FortiGate Firewall Campaign Targets Enterprise Networks
Cybersecurity researchers identified an active campaign in which attackers compromise FortiGate Next-Generation Firewall appliances to gain initial access to corporate networks. The campaign was discovered on March 10, 2026, with threat actors leveraging recently disclosed security flaws and credential-based attacks.
Attackers focus on extracting configuration files from compromised FortiGate devices, which contain sensitive service account credentials and detailed network topology information. This data provides attackers with comprehensive maps of internal infrastructure and privileged access credentials.
Enterprise FortiGate NGFW Deployments at Risk
Organizations running FortiGate Next-Generation Firewall appliances face immediate risk from this campaign. Companies with unpatched FortiGate devices or weak administrative credentials are primary targets for exploitation.
The CISA Known Exploited Vulnerabilities catalog lists multiple FortiGate CVEs that attackers actively exploit in enterprise environments. Network administrators managing FortiGate infrastructure should prioritize security assessments.
Exploitation Methods and Network Compromise Tactics
The campaign combines vulnerability exploitation with credential-based attacks to breach FortiGate appliances. Once inside, attackers extract configuration files containing service account passwords, VPN certificates, and network architecture details.
Security teams should immediately audit FortiGate configurations, enforce strong administrative passwords, and apply all available security patches. Detailed analysis of the FortiGate exploitation techniques shows attackers pivot from firewall compromise to full domain control within hours.
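An added example, not from the original article or from Fortinet: one way to start the configuration audit recommended above, run against an offline backup of your own device's configuration. It lists stored secrets to rotate if the file may have been extracted and flags administrator accounts with no trusted hosts or two-factor setting; the sample config, the names in it, and the list of secret-bearing keys are assumptions.

```python
# Constructed sample in FortiOS backup syntax; names and ENC values are placeholders.
SAMPLE = '''\
config system admin
    edit "admin"
        set password ENC PLACEHOLDER1
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC PLACEHOLDER2
    next
end
config user ldap
    edit "corp-ldap"
        set password ENC PLACEHOLDER3
    next
end
'''
SECRET_KEYS = {"password", "passwd", "psksecret"}  # assumption: starter list, extend

def parse(text):
    """Map each (section, entry, ...) path to its {key: [values]} settings."""
    stack, entries = [], {}
    for line in text.splitlines():
        head, *rest = [t.strip('"') for t in line.split()] or [""]
        if head in ("config", "edit"):
            stack.append(" ".join(rest))
        elif head in ("next", "end") and stack:
            stack.pop()
        elif head == "set" and rest:
            entries.setdefault(tuple(stack), {})[rest[0]] = rest[1:]
    return entries

def audit(text):
    """Return (secrets to rotate, admin accounts missing access restrictions)."""
    rotate, weak = [], []
    for path, kv in parse(text).items():
        rotate += [(" / ".join(path), k) for k in SECRET_KEYS & kv.keys()]
        if len(path) == 2 and path[0] == "system admin":
            why = []
            if not any("trusthost" in k for k in kv):  # none set: no source-IP limit
                why.append("no trusted hosts")
            if kv.get("two-factor") in (None, ["disable"]):
                why.append("no two-factor")
            if why:
                weak.append((path[1], why))
    return sorted(rotate), weak

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The parser is line-based, so multi-line quoted values such as embedded certificates are skipped rather than interpreted.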




