back, update your resume. (I am only half joking.)

The Bottom Line

FortiGate firewalls are being actively exploited to steal the credentials that protect your entire network. The attackers are patient, methodical, and specifically targeting organizations in healthcare, government, and managed services.

The fix is not complicated: patch, rotate credentials, restrict management access, check for compromise. The hard part is doing it now instead of putting it on next month’s maintenance schedule.

Your firewall is supposed to be the guard at the gate. Right now, for a lot of organizations, the guard has been compromised and is handing out copies of the master key. Act accordingly.

(And if your FortiGate management interface is currently accessible from the public internet with default credentials, we need to talk. Seriously. My DMs are open. This is not a drill.)
