FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft

Cybersecurity researchers have uncovered a sophisticated campaign where threat actors are weaponizing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity, documented by SentinelOne, targets healthcare, government, and managed service provider environments.

How FortiGate Integration Becomes a Vulnerability

FortiGate appliances often integrate directly with Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) for role-based access control. This integration, designed to improve security response, means the appliance itself holds directory credentials, so it becomes a critical attack surface once adversaries gain access to the device.

“FortiGate network appliances have considerable access to the environments they were installed to protect,” the SentinelOne research team noted. “In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory and LDAP.”

Attack Methodology

Threat actors are exploiting recently disclosed vulnerabilities including:

  • CVE-2025-59718 and CVE-2025-59719 – Actively exploited FortiGate flaws
  • CVE-2026-24858 – FortiCloud SSO authentication bypass

In one documented incident from November 2025, attackers breached a FortiGate appliance and created a rogue administrator account named “support.” They then configured four new firewall policies allowing unrestricted zone traversal—classic initial access broker (IAB) behavior designed to establish persistent access for sale to other criminal actors.

Credential Extraction and Lateral Movement

The attack chain progressed in February 2026 when the same or another attacker extracted the FortiGate configuration file containing encrypted LDAP service account credentials. Evidence shows the attacker successfully decrypted these credentials and authenticated to the victim’s Active Directory using the cleartext credentials of the fortidcagent service account.

Post-authentication, the adversary enrolled rogue workstations in the AD environment, enabling deeper network access. Network scanning was initiated before defenders detected and contained the breach.

Malware and Remote Access Tools

In a separate January 2026 incident, attackers rapidly deployed remote access tools including Pulseway and MeshAgent after compromising the firewall. Additional malware was downloaded from AWS infrastructure via PowerShell, including a Java-based payload delivered through DLL side-loading.

This malware was used to exfiltrate the NTDS.dit file and SYSTEM registry hive to an external server over port 443—a technique designed to harvest domain credentials en masse.

Why This Matters

This campaign highlights how network security devices themselves have become high-value targets. NGFW appliances are attractive to threat actors ranging from state-aligned espionage groups to financially motivated ransomware operators because of their privileged position within enterprise networks.

Recommended Actions:

  • Immediately patch FortiGate devices against CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858
  • Audit service accounts with AD/LDAP integration privileges
  • Review firewall policies for unauthorized modifications
  • Monitor for rogue administrator account creation
  • Implement network segmentation between security appliances and critical AD infrastructure
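As an added illustration of the last two monitoring recommendations (not code from the SentinelOne report or Fortinet), the script below scans FortiGate-style configuration-change event logs for the pattern described in the November 2025 incident: an administrator account being created on the appliance, followed by firewall policies added by an account that is not on an approved list. The log lines are constructed for this example, and the field names (`action`, `cfgpath`, `cfgobj`, `user`, `ui`) are assumed from FortiGate's key=value event-log format rather than taken from the page.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value event-log style. The field
# names follow that format but are an assumption for this example; every value
# (dates, addresses, policy IDs) is invented.
SAMPLE_LOGS = """\
date=2025-11-12 time=03:14:07 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
date=2025-11-12 time=03:15:21 type="event" subtype="system" logdesc="Object attribute configured" user="support" ui="https(203.0.113.5)" action="Add" cfgpath="firewall.policy" cfgobj="101" msg="Add firewall.policy 101"
date=2025-11-12 time=03:15:40 type="event" subtype="system" logdesc="Object attribute configured" user="support" ui="https(203.0.113.5)" action="Add" cfgpath="firewall.policy" cfgobj="102" msg="Add firewall.policy 102"
date=2025-11-12 time=03:16:02 type="event" subtype="system" logdesc="Object attribute configured" user="support" ui="https(203.0.113.5)" action="Add" cfgpath="firewall.policy" cfgobj="103" msg="Add firewall.policy 103"
date=2025-11-12 time=03:16:30 type="event" subtype="system" logdesc="Object attribute configured" user="support" ui="https(203.0.113.5)" action="Add" cfgpath="firewall.policy" cfgobj="104" msg="Add firewall.policy 104"
date=2025-11-13 time=09:02:11 type="event" subtype="system" logdesc="Object attribute configured" user="netops" ui="ssh(10.0.0.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
"""


def parse_line(line):
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def detect_rogue_admin_activity(log_text, approved_admins=frozenset({"admin", "netops"})):
    """Return alerts for (a) any admin account created on the firewall and
    (b) firewall policies added by an account not in approved_admins."""
    alerts = []
    policies_by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "Add":
            continue  # only object creation matters for these two rules
        if ev.get("cfgpath") == "system.admin":
            alerts.append(("admin_created", ev["cfgobj"], ev["user"], ev.get("ui", "")))
        elif ev.get("cfgpath") == "firewall.policy" and ev.get("user") not in approved_admins:
            policies_by_user[ev["user"]].append(ev["cfgobj"])
    for user, policies in policies_by_user.items():
        alerts.append(("policy_added_by_unapproved_admin", user, tuple(policies)))
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_admin_activity(SAMPLE_LOGS):
        print(alert)
```

In production the approved-admin list would come from the change-management system, and the same parser can feed a SIEM rule that pages on the admin-creation event alone.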

Source: The Hacker News