What Happened
Security researchers are tracking an active campaign in which threat actors exploit FortiGate Next-Generation Firewalls to gain network access and extract service account credentials, including LDAP passwords and network topology data.
The attackers exploit recently disclosed CVEs — CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 — along with misconfigured or weakly credentialed administrative accounts. In one confirmed incident, attackers compromised a FortiGate appliance in November 2025, created a local administrator account named “support,” and established firewall policies enabling unrestricted zone traversal. They returned in February 2026 to extract encrypted configuration files containing LDAP credentials and network maps.
Separately, a ransomware-as-a-service operation called The Gentlemen maintains an operational database of approximately 14,700 already-compromised FortiGate devices globally and 969 validated brute-forced VPN credentials ready for use.
Why This Matters for Canadian Organizations
FortiGate is one of the most widely deployed network security platforms in Canada. Federal departments, provincial governments, healthcare systems, financial institutions, and thousands of Canadian businesses run FortiGate infrastructure as their primary perimeter defence.
The LDAP credentials stored on a FortiGate are typically Active Directory service accounts used to authenticate VPN and administrative users, so their theft hands attackers an authenticated foothold in the directory and in everything that trusts it: email systems, file shares, cloud tenants, and remote access infrastructure. Extracted network topology data accelerates attacker planning for ransomware deployment or data exfiltration.
Canadian managed service providers are a particular concern. A single compromised MSP gives attackers access to multiple downstream client environments simultaneously. Organizations in healthcare and government — both high-priority ransomware targets — face compounding risk if their MSP is the entry point.
What to Do
Apply all available FortiOS patches for CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 immediately, and treat any appliance that was exposed while unpatched as potentially compromised: patching closes the entry point but does not remove accounts or policies an attacker has already created. Audit all local administrator accounts on FortiGate appliances against a documented list of approved administrators, looking for unexpected entries such as accounts named “support” or other generic names. Review firewall policy changes from the past six months for unauthorized rules that allow traffic across zones, for example accept policies whose source or destination interface is set to “any”. Rotate LDAP and Active Directory service account credentials. Because the campaign also relies on brute-forced VPN credentials and weakly credentialed administrative accounts, reset exposed VPN credentials, enforce multi-factor authentication, and restrict administrative access to trusted hosts. MSPs should extend this review across all managed client environments.
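As an added example (not code from the article, from Fortinet, or from the researchers it cites), the script below parses a FortiGate configuration backup in FortiOS config / edit / set / next / end syntax and performs the three checks above: local admin accounts outside an allowlist, enabled accept policies whose source or destination interface is “any” (one concrete reading of “unrestricted zone traversal”), and LDAP servers holding a stored bind password, whose service accounts are the ones to rotate. The embedded configuration is constructed for the example; every name, address and credential in it is made up. Treating a missing “set action” as deny and a missing “set status” as enable follows FortiOS defaults, which “show” output omits.

```python
import shlex
import sys

# Constructed sample in FortiOS config syntax (config / edit / set / next / end).
# Every name, address and credential is made up for this example; only the
# structure matches a real "show full-configuration" backup.
SAMPLE_CONFIG = """\
#config-version=FGT-example
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC redacted
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC redacted
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.10.5"
        set username "CN=svc-fgt-ldap,OU=Service,DC=corp,DC=example"
        set password ENC redacted
    next
end
config firewall policy
    edit 1
        set name "lan-to-dmz-web"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
    edit 2
        set name "support"
        set srcintf "any"
        set dstintf "any"
        set action accept
    next
    edit 3
        set name "block-guest"
        set srcintf "any"
        set dstintf "any"
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS config text into {block: {entry: {key: [values]}}}; a config
    block nested inside an entry is keyed by its full path ("firewall policy/1/...")."""
    sections = {}
    path = []     # names of the enclosing config and edit blocks
    entries = []  # attribute dicts of the enclosing edit blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and the version header
            continue
        tokens = shlex.split(line)            # honours the quoting FortiOS uses
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            path.append(" ".join(args))
        elif kw == "edit":
            entry = sections.setdefault("/".join(path), {}).setdefault(args[0], {})
            path.append(args[0])
            entries.append(entry)
        elif kw == "set" and entries:
            entries[-1][args[0]] = args[1:]   # multi-valued settings keep all tokens
        elif kw == "next" and entries:
            path.pop()
            entries.pop()
        elif kw == "end" and path:
            path.pop()
    return sections


def unexpected_admins(cfg, expected):
    """Local admin accounts not on the documented allowlist, with their profile."""
    return sorted((name, a.get("accprofile", [""])[0])
                  for name, a in cfg.get("system admin", {}).items()
                  if name not in expected)


def permissive_policies(cfg):
    """Enabled accept policies with srcintf or dstintf 'any' (traffic may cross every
    zone). 'show' omits defaults: no 'set action' is deny, no 'set status' is enable."""
    return [(pid, p.get("name", [""])[0])
            for pid, p in cfg.get("firewall policy", {}).items()
            if p.get("status", ["enable"])[0] == "enable"
            and p.get("action", ["deny"])[0] == "accept"
            and "any" in p.get("srcintf", []) + p.get("dstintf", [])]


def ldap_bind_accounts(cfg):
    """LDAP servers with a stored bind password: the service accounts to rotate."""
    return [(name, s.get("username", [""])[0])
            for name, s in cfg.get("user ldap", {}).items() if "password" in s]


if __name__ == "__main__":
    cfg = parse_fortios_config(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG)
    print("unexpected admin accounts:", unexpected_admins(cfg, {"admin"}))
    print("enabled any-zone accept policies:", permissive_policies(cfg))
    print("LDAP bind accounts to rotate:", ldap_bind_accounts(cfg))
```

Run it with the path to a configuration backup as the first argument; on the sample it reports the “support” administrator, policy 2 (any to any, accept) and the corp-ldap bind account, while policy 3 is correctly ignored because its action defaults to deny. On the appliance itself the same data is visible in the CLI with “show system admin” and “show firewall policy”; the backup-based check is preferable during an incident because it can be run from a clean host against exports from every managed device, which is the review an MSP needs to repeat across clients.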
Source: The Hacker News