Threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to infiltrate victim networks, a report published by SentinelOne says.
Attackers are exploiting recently disclosed vulnerabilities or weak credentials to gain access to FortiGate devices and extract configuration files. The files can contain sensitive information, including service account credentials and details about internal network architecture. The campaign has mainly targeted organizations in healthcare, government, and managed service provider (MSP) environments.
FortiGate appliances often integrate closely with authentication systems such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) to map users to network roles and enforce identity-based policies. That integration requires the appliance to hold a directory service account of its own, so while it improves monitoring and response, it also means that whoever compromises the device inherits a credentialed path into the directory.
Threat actors are exploiting several recently disclosed Fortinet vulnerabilities as part of the campaign, including the FortiCloud-related flaws CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.
In one case, attackers breached a FortiGate appliance in November 2025 and created a new administrator account called “support.” They then added four firewall policies permitting traffic between all network zones, removing the segmentation the device was supposed to enforce. The attackers periodically checked that they could still reach the device, behavior researchers say is consistent with an initial access broker establishing persistence before selling access to other cybercriminals.
The second stage of the attack was detected in February 2026, when the threat actor extracted a configuration file containing encrypted LDAP service account credentials. A FortiGate configuration backup protects stored secrets with a default vendor key unless private-data-encryption has been enabled with a user-defined key, so an attacker holding the file can usually recover them. SentinelOne believes the attacker decrypted the credentials of the “fortidcagent” service account and used them to authenticate to the victim’s Active Directory environment.
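The following is an added example, not code from the article or from SentinelOne, showing how a defender could audit an exported FortiGate configuration for the persistence pattern described above: an administrator account that is not on an allowlist, firewall policies that accept all traffic between all interfaces, LDAP definitions whose bind credential is stored in the backup, and whether private-data-encryption is enabled. The configuration text, the account names and the addresses are constructed for this example; the assumption that the private-data-encryption setting is simply absent from a backup when it is disabled is also this example's, so confirm it against your own exports.

```python
"""Audit a FortiGate configuration backup for unexpected admins, any-to-any
policies and stored directory credentials (added example; constructed input)."""
import shlex

# Constructed sample: a backup resembling the post-intrusion state described
# in the article. Names, addresses and the ciphertext are made up.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.10.0.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=fortidcagent,OU=Service Accounts,DC=corp,DC=example"
        set password ENC AAAAexampleciphertextAAAA
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 2
        set name "tmp"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_fortigate_config(text):
    """Parse the config/edit/set/next/end structure into
    {section_path: {entry_name: {key: [values]}}}.
    Settings outside any 'edit' block land under the entry name "_".
    Values are shlex-split so quoted names containing spaces survive."""
    sections = {}
    stack = []  # each element is [section_path, current_entry_or_None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path = " ".join(args)
            if stack and stack[-1][1] is not None:  # nested config inside an edit
                path = f"{stack[-1][0]}[{stack[-1][1]}] {path}"
            sections.setdefault(path, {})
            stack.append([path, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            target = sections[path].setdefault(entry if entry is not None else "_", {})
            target[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return sections


def audit(sections, allowed_admins=("admin",)):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    for name in sections.get("system admin", {}):
        if name not in allowed_admins:
            findings.append(f"unexpected admin account: {name}")
    for pid, pol in sections.get("firewall policy", {}).items():
        if (pol.get("action") == ["accept"] and pol.get("srcintf") == ["any"]
                and pol.get("dstintf") == ["any"] and pol.get("service") == ["ALL"]):
            findings.append(f"any-to-any accept policy: {pid} ({pol.get('name', ['?'])[0]})")
    for name, ldap in sections.get("user ldap", {}).items():
        if "password" in ldap:  # a bind credential travels with every backup
            findings.append(f"LDAP bind credential stored for {ldap.get('username', ['?'])[0]!r} in {name}")
    glob = sections.get("system global", {}).get("_", {})
    # Assumption of this example: the setting is absent from the backup when disabled.
    if glob.get("private-data-encryption") != ["enable"]:
        findings.append("private-data-encryption not enabled: stored secrets use the default key")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortigate_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a real backup by reading the file into `parse_fortigate_config` and extending `allowed_admins` with your known accounts; any LDAP or FSSO bind account it reports should be treated as exposed the moment a backup leaves the device.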
With the stolen credentials, the attacker joined rogue workstations to the domain to gain deeper access. By default any authenticated domain user can create up to ten computer accounts (the ms-DS-MachineAccountQuota setting), so a service account that should only ever read the directory is enough for this step unless that quota has been set to zero.
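As an added example (not part of the article or SentinelOne's report), the two detections a defender would want for this stage, run over constructed Windows Security log records: a logon (event 4624) for the firewall's directory service account from any address other than the appliance itself, and a computer account creation (event 4741) performed by that account. The account name, the appliance address and the records are assumptions made for the example; the event IDs and field names are the standard ones from the Windows Security log.

```python
"""Flag misuse of a firewall's directory service account in Security log
events (added example; constructed input)."""

SERVICE_ACCOUNTS = {"fortidcagent"}   # assumed name of the FortiGate DC agent account
FIREWALL_ADDRESSES = {"10.10.0.1"}    # assumed address the appliance binds from

# Constructed records using the EventData field names of the real events.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.10.0.1",
     "LogonType": 3},                                     # expected: the appliance itself
    {"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.10.40.77",
     "LogonType": 3},                                     # unexpected source
    {"EventID": 4741, "SubjectUserName": "fortidcagent", "TargetUserName": "DESKTOP-7A3Q$"},
    {"EventID": 4741, "SubjectUserName": "helpdesk1", "TargetUserName": "LAPTOP-0012$"},
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.10.40.77",
     "LogonType": 2},
]


def normalize_user(name):
    """Strip a DOMAIN\\ prefix or @realm suffix so comparisons are on the bare name."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def detect(events, service_accounts=SERVICE_ACCOUNTS, firewall_addresses=FIREWALL_ADDRESSES):
    """Return (rule, record) tuples for every event that matches a rule."""
    accounts = {normalize_user(a) for a in service_accounts}
    alerts = []
    for e in events:
        if e["EventID"] == 4624 and normalize_user(e.get("TargetUserName", "")) in accounts:
            # The appliance is the only legitimate source for this account's logons.
            if e.get("IpAddress") not in firewall_addresses:
                alerts.append(("service-account-logon-from-unexpected-host", e))
        elif e["EventID"] == 4741 and normalize_user(e.get("SubjectUserName", "")) in accounts:
            # A read-only integration account has no reason to add computers to the domain.
            alerts.append(("service-account-created-computer", e))
    return alerts


if __name__ == "__main__":
    for rule, record in detect(EVENTS):
        print(rule, record)
```

Both rules are only as good as the allowlist of appliance addresses, so keep that list in sync with the firewall's actual management and FSSO interfaces; a zero `ms-DS-MachineAccountQuota` makes the second rule a hard failure rather than a detection.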
In another incident in January 2026, attackers deployed remote management tools such as Pulseway and MeshAgent. They also used PowerShell to download malware hosted on Amazon Web Services infrastructure.
The malware, written in Java and executed through DLL side-loading, was designed to exfiltrate the Active Directory database file (NTDS.dit) and the SYSTEM registry hive to an external server over port 443. The SYSTEM hive holds the boot key needed to decrypt the password hashes stored in NTDS.dit, so the pair is what an attacker needs to extract every domain account's hash offline. While the attacker presumably intended to crack those hashes, researchers found no evidence that the recovered credentials were used before the incident was contained.