Cybersecurity researchers are calling consideration to a brand new marketing campaign the place menace actors are abusing FortiGate Subsequent-Era Firewall (NGFW) home equipment as entry factors to breach sufferer networks.
The exercise includes the exploitation of lately disclosed safety vulnerabilities or weak credentials to extract configuration recordsdata containing service account credentials and community topology info, SentinelOne mentioned in a report revealed at present. The safety outfit mentioned the marketing campaign has singled out environments tied to healthcare, authorities, and managed service suppliers.
“FortiGate community home equipment have appreciable entry to the environments they have been put in to guard,” safety researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne mentioned. “In lots of configurations, this contains service accounts that are linked to the authentication infrastructure, resembling Energetic Listing (AD) and Light-weight Listing Entry Protocol (LDAP).”
“This setup can allow the equipment to map roles to particular customers by fetching attributes in regards to the connection that’s being analyzed and correlating with the Listing info, which is helpful in instances the place role-based insurance policies are set or for growing response velocity for community safety alerts detected by the gadget.”
Nonetheless, the cybersecurity firm famous that such entry could possibly be exploited by attackers who break into FortiGate gadgets via identified vulnerabilities (e.g., CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfigurations.
In a single incident, the attackers are mentioned to have breached a FortiGate equipment in November 2025 to create a brand new native administrator account named “help” and used it to arrange 4 new firewall insurance policies that allowed the account to traverse all zones with none restrictions.
The menace actor then stored periodically checking to make sure the gadget was accessible, an motion per an preliminary entry dealer (IAB) establishing a foothold and promoting it to different legal actors for financial acquire. The following part of the exercise was detected in February 2026 when an attacker doubtless extracted the configuration file containing encrypted service account LDAP credentials.
“Proof demonstrates the attacker authenticated to the AD utilizing clear textual content credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne mentioned.
The attacker then leveraged the service account to authenticate to the sufferer’s surroundings and enroll rogue workstations within the AD, permitting them deeper entry. Following this step, community scanning was initiated, at which level the breach was detected, and additional lateral motion was halted.
In one other case investigated in late January 2026, attackers swiftly moved from firewall entry to deploying distant entry instruments like Pulseway and MeshAgent. As well as, the menace actor downloaded malware from a cloud storage bucket by way of PowerShell from Amazon Net Companies (AWS) infrastructure.
The Java malware, launched by way of DLL side-loading, was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an exterior server (“172.67.196[.]232”) over port 443.
“Whereas the actor could have tried to crack passwords from the info, no such credential utilization was recognized between the time of credential harvesting and incident containment,” SentinelOne added.
“NGFW home equipment have grow to be ubiquitous as a result of they supply sturdy community monitoring capabilities for organizations by integrating safety controls of a firewall with different administration options, resembling AD,” it added. “Nonetheless, these gadgets are high-value targets for actors with quite a lot of motivations and ability ranges, from state-aligned actors conducting espionage to financially motivated assaults resembling ransomware.”
