Hackers Leverage FortiGate Appliances to Breach Systems and Extract Service Account Credentials

Cybersecurity experts are sounding the alarm about a newly observed campaign in which attackers are exploiting FortiGate Next-Generation Firewall (NGFW) appliances as initial access points to infiltrate target networks.

According to a report released today by SentinelOne, the campaign relies on abusing recently disclosed FortiGate vulnerabilities or weak administrative passwords. Once inside, adversaries extract configuration files that contain service account credentials and detailed network topology information. The attacks have primarily focused on healthcare organizations, government entities, and managed service providers.

“FortiGate appliances typically have deep visibility into the networks they protect,” wrote researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne. “In many deployments, these devices are integrated with authentication services like Active Directory (AD) or LDAP through service accounts.”

This integration allows the firewall to retrieve attributes tied to user sessions and correlate them with directory data, a capability used to enforce role-based policies and streamline security event processing. However, SentinelOne warned that this same level of access becomes a liability once attackers compromise the device, whether through known flaws such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 or through misconfiguration such as weak administrative passwords: the directory credentials the appliance holds become the attacker's credentials.

One incident described in the report involved attackers who gained unauthorized access to a FortiGate firewall in November 2025. They created a new local administrator account named “support” and configured four permissive firewall rules that allowed unrestricted movement across all network zones.

The intruders continued to check the device sporadically, behavior consistent with initial access brokers (IABs) who maintain persistence before selling access to other criminal groups. By February 2026, an attacker had allegedly retrieved the configuration file containing encrypted LDAP service account credentials.

“Available evidence indicates the attacker successfully authenticated to AD using plaintext credentials associated with the fortidcagent service account,” SentinelOne noted, implying that the intruder decrypted the device configuration and extracted sensitive credentials.
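The two artifacts the report describes, an unexpected local administrator and a set of any-to-any policies on the device, together with the LDAP bind credential that makes the config backup worth stealing, are all visible in a FortiGate configuration backup. The audit below is an added example written for this article, not SentinelOne's tooling or any Fortinet product code: it parses a constructed, simplified FortiOS-style CLI backup (the section and `set` keywords follow FortiOS conventions, but the excerpt is invented and trimmed, and the allowlisted admin name `admin` is an assumption) and reports rogue admins, fully permissive accept policies, and LDAP entries that store a service-account password.

```python
from collections import defaultdict

# Constructed FortiOS-style backup excerpt (NOT a real device config). It models
# what the article describes: an extra "support" super_admin, an any-to-any
# accept policy, and an LDAP binding that stores a service-account password.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AAAA
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC BBBB
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set dn "dc=corp,dc=local"
        set type regular
        set username "CN=fortidcagent,OU=Service Accounts,DC=corp,DC=local"
        set password ENC CCCC
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
    next
    edit 2
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""


def parse_fortios(text):
    """Parse the FortiOS CLI format into {section: {entry: {key: value}}}.

    'config X' opens a section, 'edit Y' ... 'next' delimits an entry, and
    'set k v' lines inside an entry are captured (quotes stripped). Nested
    'config' blocks inside an entry are skipped.
    """
    cfg = defaultdict(dict)
    section, entry, nested = None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if entry is None:
                section = line[7:]
            else:
                nested += 1          # sub-block inside an entry: ignore it
        elif line == "end":
            if nested:
                nested -= 1
            else:
                section = None
        elif nested:
            continue
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            cfg[section][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            cfg[section][entry][key] = value.strip('"')
    return cfg


EXPECTED_ADMINS = {"admin"}   # assumption: the only sanctioned local admin


def find_rogue_admins(cfg, expected=EXPECTED_ADMINS):
    """Local admin accounts not on the allowlist (the article's 'support')."""
    return sorted(a for a in cfg["system admin"] if a not in expected)


def find_permissive_policies(cfg):
    """Accept policies matching any interface, any address and any service."""
    wide = {"srcintf": "any", "dstintf": "any", "srcaddr": "all",
            "dstaddr": "all", "service": "ALL", "action": "accept"}
    return [pid for pid, p in cfg["firewall policy"].items()
            if all(p.get(k) == v for k, v in wide.items())]


def find_stored_directory_creds(cfg):
    """LDAP bindings whose service-account password is stored in the backup;
    whoever can read and decrypt the config inherits that AD credential."""
    return [(name, e.get("username")) for name, e in cfg["user ldap"].items()
            if "password" in e]


def audit(text):
    cfg = parse_fortios(text)
    return {"rogue_admins": find_rogue_admins(cfg),
            "permissive_policies": find_permissive_policies(cfg),
            "ldap_service_accounts": find_stored_directory_creds(cfg)}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Run it against periodic exports of your own backups and diff the findings over time; a new entry in `rogue_admins` or `permissive_policies` between two exports is exactly the change the November 2025 intrusion would have produced. The third finding is not an anomaly but an inventory: every account it lists should have the minimum directory rights needed for the bind, so that a decrypted backup yields a low-value credential rather than an AD foothold.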

Using those credentials, the attacker authenticated to the victim's environment and registered unauthorized workstations in AD, gaining a deeper foothold in the network. They soon began network reconnaissance, which ultimately triggered detection and prevented further lateral movement.
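A directory service account that exists only so a firewall can read user attributes has no reason to create computer objects, so the step described above is a clean detection opportunity. The rule below is an added example for this article, not part of SentinelOne's report or any vendor product: it runs over constructed Windows Security events in a flat JSON-like shape (the field names are an assumption about a SIEM forwarder's output, not a product schema) and raises a high-severity alert for every computer-account creation (event 4741) performed by a read-only service account, and a medium one for any other creator not on the join allowlist. The account names `fortidcagent` (taken from the article) and `svc-imaging` (assumed) are site-specific policy, not universal values.

```python
# Constructed sample of Windows Security events in a flat JSON-like shape, as a
# SIEM forwarder might emit them (field names are an assumption, not a product
# schema). 4741 = "A computer account was created"; 4624 = successful logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "fortidcagent", "TargetUserName": "-",
     "TimeCreated": "2026-02-10T03:12:40Z"},
    {"EventID": 4741, "SubjectUserName": "fortidcagent", "TargetUserName": "WS-TMP01$",
     "TimeCreated": "2026-02-10T03:12:44Z"},
    {"EventID": 4741, "SubjectUserName": "svc-imaging", "TargetUserName": "LAPTOP-0472$",
     "TimeCreated": "2026-02-10T09:01:02Z"},
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "JDOE-TEST$",
     "TimeCreated": "2026-02-10T11:20:00Z"},
    {"EventID": 4741, "SubjectUserName": "fortidcagent", "TargetUserName": "WS-TMP02$",
     "TimeCreated": "2026-02-10T03:13:10Z"},
]

# Assumed site policy: accounts that only read directory data (firewall LDAP
# binds, agents/collectors) must never create computer objects; only the
# deployment account is expected to join machines.
READ_ONLY_SERVICE_ACCOUNTS = {"fortidcagent"}
JOIN_ALLOWED = {"svc-imaging"}


def detect_rogue_computer_joins(events, read_only=READ_ONLY_SERVICE_ACCOUNTS,
                                allowed=JOIN_ALLOWED):
    """Return alerts for 4741 events raised by accounts that should not join
    machines: 'high' for read-only service accounts (credential misuse, as in
    the article), 'medium' for any other non-approved creator. High alerts
    come first, each group ordered by time."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4741:
            continue
        creator = ev.get("SubjectUserName", "").lower()
        if creator in read_only:
            severity = "high"
        elif creator not in allowed:
            severity = "medium"
        else:
            continue
        alerts.append({"severity": severity, "creator": creator,
                       "computer": ev.get("TargetUserName"),
                       "time": ev.get("TimeCreated")})
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["time"]))


if __name__ == "__main__":
    for alert in detect_rogue_computer_joins(SAMPLE_EVENTS):
        print(alert)
```

The high-severity branch is the one that matters here: a 4741 from an account in the read-only set is not a policy violation to review later but a sign that the account's password has left the appliance, and the response is to rotate it and look for the firewall compromise upstream.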

A separate attack analyzed in late January 2026 showed a rapid escalation from firewall compromise to installing remote access tools such as Pulseway and MeshAgent. The threat actor also downloaded additional malware hosted in an AWS cloud bucket using PowerShell.

The Java‑based malware, executed via DLL side‑loading, was used to steal the NTDS.dit database and the SYSTEM registry hive and exfiltrate them over port 443 to an external server (172.67.196[.]232).

“While the actor may have attempted password cracking, there was no observed use of stolen credentials between the harvesting event and incident containment,” the report added.

SentinelOne emphasized that NGFW appliances are widely deployed because they combine firewall capabilities with integration into network and identity services such as AD. That same functionality makes them valuable targets for a broad range of threat actors, from espionage-focused groups to financially motivated cybercriminals, including ransomware operators.

Cybersecurity Insight delivers timely updates on global cybersecurity developments, including recent system breaches, cyber-attacks, advancements in artificial intelligence (AI), and emerging technology innovations. Our goal is to keep viewers well-informed about the latest trends in technology and system security, and how these changes impact our lives and the broader ecosystem