Cybersecurity experts are raising alarms about a recent campaign where cybercriminals are targeting FortiGate Next-Generation Firewall (NGFW) devices to infiltrate networks. This activity, detailed in a report by SentinelOne, involves exploiting newly revealed vulnerabilities or weak passwords to obtain configuration files rich with service account credentials and network topology data. The campaign particularly targets healthcare, government, and managed service provider environments.
Entry Points and Vulnerabilities
FortiGate appliances, which are integral to network security, have extensive access to the systems they protect. According to security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne, these devices often connect to authentication systems like Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). This connectivity allows them to map user roles by correlating connection attributes with directory information, enhancing response times for security alerts.
However, these same features make FortiGate devices attractive targets for attackers. Exploiting known vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, or misconfigurations, attackers can gain unauthorized access. In a notable incident from November 2025, attackers breached a FortiGate appliance to create an administrative account called ‘support’ and established firewall policies that enabled unrestricted access across zones.
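The November 2025 incident above comes down to two configuration changes a defender can check for: an administrator account nobody provisioned and a policy that accepts everything between zones. The following is an added example, not code from SentinelOne or Fortinet, that parses a backed-up FortiGate CLI configuration and flags both; the sample configuration, the approved-admin set and the finding format are constructed here.

```python
import shlex
# Constructed sample in FortiGate CLI syntax (not taken from the report).
SAMPLE_CONFIG = """
config system admin
    edit "support"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 7
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
end
"""
def parse_fortigate_config(text):
    """Return {table: {entry_id: {key: [values]}}}; nested sub-tables are skipped."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:                       # blank line
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":                  # enter a table (top-level or nested)
            stack.append(" ".join(args))
            tables.setdefault(stack[0], {})
        elif cmd == "end" and stack:         # leave the current table
            stack.pop()
        elif len(stack) != 1:                # ignore lines inside nested sub-tables
            continue
        elif cmd == "edit":
            entry = tables[stack[0]].setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
    return tables
def audit(text, expected_admins=frozenset({"admin"})):
    """Flag admin accounts outside the approved set and accept-any policies."""
    tables, findings = parse_fortigate_config(text), []
    for name, attrs in tables.get("system admin", {}).items():
        if name not in expected_admins:
            findings.append(f"admin:{name}:{attrs.get('accprofile', ['?'])[0]}")
    for pid, pol in tables.get("firewall policy", {}).items():
        wide = all(v.lower() in ("all", "any") for k in ("srcaddr", "dstaddr", "service")
                   for v in pol.get(k, ["-"]))
        if pol.get("action") == ["accept"] and wide:
            findings.append(f"policy:{pid}")
    return findings
```

Run it against a `show full-configuration` export on a schedule and diff the findings list against the previous run; a new `admin:` or `policy:` line is the signal the article's first incident would have produced.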
Credential Theft and Network Infiltration
After establishing a foothold, the attackers regularly verified the device’s accessibility, indicative of an Initial Access Broker (IAB) seeking to sell network access. By February 2026, an attacker extracted a configuration file containing encrypted LDAP credentials. SentinelOne reports that the attacker decrypted these credentials, using them to authenticate to the AD and enroll rogue devices, thereby extending their network access.
Subsequent network scanning led to the detection of the breach, halting further lateral movement. In another investigation in January 2026, attackers transitioned from firewall access to deploying remote access tools like Pulseway and MeshAgent, downloading malware via PowerShell from Amazon Web Services (AWS) to exfiltrate sensitive data.
Impact and Defensive Measures
The Java-based malware employed DLL side-loading to extract the NTDS.dit file and SYSTEM registry information and send them to an external server. Although there was no evidence of credential misuse during this period, the potential for damage remains significant. NGFW appliances like FortiGate are pervasive due to their integrated security and management capabilities, making them lucrative targets for attackers ranging from espionage-focused state actors to financially driven cybercriminals.
Organizations must remain vigilant and ensure their FortiGate devices are regularly updated and properly configured to mitigate these risks. Enhanced monitoring and swift incident response protocols are essential in defending against such sophisticated cyber threats.
