
FortiGate Under Fire: Credential Harvesting via Config Leaks

AppSec_Jordan 3/10/2026 USER

Hey everyone, just caught the latest report on threat actors actively abusing FortiGate NGFWs. It looks like the focus here isn't just persistence, but immediate credential harvesting.

The attackers are exploiting recent vulnerabilities or weak credentials to dump the device configuration files. The scary part is what's inside those configs: service account credentials, LDAP bind details, and full network topology maps. Once they have that, they don't need to exploit the firewall further; they just authenticate as a trusted internal service.

I'm auditing our edge appliances right now to ensure no sensitive keys are hardcoded in the config. If you haven't rotated your service accounts recently, now might be the time.

Here is a quick query I'm using in our SIEM to hunt for suspicious config exports:

// Hunt for CLI commands that export the running configuration
FortiGateEvent
| where EventID in ("4", "5")
// "contains" is case-insensitive in KQL, so mixed-case commands still match
| where Message contains "execute backup config" or Message contains "show full-configuration"
| project TimeGenerated, SrcUser, Message
| order by TimeGenerated desc

Is anyone else seeing scans on port 443 or 22 correlating with these backup attempts? How are you handling secrets management on edge appliances to prevent this kind of loot?
SecurityTrainer_Rosa 3/10/2026

We caught something similar last week. We implemented a correlation rule looking for execute backup config commands immediately following a successful login from a new GeoIP location.

Also, double-check your local-in policies. We found that restricting management access to specific internal subnets and our VPN block significantly reduced the attack surface. If you expose the admin panel to the WAN, MFA is non-negotiable now.
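A small detection routine, added here as an illustration and not code from either poster, that combines Jordan's hunt for config-export commands with Rosa's correlation rule: it replays FortiGate-style key=value event lines (constructed samples, not real logs; the field layout only approximates FortiOS event logs) and flags an export issued within 30 minutes of a successful login from a source outside that user's baseline. A per-user set of known IPs stands in for the GeoIP lookup, and the SAMPLE_LOGS, KNOWN_SOURCES and function names are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# CLI commands that export the running configuration (the ones the hunt query looks for).
EXPORT_CMDS = ("execute backup config", "show full-configuration")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample events; the layout approximates FortiOS key=value event logs.
SAMPLE_LOGS = [
    'date=2026-03-10 time=09:58:10 user="admin" ui="https(10.10.5.20)" action="login" status="success"',
    'date=2026-03-10 time=09:59:02 user="admin" ui="https(10.10.5.20)" msg="show full-configuration"',
    'date=2026-03-10 time=10:14:41 user="svc_backup" ui="ssh(198.51.100.77)" action="login" status="success"',
    'date=2026-03-10 time=10:15:03 user="svc_backup" ui="ssh(198.51.100.77)" msg="execute backup config tftp fw.conf 198.51.100.77"',
    'date=2026-03-10 time=12:30:00 user="admin" ui="ssh(203.0.113.9)" action="login" status="success"',
    'date=2026-03-10 time=13:45:00 user="admin" ui="ssh(203.0.113.9)" msg="show full-configuration"',
]
# Baseline of sources each account normally logs in from (stand-in for a GeoIP check).
KNOWN_SOURCES = {"admin": {"10.10.5.20"}, "svc_backup": {"10.10.5.30"}}

def parse_event(line):
    """Parse one key=value event line into a dict (quoted values may contain spaces)."""
    return {k: quoted if raw.startswith('"') else raw for k, raw, quoted in KV_RE.findall(line)}

def src_ip(fields):
    """Pull the client address out of ui="ssh(203.0.113.9)" / ui="https(...)"."""
    m = re.search(r"\(([^)]+)\)", fields.get("ui", ""))
    return m.group(1) if m else None

def find_suspicious_exports(lines, known_sources, window=timedelta(minutes=30)):
    """Return (user, ip, command) for config exports issued within `window` of a
    successful login from a source that is not in that user's baseline."""
    unfamiliar_logins = {}  # (user, ip) -> time of the unfamiliar login
    alerts = []
    for line in lines:
        ev = parse_event(line)
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        key = (ev.get("user"), src_ip(ev))
        if ev.get("action") == "login" and ev.get("status") == "success":
            if key[1] not in known_sources.get(key[0], set()):
                unfamiliar_logins[key] = ts
        cmd = ev.get("msg", "").lower()
        # Only exports from the same user *and* the same unfamiliar source count.
        if any(c in cmd for c in EXPORT_CMDS) and key in unfamiliar_logins:
            if ts - unfamiliar_logins[key] <= window:
                alerts.append((key[0], key[1], ev["msg"]))
    return alerts

if __name__ == "__main__":
    for user, ip, cmd in find_suspicious_exports(SAMPLE_LOGS, KNOWN_SOURCES):
        print(f"ALERT: {user} from unfamiliar source {ip} ran: {cmd}")
```

In the samples, only svc_backup's export trips the rule: the admin export from 10.10.5.20 comes from a baseline source, and the later admin export from 203.0.113.9 falls outside the 30-minute window.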

RedTeam_Carlos 3/10/2026

From a pentester's perspective, this is critical because those config files are essentially plaintext treasure maps. I often find API keys for connectors (AWS/Azure) or hashed passwords for local accounts right in the show full-configuration output.

If you can't avoid storing secrets in the config, at least ensure you are using Two-Factor Authentication for local admin accounts and restricting CLI/SSH access via:

config system global
    # Do not redirect plain HTTP admin requests to the HTTPS admin interface
    set admin-https-redirect disable
    # Disable the maintainer account used for console password recovery
    set admin-maintainer disable
end

It forces the attackers to work much harder for that config file.
