FortiGate Config Theft: Stealing Service Accounts from the Edge
Has anyone else been digging into the latest reports on FortiGate appliances being used as initial access vectors? It looks like threat actors are aggressively targeting exposed devices not just for DDoS or tunneling, but specifically to dump the system configuration files.
The really concerning part here is the payload. Once they compromise the device (via weak creds or the latest CVEs like CVE-2026-2394), they are extracting the plain-text service account credentials stored for LDAP/Active Directory integration and SSL VPNs. Since the config contains the full network topology and high-privilege creds, it's basically a golden ticket for lateral movement.
If you manage FortiGates, I highly recommend auditing your configuration backups. If an attacker pulls the config, they have everything they need. Ensure your local admin accounts have strong passwords and check your logs for unauthorized config exports.
Here is a quick KQL query I’m using to hunt for suspicious backup attempts in our SIEM:
FortiAnalyzer
| where MessageType == "event"
| where SubType == "system"
| where EventName contains "backup" or EventName contains "execute"
| project TimeGenerated, SourceIP, User, Action, Message
| order by TimeGenerated desc
Are you guys seeing this behavior in the wild, or is it mostly noise so far? How are you handling the service account storage on your edge devices?
We caught a similar attempt last week on a client's HA pair. The attackers didn't even exploit a zero-day; they just brute-forced the local 'admin' account which was still set to the factory default (rookie mistake, I know). Once in, they ran execute backup config ftp immediately.
I highly recommend disabling local admin accounts entirely and forcing management through FortiManager or SSO. Also, check your firewall policies for 'Any' to 'Any' rules on the SSL VPN interface—that's usually what they are after.
Good post. The risk isn't just the firewall config, but the underlying LDAP connector keys. If those service accounts have reset permissions on AD, it's game over.
On the detection side, you might want to add a trigger for successful SSH logins followed immediately by 'show' commands. The config extraction often looks like:
show full-configuration
We've set up an alert for any SSH session that executes more than 5 'show' commands within a minute. It catches most recon attempts.
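Both the backup hunt from the opening post's KQL query and the "more than 5 'show' commands in a minute" alert described just above, implemented in one place over constructed log lines. This is an added example, not code from any post in this thread. The lines are constructed in the key=value style FortiOS uses for syslog; the action="show" and cmd=... fields on CLI-audit lines are an assumption about how your collector labels admin commands, so map them to your own schema before using this.

```python
"""Added example (not from any post in this thread): the two hunts discussed
here, run over constructed FortiOS-style key=value log lines.
  (a) configuration backup/export events, mirroring the KQL hunt in the opening post
  (b) SSH sessions issuing more than 5 'show' commands within one minute
The action="show" and cmd=... fields are an ASSUMPTION about the collector's schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real telemetry (203.0.113.0/24 is documentation space).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.9)"
date=2024-05-01 time=10:00:05 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="show" cmd="show system admin"
date=2024-05-01 time=10:00:08 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="show" cmd="show user ldap"
date=2024-05-01 time=10:00:11 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="show" cmd="show vpn ssl settings"
date=2024-05-01 time=10:00:14 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="show" cmd="show firewall policy"
date=2024-05-01 time=10:00:17 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="show" cmd="show system interface"
date=2024-05-01 time=10:00:20 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="show" cmd="show full-configuration"
date=2024-05-01 time=10:00:30 type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="backup" msg="User admin backed up the configuration" cmd="execute backup config ftp"
date=2024-05-01 time=10:02:00 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=10.0.0.10 action="accept" msg="traffic noise"
date=2024-05-01 time=10:05:00 type="event" subtype="system" user="ops" ui="ssh(10.0.0.5)" action="show" cmd="show system interface"
date=2024-05-01 time=10:05:10 type="event" subtype="system" user="ops" ui="ssh(10.0.0.5)" action="show" cmd="show router static"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones stop at whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


EVENTS = [parse_line(l) for l in SAMPLE_LOGS.splitlines() if l.strip()]


def find_backup_events(events):
    """Mirror of the KQL hunt: system events whose action, message or command
    mentions 'backup' or 'execute'. Expect some benign noise from legitimate admins."""
    hits = []
    for e in events:
        if e.get("type") != "event" or e.get("subtype") != "system":
            continue
        blob = " ".join((e.get("action", ""), e.get("msg", ""), e.get("cmd", ""))).lower()
        if "backup" in blob or "execute" in blob:
            hits.append(e)
    return hits


def find_show_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, ui): peak_count} for SSH sessions that issued MORE than
    `threshold` show commands inside any sliding `window`."""
    by_session = defaultdict(list)
    for e in events:
        if e.get("action") == "show" and e.get("ui", "").startswith("ssh("):
            by_session[(e["user"], e["ui"])].append(e["ts"])
    flagged = {}
    for sess, times in by_session.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[sess] = max(flagged.get(sess, 0), count)
    return flagged


if __name__ == "__main__":
    for hit in find_backup_events(EVENTS):
        print("backup/execute:", hit["ts"], hit["user"], hit["ui"], hit.get("cmd", hit.get("msg")))
    for (user, ui), n in find_show_bursts(EVENTS).items():
        print(f"show burst: {user} from {ui}, {n} show commands in 60s")
```

In the constructed data the session from 203.0.113.9 issues six `show` commands in fifteen seconds and then runs the backup, so it trips both rules, while the two-command `ops` session does not. The window is strictly "more than threshold" to match the post's wording; lower it, or key the burst on `ui` alone, if your admins share accounts.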
This is why I always push for dedicated 'jump boxes' for management. You shouldn't be managing your NGFWs from the open internet, period. Even with 2FA, if they steal the config file, they can decrypt it offline if they have the device hash.
For those auditing, run this against your backups to see if you have hardcoded credentials lurking:
grep -i "set password" fortigate_config.conf
If you see clear text passwords, rotate them immediately.
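The grep above matches every `set password` line, including ones FortiOS has already stored as `set password ENC <blob>`, so it over-reports and hides the few lines that actually matter. This added example (not code from the post) walks a backup's `config` / `edit` / `next` / `end` nesting and separates encrypted from clear-text secret values, reporting the config path and key rather than the value itself. The sample configuration is constructed, and the set of secret-bearing keys is an assumption to extend for your FortiOS version.

```python
"""Added example (not from any post in this thread): audit a FortiGate
configuration backup for clear-text secrets. Refines grep -i "set password"
by distinguishing 'set password ENC <blob>' (stored encrypted) from a quoted
literal. SECRET_KEYS is an ASSUMPTION; extend it for your FortiOS version."""

# Constructed sample backup, not a real device configuration.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2k9constructedblob==
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example"
        set password "SuperSecret123"
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
end
config system sdn-connector
    edit "azure"
        set client-secret ENC ABC123constructedblob==
    next
end
"""

# Keys whose values are credentials; assumption, widen as needed.
SECRET_KEYS = {"password", "passwd", "secret", "client-secret", "psksecret", "presharedkey"}


def audit_config(text):
    """Return one finding per secret-bearing 'set' line: the config path it lives
    under, the key, and whether the value is stored encrypted (ENC prefix).
    The secret itself is deliberately not returned."""
    findings = []
    path = []  # stack of config/edit names, e.g. ["user ldap", "corp-ad"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            path.append(line[len("config "):])
        elif line.startswith("edit "):
            path.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            if path:
                path.pop()
        elif line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            key, value = parts[1], parts[2]
            if key in SECRET_KEYS:
                findings.append({
                    "path": " / ".join(path),
                    "key": key,
                    "encrypted": value.startswith("ENC "),
                })
    return findings


def cleartext_findings(text):
    """Only the findings that need immediate rotation: secrets stored as literals."""
    return [f for f in audit_config(text) if not f["encrypted"]]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        state = "encrypted" if f["encrypted"] else "CLEAR TEXT - rotate"
        print(f"{f['path']}: set {f['key']} -> {state}")
```

On the constructed backup the only clear-text hit is the LDAP bind account under `user ldap / corp-ad`, which is exactly the service-account exposure the thread is about. Note that an ENC value still has to be treated as compromised once the file has left the device; this check only prioritises what to rotate first.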