
Cybersecurity researchers are warning of a new campaign in which attackers are exploiting FortiGate next-generation firewall (NGFW) appliances as entry points to penetrate victim networks.
The activity involves exploiting recently disclosed security vulnerabilities or weak credentials to extract configuration files that contain service account credentials and network topology information, SentinelOne said in a report released today. The campaign has been observed in environments in the healthcare, government, and managed service provider sectors.
“FortiGate network appliances have significant access to the environments they are installed to protect,” said security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne. “In many configurations, this includes service accounts connected to an authentication infrastructure such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP).”
“This setting allows the appliance to map roles to specific users by retrieving attributes about the connections being analyzed and correlating them with directory information. This is useful when role-based policies are configured and to speed up response to network security alerts detected by the device.”
However, the cybersecurity firm noted that this access can be abused by attackers who compromise FortiGate devices through known vulnerabilities (such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfigurations.
In one incident, according to SentinelOne, the attackers compromised a FortiGate appliance in November 2025, created a new local administrator account named “support,” and used it to add four new firewall policies that allowed traffic to pass between all zones without restriction.
The threat actor then returned periodically to confirm that the device remained accessible, behaviour consistent with an Initial Access Broker (IAB) establishing a foothold to sell to other criminals for financial gain. The next phase of activity, in which the attackers likely extracted configuration files containing the encrypted LDAP credentials of a service account, was detected in February 2026.
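The artefacts described in this incident (an unexpected local administrator, any-to-any accept policies, and directory bind credentials stored in the configuration) can all be checked offline against a configuration backup. The script below is an added example, not code from SentinelOne or Fortinet: it parses the plain-text `config / edit / set / next / end` syntax of a FortiOS backup and reports each of the three. The sample configuration is constructed for the example, the `EXPECTED_ADMINS` baseline and the `fortidcagent` account name are assumptions, and backups wrapped in `config vdom` blocks would need the nested tables unwrapped first.

```python
"""Offline audit of a FortiGate configuration backup for the artefacts above.

Added example, not from the SentinelOne report or Fortinet. Parses the
top-level `config <table> ... end` blocks of a FortiOS backup and reports:
  * admin accounts not on an expected baseline (e.g. a rogue "support" user),
  * firewall policies that accept traffic from any interface/address to any,
  * LDAP bind accounts whose password is stored (encrypted, not hashed) in the
    backup and therefore leaks with it.
"""
import re

# Constructed sample in FortiOS backup syntax; not a real device's configuration.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC AAAA
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.5"
        set username "CN=fortidcagent,OU=Service,DC=corp,DC=local"
        set password ENC BBBB
    next
end
config firewall policy
    edit 1
        set name "web-out"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
    next
    edit 101
        set name "support-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

EXPECTED_ADMINS = {"admin"}  # assumed baseline of sanctioned administrator accounts


def parse_config(text):
    """Return {table: {entry: {key: value}}} for top-level config tables.

    Sub-tables nested inside an entry are skipped via depth tracking, which is
    enough for the three tables audited here.
    """
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = line[len("config "):]
                tables[table] = {}
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue  # inside a nested sub-table: ignore
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip().strip('"')
    return tables


def unexpected_admins(cfg):
    """Admin accounts absent from the baseline, such as the rogue "support" user."""
    return sorted(n for n in cfg.get("system admin", {}) if n not in EXPECTED_ADMINS)


def any_any_policies(cfg):
    """IDs of accept policies from any interface/address to any interface/address."""
    return [pid for pid, p in cfg.get("firewall policy", {}).items()
            if p.get("action") == "accept"
            and p.get("srcintf") == "any" and p.get("dstintf") == "any"
            and p.get("srcaddr") == "all" and p.get("dstaddr") == "all"]


def stored_directory_credentials(cfg):
    """(ldap server name, bind account) pairs whose password travels with the backup."""
    hits = []
    for name, e in cfg.get("user ldap", {}).items():
        if e.get("username") and e.get("password", "").startswith("ENC"):
            m = re.match(r"CN=([^,]+)", e["username"], re.I)
            hits.append((name, m.group(1) if m else e["username"]))
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("unexpected admins:", unexpected_admins(cfg))
    print("any->any accept policies:", any_any_policies(cfg))
    print("bind accounts exposed by this backup:", stored_directory_credentials(cfg))
```

The third check is the one to act on after a suspected config theft: every account it lists must be treated as compromised and rotated, because the appliance has to be able to recover the bind password to authenticate to the directory, so the backup contains it in recoverable form rather than as a hash.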
SentinelOne said, “There is evidence that the attacker authenticated to AD using plaintext credentials for the fortidcagent service account, suggesting that the attacker decrypted the configuration files and extracted the service account credentials.”
The attackers then used the service account to authenticate to the victim’s environment and register a rogue workstation in AD, gaining deeper access. A network scan followed, at which point the compromise was detected and further lateral movement was stopped.
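A directory service account used by a FortiGate has a narrow, predictable footprint, which is what makes its misuse detectable. The script below is an added example, not from the SentinelOne report: it runs two rules over Windows Security events, flagging logons (4624) for the service account from hosts other than the ones running the Fortinet agent, interactive logon types for an account that should only bind over the network, and any computer-account creation (4741) performed by that account, the step that corresponds to the rogue workstation registration above. The `fortidcagent` name, the `AGENT_HOSTS` allow-list and the sample event lines are all constructed assumptions for the example.

```python
"""Flag misuse of a FortiGate directory service account in Windows Security events.

Added example, not from the SentinelOne report. Assumptions: the FSSO/LDAP bind
account is named "fortidcagent", it only ever authenticates from the hosts in
AGENT_HOSTS, and it has no legitimate reason to log on interactively or to
create computer objects (event 4741).
"""

SERVICE_ACCOUNT = "fortidcagent"   # assumed name of the bind account
AGENT_HOSTS = {"10.0.0.7"}         # assumed: hosts running the Fortinet collector/DC agent

# Constructed sample: one event per line in key=value form, as a SIEM might export it.
# 4624 = successful logon; 4741 = computer account created (TargetUserName is the new
# computer, SubjectUserName is the account that created it).
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=fortidcagent IpAddress=10.0.0.7 LogonType=3
EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.55 LogonType=3
EventID=4624 TargetUserName=fortidcagent IpAddress=10.0.0.55 LogonType=3
EventID=4741 SubjectUserName=fortidcagent TargetUserName=DESKTOP-X1$ IpAddress=-
EventID=4624 TargetUserName=fortidcagent IpAddress=10.0.0.55 LogonType=10
"""


def parse_events(text):
    """Turn key=value lines into a list of dicts (values stay as strings)."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, detail) alerts for the service account, in event order."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == "4624" and e.get("TargetUserName", "").lower() == SERVICE_ACCOUNT:
            src = e.get("IpAddress", "")
            if src not in AGENT_HOSTS:
                alerts.append(("logon_from_unexpected_host", src))
            if e.get("LogonType") in {"2", "10"}:   # interactive or RDP
                alerts.append(("interactive_logon", src))
        elif eid == "4741" and e.get("SubjectUserName", "").lower() == SERVICE_ACCOUNT:
            alerts.append(("computer_account_created", e.get("TargetUserName", "")))
    return alerts


def foothold_suspected(alerts):
    """True when the account both authenticated from a new host and joined a machine:
    together these match the progression described in the incident."""
    kinds = {rule for rule, _ in alerts}
    return "logon_from_unexpected_host" in kinds and "computer_account_created" in kinds


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for rule, detail in found:
        print(f"{rule}: {detail}")
    print("foothold suspected:", foothold_suspected(found))
```

The allow-list rule is the higher-value one: a bind account that suddenly authenticates from an address that is neither the firewall nor the agent host is the first observable sign that the credential has left the appliance, and it fires before any workstation join or scan.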
In another case investigated in late January 2026, the attackers moved quickly from firewall access to deploying remote access tools such as Pulseway and MeshAgent, and used PowerShell to download malware from cloud storage buckets hosted on Amazon Web Services (AWS) infrastructure.
Java-based malware launched via DLL side-loading was then used to exfiltrate the NTDS.dit file and the contents of the SYSTEM registry hive to an external server (172.67.196[.]232) over port 443. Together, the NTDS.dit database and the SYSTEM hive (which holds the boot key needed to decrypt it) are sufficient to recover the password hashes of every domain account offline.
“Although the attacker may have attempted to decode passwords from the data, we did not observe any use of such credentials between the collection of the credentials and the containment of the incident,” SentinelOne added.
“NGFW appliances have become ubiquitous because they provide organizations with powerful network monitoring capabilities by integrating firewall security controls with other management functions such as AD,” it added. “However, these devices are high-value targets for attackers with a variety of motivations and skill levels, from state-sponsored espionage attackers to financially motivated attacks such as ransomware.”
