Attackers exploit FortiGate devices to access sensitive network information

Attackers are actively compromising FortiGate network security appliances to establish unauthorized access within corporate environments and exfiltrate critical network configuration data. This campaign initiates via the exploitation of undisclosed vulnerabilities or through the leveraging of weak authentication credentials present on the FortiGate devices, serving as the primary vectors for initial network ingress. SentinelOne researchers issued this alert, detailing how threat actors, once past the perimeter, systematically extract configuration files¹. These files are frequently repositories for sensitive service account credentials and detailed schematics of the internal network architecture, offering adversaries a blueprint for further exploitation. The ongoing incursions predominantly target organizations across the healthcare sector, various government agencies, and managed service providers, indicating a broad strategic focus on high-value and interconnected entities. The theft of such granular network intelligence provides adversaries with invaluable tools, enabling deeper penetration, persistent access, and potential supply chain compromise. Organizations utilizing FortiGate equipment must urgently review their security posture, patch management, and credential hygiene to counter this persistent and highly impactful data theft operation.