Cybersecurity researchers are highlighting a concerning new campaign in which threat actors exploit FortiGate Next-Generation Firewall (NGFW) appliances as the primary entry point into victim networks. The campaign targets organizations in the healthcare, government, and managed service provider sectors, and gains its foothold through either recently disclosed vulnerabilities or weak credentials.
The campaign, detailed by SentinelOne, involves extracting configuration files from compromised FortiGate devices. These files can contain service account credentials and network topology information, giving attackers both a map of the environment and a set of keys to it. The broad network access these appliances have, and their integration with directory services, make them a highly attractive target for malicious actors.
FortiGate Exploitation Campaign Uncovered
According to SentinelOne's report, threat actors are specifically targeting FortiGate NGFW appliances, which often hold extensive access to the environments they are meant to protect. That access can include service accounts bound to authentication infrastructure such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). Such integration is typically configured so that directory users and groups can be mapped to firewall roles and so that alerts raised by the device can be attributed to a user quickly.
However, this integration also creates a significant exposure. An attacker who gains access to a FortiGate, whether through a known exploit (CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 are cited) or through weak credentials and misconfiguration, inherits the device's trust relationship with the directory. The research indicates that the campaign has been ongoing and evolving, with significant activity observed in late 2025 and early 2026.
Attack Vectors and Post-Exploitation Activities
In one documented instance, attackers breached a FortiGate appliance in November 2025. They then created a new local administrator account named "support" and used it to add four new firewall policies granting unrestricted access across all network zones. The attackers returned periodically to confirm that the account still worked, behaviour consistent with initial access brokers (IABs) establishing footholds in networks in order to sell them on.
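A config review is the fastest way to find the artifacts just described, because a rogue admin and an any/any policy both land in the FortiOS configuration export. The following audit script is an added example, not code from SentinelOne or Fortinet; the configuration it parses is constructed to resemble FortiOS export syntax, and the `KNOWN_ADMINS` allowlist is an assumption standing in for your own change-control records.

```python
"""Audit a FortiGate configuration export for: local admin accounts nobody
authorised, policies that accept traffic from every zone to every zone, and
directory bind accounts whose secrets are stored in the file."""

# Constructed sample in FortiOS export syntax: a legitimate admin, the rogue
# "support" admin, an LDAP bind account, one normal policy, one any/any policy.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC SH2aaaa
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC SH2bbbb
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set username "CN=fortidcagent,OU=Service,DC=corp,DC=local"
        set password ENC SH2cccc
    next
end
config firewall policy
    edit 1
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "dmz-net"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

# Assumption: the admin accounts your change control says should exist.
KNOWN_ADMINS = {"admin"}


def parse_config(text):
    """Turn `config <table> / edit <name> / set k v / next / end` into
    {table: {name: {key: value}}}. One level of nesting is modelled, which
    covers the three tables audited here; tables nested inside an `edit`
    block are not handled by this simplified parser."""
    tree, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            tree.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[len("edit "):].strip('"')
            tree[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tree[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tree


def unexpected_admins(tree, known=KNOWN_ADMINS):
    return sorted(n for n in tree.get("system admin", {}) if n not in known)


def any_any_accept_policies(tree):
    """Policy IDs accepting from any interface/address to any interface/address."""
    return [pid for pid, p in tree.get("firewall policy", {}).items()
            if p.get("action") == "accept"
            and p.get("srcintf") == "any" and p.get("dstintf") == "any"
            and p.get("srcaddr") == "all" and p.get("dstaddr") == "all"]


def embedded_directory_creds(tree):
    """LDAP bind accounts whose password is stored in the export. The device
    must be able to decrypt these, so whoever holds the file holds the secret."""
    return [(name, e.get("username", ""))
            for name, e in tree.get("user ldap", {}).items() if "password" in e]


def audit(text):
    tree = parse_config(text)
    return {"unexpected_admins": unexpected_admins(tree),
            "any_any_accept_policies": any_any_accept_policies(tree),
            "embedded_directory_creds": embedded_directory_creds(tree)}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Run it against a fresh `show full-configuration` export rather than a stale backup; the rogue account and policies exist only on the live device, and the LDAP entries it reports are the accounts to rotate first if the export has ever left the appliance.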
The next phase of the attack was observed in February 2026, when the attackers are believed to have extracted a configuration file containing the encrypted LDAP service account credentials. SentinelOne's analysis suggests that they recovered the plaintext and used the credentials of the "fortidcagent" service account to authenticate directly to the victim's Active Directory environment. Rogue workstations were then joined to the domain, extending the attackers' foothold inside the network. FortiOS stores such secrets in the export in encrypted form, but the device has to be able to decrypt them, so a leaked configuration file should be treated as a credential disclosure and the bound service account rotated.
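On the directory side, the abuse of "fortidcagent" leaves a clear signal: a firewall bind account should only ever authenticate from the hosts running the collector, only as a network logon, and should never create user or computer objects. The rules below are an added example, not SentinelOne's detection content; the events are constructed Windows Security log records reduced to the fields the rules need, and the approved collector addresses in `SERVICE_ACCOUNTS` are an assumption.

```python
"""Flag a directory bind account being repurposed by an intruder, using the
three things such an account should never do: authenticate from an unknown
host, use an interactive logon type, or create accounts."""

# Assumption: the bind account and the hosts it is allowed to come from.
SERVICE_ACCOUNTS = {"fortidcagent": {"10.0.0.5", "10.0.0.6"}}
ALLOWED_LOGON_TYPES = {3}  # network logon only; 2/10/4 etc. are never expected

# Constructed sample events: two normal binds, a bind from a rogue host, an
# RDP-style logon, a computer account created by the bind account, and noise.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.0.0.6", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.0.9.77", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.0.9.77", "LogonType": 10},
    {"EventID": 4741, "SubjectUserName": "fortidcagent", "TargetUserName": "DESKTOP-7XK2$"},
    {"EventID": 4741, "SubjectUserName": "svc-sccm", "TargetUserName": "WS-0452$"},
    {"EventID": 4624, "TargetUserName": "j.doe", "IpAddress": "10.0.9.77", "LogonType": 10},
]


def check_logon(ev):
    """4624 by a bind account from an unapproved source or with a non-network
    logon type. Returns (account, [reasons]) or None."""
    acct = ev.get("TargetUserName")
    if ev.get("EventID") != 4624 or acct not in SERVICE_ACCOUNTS:
        return None
    reasons = []
    if ev.get("IpAddress") not in SERVICE_ACCOUNTS[acct]:
        reasons.append(f"source {ev.get('IpAddress')} not an approved collector")
    if ev.get("LogonType") not in ALLOWED_LOGON_TYPES:
        reasons.append(f"logon type {ev.get('LogonType')} not permitted for a bind account")
    return (acct, reasons) if reasons else None


def check_account_creation(ev):
    """4741 = computer account created, 4720 = user account created.
    A bind account has no business doing either."""
    if ev.get("EventID") not in (4741, 4720):
        return None
    actor = ev.get("SubjectUserName")
    if actor in SERVICE_ACCOUNTS:
        return (actor, [f"event {ev['EventID']} created {ev.get('TargetUserName')}"])
    return None


def detect(events):
    findings = []
    for ev in events:
        for rule in (check_logon, check_account_creation):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for acct, reasons in detect(SAMPLE_EVENTS):
        print(acct, "->", "; ".join(reasons))
```

The source-address allowlist is the rule that matters most here: the bind account's password is valid from anywhere, so the only thing distinguishing the firewall's legitimate use from an attacker's is where the authentication comes from.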
Another incident, investigated in late January 2026, showed a rapid progression from firewall compromise to the deployment of remote access tools, in this case Pulseway and MeshAgent. The attackers also used PowerShell to download malware from a cloud storage bucket hosted on Amazon Web Services (AWS) infrastructure. The downloaded Java malware was executed through DLL side-loading and used to exfiltrate the NTDS.dit file and the SYSTEM registry hive, which together are sufficient to recover every password hash in the domain, to an external server over port 443.
The attackers may have attempted to crack passwords offline from the harvested data, but SentinelOne noted that no use of those credentials was identified between the harvesting and the subsequent containment. That pattern is consistent with an actor prioritising stealth and durable access, possibly staging the credentials for later use or resale, and it means the absence of follow-on activity should not be read as the absence of compromise.
Implications and Future Outlook
Next-Generation Firewall (NGFW) appliances have become indispensable to organizations because of their network monitoring capabilities and their integration with identity infrastructure such as Active Directory. However, as this campaign illustrates, that same position makes them high-value targets for a wide range of malicious actors, from state-aligned entities conducting espionage to financially motivated groups focused on ransomware and other cybercrime.
The ongoing exploitation of FortiGate devices underlines the need for continuous vigilance around edge infrastructure. Organizations are advised to keep their FortiGate appliances patched with the latest security updates, to ensure the administrative interface is not reachable from the internet and that admin logins require multi-factor authentication, and to review configurations for unexpected administrator accounts and overly permissive policies. Service accounts bound to the directory should be granted only the rights the firewall actually needs, monitored for authentication from unexpected hosts, and rotated immediately if a configuration export may have left the device, since stored credentials in that file should be assumed recoverable. The trend of attackers using trusted network infrastructure as their entry point is expected to continue, demanding a proactive and adaptive defense strategy from security teams.