Attackers Exploit FortiGate Devices to Breach Networks and Steal Service Account Credentials


Cybersecurity researchers have uncovered a campaign in which threat actors are exploiting vulnerabilities in FortiGate Next‑Generation Firewall devices to gain unauthorized access to corporate networks and steal sensitive credentials.

According to a report from SentinelOne, attackers are targeting firewall appliances by exploiting recently disclosed security flaws or by using weak authentication credentials. Once inside the system, they extract configuration files that may contain service account credentials and details about the organization’s internal network structure.

The campaign has reportedly targeted organizations in sectors such as healthcare, government institutions, and managed service providers.

Why FortiGate Appliances Are Valuable Targets

Firewall appliances like FortiGate typically have extensive access to internal environments because they manage network traffic and security policies.

In many deployments, these devices connect to authentication systems such as:

  • Active Directory
  • Lightweight Directory Access Protocol

This integration allows the firewall to identify users and apply role-based security policies by retrieving identity information from directory services. However, this same level of access becomes a security risk if attackers compromise the appliance.

Vulnerabilities Used in the Attacks

Researchers observed attackers exploiting known FortiGate vulnerabilities, including:

By abusing these weaknesses or misconfigurations, attackers were able to access firewall systems and extract configuration files containing encrypted service account credentials.

Example Breach Scenario

In one incident reported by SentinelOne, attackers compromised a FortiGate appliance in November 2025.

After gaining access, they created a new local administrator account named “support.” Using this account, the attackers configured four new firewall policies that allowed unrestricted network access across all security zones.

The attacker periodically verified access to the compromised system, behavior commonly associated with an Initial Access Broker (IAB) preparing to sell access to other cybercriminal groups.
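As an added defensive example (not code from the article or from SentinelOne), the following Python script parses a constructed FortiOS-style configuration export and flags the two artifacts this scenario describes: a local administrator account outside an expected allowlist, and accept policies that are any-to-any with service ALL. The sample configuration text, account and interface names are constructed assumptions.

```python
# Constructed FortiOS-style config sample (not from the incident in the article).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set action accept
    next
    edit 2
        set srcintf "any"
        set dstintf "any"
        set action accept
        set service "ALL"
    next
end
"""

def parse_sections(text):
    # Returns {section: {entry: {key: value}}} from config/edit/set/next/end lines.
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("config "):
            section = s[7:]
        elif s.startswith("edit ") and section:
            entry = s[5:].strip('"')
            sections.setdefault(section, {})[entry] = {}
        elif s.startswith("set ") and entry is not None:
            key, _, val = s[4:].partition(" ")
            sections[section][entry][key] = val.strip('"')
        elif s in ("next", "end"):
            entry = None
            section = None if s == "end" else section
    return sections

def audit(text, expected_admins):
    # Flags admin accounts outside the allowlist and any->any accept policies with service ALL.
    cfg = parse_sections(text)
    rogue = sorted(set(cfg.get("system admin", {})) - set(expected_admins))
    open_ids = [pid for pid, p in cfg.get("firewall policy", {}).items()
                if p.get("action") == "accept" and p.get("srcintf") == "any"
                and p.get("dstintf") == "any" and p.get("service") == "ALL"]
    return {"unexpected_admins": rogue, "open_policies": open_ids}
```

Run `audit` against a periodic config backup and diff the result against the previous run; a new entry in either list is worth an immediate look.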

Credential Theft and Active Directory Abuse

Several months later, in February 2026, the attackers extracted the firewall’s configuration file. Investigators believe they decrypted the file to obtain credentials belonging to the fortidcagent service account.

Using these credentials, the attackers successfully authenticated to the victim’s Active Directory environment. They then joined unauthorized workstations to the domain, allowing deeper penetration into the network.

The attackers began conducting internal network scans before the intrusion was detected and containment measures were applied.

Malware Deployment and Data Exfiltration

In another investigated case from January 2026, attackers quickly escalated their activity after accessing a firewall.

They deployed remote access tools such as:

  • Pulseway
  • MeshAgent

Additionally, malicious files were downloaded using PowerShell from infrastructure hosted on Amazon Web Services.

A Java-based malware payload was executed using DLL side-loading techniques. The malware attempted to extract sensitive directory data, including the NTDS.dit database and the SYSTEM registry hive. These files were transmitted to an external server (172.67.196[.]232) over port 443.

Growing Threat to Network Security Devices

Security researchers warn that modern next-generation firewalls are becoming high-value targets because they provide deep visibility into and control over enterprise networks.

While these devices are designed to protect organizations, their privileged access also makes them attractive targets for attackers ranging from state-sponsored espionage groups to financially motivated cybercriminals such as ransomware operators.
