Cybersecurity researchers are drawing attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as an entry point to break into victims’ networks.
SentinelOne said in a report published today that the activity involves exploiting recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information. The company said the campaign has affected environments in the healthcare, government and managed service provider sectors.
“FortiGate network devices have considerable access to the environments they were installed to protect,” said security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy and Amy Patney. “In many configurations, this includes service accounts that are tied to authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”
“This setup can enable the device to map roles to specific users by bringing in attributes about the connection that is being analyzed and correlated with directory information, which is useful in cases where role-based policies are set or to increase response speed to network security alerts detected by the device.”
However, the cybersecurity company noted that such access could be exploited by attackers who break into FortiGate appliances through known vulnerabilities (for example, CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfiguration.
In one incident, attackers are said to have breached a FortiGate appliance in November 2025, created a new local administrator account named “Support” and used it to create four new firewall policies allowing unrestricted traversal across all network zones.
The threat actor then checked back periodically to confirm that the device was still accessible, behaviour consistent with an Initial Access Broker (IAB) maintaining a foothold in order to sell it to other criminal actors for monetary gain. The next phase of activity was detected in February 2026, when an attacker extracted a configuration file possibly containing encrypted service account FTP credentials.
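The two configuration changes described in this incident, a newly created local administrator followed by permissive firewall policies created by that same account, are exactly the kind of sequence a defender can alert on from the appliance's own configuration-change events. The following is an added example, not code from the original report or from SentinelOne: the sample lines are constructed to approximate FortiGate's key=value syslog format, so the field names (`cfgpath`, `cfgobj`, `cfgattr`, `action`, `ui`) and their values are assumptions; only the account name “Support” comes from the article.

```python
"""Flag FortiGate configuration-change events for the two steps described above:
a newly created local administrator, and new firewall policies that permit
any-to-any traffic, escalated when the policy's author is that new account.

Added example, not code from the original report or from SentinelOne. Sample
lines are constructed to approximate FortiGate's key=value syslog format; the
field names and values are assumptions."""
import re
from typing import Dict, List

# Constructed sample events, not real telemetry.
SAMPLE_LOGS = [
    'date=2025-11-03 time=02:14:09 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" '
    'action="Add" cfgpath="system.admin" cfgobj="Support" cfgattr="accprofile[super_admin]"',
    'date=2025-11-03 time=02:16:41 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="Support" ui="https(203.0.113.45)" '
    'action="Add" cfgpath="firewall.policy" cfgobj="41" '
    'cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]service[ALL]action[accept]"',
    'date=2025-11-03 time=09:00:12 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(10.0.0.5)" '
    'action="Edit" cfgpath="firewall.address" cfgobj="web-srv" cfgattr="subnet[10.0.1.20/32]"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Attribute tokens that together make a policy an effective any-to-any permit.
PERMISSIVE_TOKENS = ("srcaddr[all]", "dstaddr[all]", "action[accept]")


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return findings in log order. A permissive policy added by an admin
    account that was itself created earlier in the same batch is rated high,
    which is the sequence the incident write-up describes."""
    new_admins = set()
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "Add":
            continue  # only object creations matter for these two rules
        path = ev.get("cfgpath", "")
        actor = ev.get("user", "")
        if path == "system.admin":
            new_admins.add(ev.get("cfgobj", ""))
            findings.append({"rule": "new-admin-account", "severity": "medium",
                             "object": ev.get("cfgobj", ""), "by": actor,
                             "source": ev.get("ui", "")})
        elif path == "firewall.policy":
            attr = ev.get("cfgattr", "")
            if all(tok in attr for tok in PERMISSIVE_TOKENS):
                findings.append({"rule": "permissive-policy-added",
                                 "severity": "high" if actor in new_admins else "medium",
                                 "object": ev.get("cfgobj", ""), "by": actor,
                                 "source": ev.get("ui", "")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

Run against a real syslog feed, the same two rules would be applied per line; the `ui` field (management interface and source address) is kept in each finding because an administrative login from an unexpected address is usually the first thing an analyst wants to see.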
“Evidence shows the attacker authenticating to AD using cleartext credentials from the FortiDagent service account, which suggests the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne said.
The attacker then used the service account to authenticate to the victim’s environment and enroll rogue workstations into AD, giving them deep access. Network scanning followed, at which point the breach was detected and further lateral movement was stopped.
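A directory-bound firewall service account has a very narrow legitimate job, so any logon from a host other than the firewall, or any computer-object creation by that account, is a strong signal for the rogue-workstation enrolment described above. The following is an added example, not code from the original report or from SentinelOne: the event records are constructed in the shape of Windows Security log fields (event IDs 4624 for logon and 4741 for computer account creation are real; the account name `svc-fortigate-ldap`, the firewall address `10.0.0.1` and the host names are assumptions).

```python
"""Triage Windows Security events for misuse of a firewall's directory service
account: logons from a source that is not the firewall, and creation of computer
objects (rogue workstation enrolment) by that account.

Added example, not from the original report or from SentinelOne. All records
below are constructed; the account, addresses and host names are assumptions."""
from typing import Dict, List, Set

# Service accounts only the firewall should use, mapped to the address(es) they
# are expected to authenticate from (constructed allowlist).
SERVICE_ACCOUNTS: Dict[str, Set[str]] = {"svc-fortigate-ldap": {"10.0.0.1"}}

# Constructed events shaped like Windows Security log fields.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Normal: firewall binds to the directory from its own address.
    {"EventID": 4624, "TargetUserName": "svc-fortigate-ldap",
     "IpAddress": "10.0.0.1", "LogonType": 3},
    # Suspicious: the same account authenticating from an unexpected host.
    {"EventID": 4624, "TargetUserName": "svc-fortigate-ldap",
     "IpAddress": "10.0.5.77", "LogonType": 3},
    # Suspicious: the service account creates a new computer object.
    {"EventID": 4741, "SubjectUserName": "svc-fortigate-ldap",
     "TargetUserName": "DESKTOP-X7Q2$"},
    # Unrelated user logon, should not be flagged.
    {"EventID": 4624, "TargetUserName": "jdoe",
     "IpAddress": "10.0.2.15", "LogonType": 2},
]


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return findings in event order for the two misuse patterns."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4624:
            acct = str(ev.get("TargetUserName", ""))
            src = str(ev.get("IpAddress", ""))
            if acct in SERVICE_ACCOUNTS and src not in SERVICE_ACCOUNTS[acct]:
                findings.append({"rule": "service-account-logon-unexpected-source",
                                 "account": acct, "source": src})
        elif eid == 4741:
            acct = str(ev.get("SubjectUserName", ""))
            if acct in SERVICE_ACCOUNTS:
                findings.append({"rule": "service-account-created-computer",
                                 "account": acct,
                                 "computer": str(ev.get("TargetUserName", ""))})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is the important design choice: the account is expected to authenticate from exactly one place, so the rule needs no baseline period and fires on the first deviation. In a real deployment the 4741 finding would also be correlated back to the originating logon session to recover the source host.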
In another case investigated in late January 2026, attackers moved quickly from firewall access to deploying remote access tools such as Pulseway and MeshAgent. The threat actor also used PowerShell to download the malware from a cloud storage bucket hosted on Amazon Web Services (AWS) infrastructure.
Java malware launched via DLL side-loading was used to exfiltrate the contents of the NTDS.dit file and the SYSTEM registry hive to an external server (172.67.196[.]232) on port 443.
“Although the actor may have attempted to crack passwords from the data, no such credential use was identified between the time of credential harvesting and incident containment,” SentinelOne said.
“NGFW tools have become ubiquitous because they provide strong network monitoring capabilities for organizations by integrating the security controls of the firewall with other management features such as AD,” it said. “However, these tools are high-value targets for actors with a variety of motivations and skill levels, from state-aligned actors conducting espionage to financially motivated attacks such as ransomware.”