FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

FortiGate Firewall Exploitation Campaign: Attackers Weaponize Enterprise Security Appliances to Breach Healthcare, Government, and MSP Networks

SentinelOne researchers have documented a campaign in which threat actors systematically exploit FortiGate Next-Generation Firewall (NGFW) appliances as entry points into victim networks across several critical sectors.

The campaign, which has already impacted healthcare organizations, government agencies, and managed service providers, represents a calculated approach by adversaries who recognize that these security appliances, designed to protect networks, have become high-value targets themselves. By exploiting recently disclosed vulnerabilities or leveraging weak credentials, attackers are gaining unauthorized access to FortiGate devices and extracting configuration files containing service account credentials and comprehensive network topology information.

“FortiGate network appliances have considerable access to the environments they were installed to protect,” explained a team of SentinelOne security researchers including Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne. “In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”

The integration that makes the appliance useful is also what makes its compromise so damaging. A FortiGate maps users to roles by fetching connection attributes and correlating them with directory information, which drives role-based policies and enriches security alerts. To do that lookup it holds a directory credential of its own, stored on the device, so an attacker who controls the appliance also holds a valid path into the directory.

SentinelOne ties the intrusions to several vulnerabilities disclosed in recent months, including CVE-2025-59718, CVE-2025-59719 and CVE-2026-24858. These flaws, combined with common misconfigurations and weak credential practices, give attackers more than one route onto the device.

In one revealing incident from November 2025, the attackers breached a FortiGate appliance and immediately created a new local administrator account named "support". The name was not chosen at random: it is meant to blend in with legitimate administrative activity. They then added four firewall policies allowing unrestricted traffic across all network zones, in effect a backdoor with maximum reach. FortiOS records both kinds of change in the running configuration and in its event log, so a baseline of administrator accounts and policies, compared after every change, is the cheapest detection available for this step.

What makes this campaign particularly concerning is the apparent involvement of initial access brokers (IABs), criminals who specialize in gaining network footholds and selling that access to other actors. The November breach showed clear signs of this business model: over an extended period the threat actor periodically checked that the compromised device was still reachable, consistent with an IAB maintaining a foothold before marketing it to others for financial gain.

The campaign's evolution became clearer in February 2026 when a different attacker, likely the buyer of that access, extracted the FortiGate configuration file containing the encrypted LDAP credentials of a service account. FortiOS writes such passwords into backups as ENC strings, but unless private-data-encryption is enabled on the device they are protected by a fixed FortiOS key rather than a per-device secret, so possession of the backup is effectively possession of the credentials. The attackers decrypted them and used the fortidcagent service account to authenticate to the victim's Active Directory environment.
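The three artefacts from the two incidents above, an unexpected local administrator, an any/any policy and a stored directory bind credential, are all visible in a FortiOS configuration backup. The following is an added example, not SentinelOne's or Fortinet's code: a small parser for the FortiOS config/edit/set/next/end syntax and an audit that flags those artefacts. The sample backup, the "support" account, the corp-ad LDAP server, the fortidcagent bind DN, the policy numbers and addresses are all constructed for the example; the private-data-encryption setting it checks is a real FortiOS system-global setting.

```python
import re

# Constructed sample in FortiOS CLI backup syntax, not a real device dump.
# The "support" admin, the any/any policy and the LDAP bind account mirror
# the artefacts described in the article; names and addresses are assumed.
SAMPLE_CONFIG = """\
config system global
    set private-data-encryption disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AAAAEXAMPLE1
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC AAAAEXAMPLE2
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.10"
        set dn "DC=corp,DC=example"
        set username "CN=fortidcagent,OU=Service Accounts,DC=corp,DC=example"
        set password ENC AAAAEXAMPLE3
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
    next
    edit 77
        set name "support-access"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted value or a bare word


def parse_fortios(text):
    """Turn config/edit/set/next/end syntax into {section: {entry: {key: [values]}}}.
    Settings placed directly under a section (no edit) live under entry ""."""
    sections, stack = {}, []  # stack holds [section, current_entry], innermost last
    for raw in text.splitlines():
        verb, _, rest = raw.strip().partition(" ")
        if verb == "config":
            name = (stack[-1][0] + "/" if stack else "") + rest.strip()
            stack.append([name, ""])
            sections.setdefault(name, {})
        elif verb == "edit":
            stack[-1][1] = rest.strip().strip('"')
        elif verb == "set":
            key, _, vals = rest.partition(" ")
            values = [quoted or bare for quoted, bare in _TOKEN.findall(vals)]
            sections[stack[-1][0]].setdefault(stack[-1][1], {})[key] = values
        elif verb == "next":
            stack[-1][1] = ""
        elif verb == "end":
            stack.pop()
    return sections


ANY_ANY = {"srcintf": {"any"}, "dstintf": {"any"}, "srcaddr": {"all"},
           "dstaddr": {"all"}, "service": {"ALL"}}


def is_any_any_accept(policy):
    """Accept policy that matches any interface, any address and every service."""
    return policy.get("action") == ["accept"] and all(
        set(policy.get(k, [])) == v for k, v in ANY_ANY.items())


def audit(cfg, expected_admins=("admin",)):
    """(category, message) findings for what a stolen copy of this backup hands over."""
    out = []
    pde = cfg.get("system global", {}).get("", {}).get("private-data-encryption", ["disable"])
    if pde != ["enable"]:  # FortiOS default: ENC secrets use the fixed vendor key
        out.append(("config", "private-data-encryption is off: ENC secrets are recoverable"))
    for name, a in cfg.get("system admin", {}).items():
        if name not in expected_admins:
            out.append(("admin", f"unexpected local admin '{name}' ({a.get('accprofile', ['?'])[0]})"))
    for name, a in cfg.get("user ldap", {}).items():
        if "password" in a:
            out.append(("ldap", f"server '{name}' stores bind credentials for {a.get('username', ['?'])[0]}"))
    for pid, a in cfg.get("firewall policy", {}).items():
        if is_any_any_accept(a):
            out.append(("policy", f"policy {pid} '{a.get('name', [pid])[0]}' accepts any/any all/all ALL"))
    return out
```

Run `audit(parse_fortios(open("backup.conf").read()))` against a real backup and diff the result between scheduled pulls; a new entry in the `admin` or `policy` category is exactly the November 2025 footprint. The `ldap` finding is not a misconfiguration in itself, since the appliance needs the credential, but it is the reminder that the backup must be stored and transported as a secret and that the bind account should hold read-only, least-privilege rights.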

Once authenticated to AD, the attackers used a well-worn technique: enrolling rogue workstations into the directory. By default any authenticated domain user can join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute), so even a low-privilege bind account is enough. A machine account the attacker controls provides deeper, more persistent access and lets malicious activity blend with legitimate user and device traffic. The attackers then began broad network scanning, which triggered detection and halted their lateral movement before they could establish more extensive control.
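The directory side of this incident leaves two signals a defender can alert on: the appliance's bind account logging on from somewhere other than the appliance, and that same account creating computer objects, which a bind account never legitimately does. The following is an added example, not SentinelOne's code, of that detection run over constructed Windows Security events exported as JSON lines (4624 logon, 4741 computer account created). The account name, the firewall address 10.0.0.1, the other hostnames and the burst threshold are assumptions for the sample; the event IDs and field names are the standard Windows ones.

```python
import json
from collections import Counter

# Constructed records shaped like Windows Security events exported as JSON
# lines (4624 = logon, 4741 = computer account created). They are illustrative
# and not telemetry from the incidents SentinelOne investigated.
SAMPLE_EVENTS = """\
{"EventID":4624,"TimeCreated":"2026-02-09T01:02:03Z","TargetUserName":"fortidcagent","LogonType":3,"IpAddress":"10.0.0.1"}
{"EventID":4624,"TimeCreated":"2026-02-10T03:10:51Z","TargetUserName":"fortidcagent","LogonType":3,"IpAddress":"10.0.50.23"}
{"EventID":4741,"TimeCreated":"2026-02-10T03:12:44Z","SubjectUserName":"fortidcagent","TargetUserName":"DESKTOP-7Q2K1$"}
{"EventID":4741,"TimeCreated":"2026-02-10T03:12:45Z","SubjectUserName":"fortidcagent","TargetUserName":"DESKTOP-7Q2K2$"}
{"EventID":4741,"TimeCreated":"2026-02-10T09:00:00Z","SubjectUserName":"helpdesk01","TargetUserName":"HR-LAPTOP-42$"}
"""

# Assumed operator baseline: the directory account the firewall binds with and
# the only address (the firewall itself) that account should ever log on from.
SERVICE_ACCOUNTS = {"fortidcagent"}
ALLOWED_SOURCES = {"fortidcagent": {"10.0.0.1"}}
JOIN_BURST = 2  # computer objects created by one principal before alerting
                # (tune to your environment; the quota allows ten per user)


def load_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, service_accounts=SERVICE_ACCOUNTS,
           allowed_sources=ALLOWED_SOURCES, join_burst=JOIN_BURST):
    """Return (rule, principal, detail) alerts in the order they are found."""
    alerts, joins = [], Counter()
    for e in events:
        if e["EventID"] == 4624:
            user = e["TargetUserName"]
            # A bind account has exactly one legitimate origin: the appliance.
            if user in service_accounts and e.get("IpAddress") not in allowed_sources.get(user, set()):
                alerts.append(("service-account-logon-from-unexpected-source", user, e.get("IpAddress")))
        elif e["EventID"] == 4741:
            creator = e["SubjectUserName"]
            joins[creator] += 1
            # Bind accounts read the directory; they never join machines.
            if creator in service_accounts:
                alerts.append(("computer-object-created-by-service-account", creator, e["TargetUserName"]))
    # Any principal joining several machines quickly is worth a look, service account or not.
    for creator, n in joins.items():
        if n >= join_burst:
            alerts.append(("computer-object-creation-burst", creator, n))
    return alerts
```

The same two rules map directly onto most SIEM query languages; the point is the baseline, not the code. Setting ms-DS-MachineAccountQuota to 0 and delegating machine joins to a dedicated group removes the technique altogether rather than just detecting it.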

A second incident investigated in late January 2026 showed a faster and more aggressive approach. Here the attackers moved quickly from initial firewall access to deploying the remote access tools Pulseway and MeshAgent, legitimate remote monitoring and management software that attackers routinely repurpose for unauthorized remote administration and data exfiltration.

The attackers then ran PowerShell commands to download malware from a cloud storage bucket hosted on Amazon Web Services infrastructure. The malware, written in Java and launched through DLL side-loading (a legitimate, often signed executable is made to load an attacker-supplied DLL from its own directory because of the Windows library search order), was built for credential harvesting.

The malicious code exfiltrated the NTDS.dit file and the SYSTEM registry hive to an external server at 172.67.196.232 over port 443, the HTTPS port that most perimeter firewalls allow outbound. That address falls in Cloudflare's 172.64.0.0/13 range, so the real server sat behind Cloudflare's proxy and blocking the IP alone would achieve little. NTDS.dit is the Active Directory database and holds every account's password hashes; the SYSTEM hive holds the boot key needed to decrypt the password encryption key that protects those hashes. That is why the two are taken together: with both, an attacker can recover every domain NT hash offline without touching a domain controller again.

“While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment,” SentinelOne noted, suggesting that the breach was detected and mitigated before attackers could fully exploit the stolen credentials.

The implications extend beyond individual incidents. FortiGate appliances are widely deployed precisely because they combine traditional firewall functions with management features such as Active Directory integration, which makes them a natural choice for organizations seeking a unified security platform.

However, this very ubiquity and capability have transformed these devices into prime targets for attackers with diverse motivations and skill levels. The threat landscape includes state-aligned actors conducting espionage operations, financially motivated criminal groups pursuing ransomware campaigns, and sophisticated cybercrime syndicates seeking to establish long-term network access for various malicious purposes.

The campaign underscores a critical security principle that organizations must internalize: security appliances themselves require the same rigorous protection, monitoring, and hardening as any other network asset. The fact that these devices often sit at network perimeters and possess elevated privileges makes them particularly attractive targets, but also means that their compromise can provide attackers with privileged access paths into otherwise well-defended internal networks.

Organizations using FortiGate appliances or similar NGFW solutions should review their posture now: run current firmware with security patches applied; keep the management interface off the internet and reachable only from trusted networks; enforce multi-factor authentication for administrators; enable private-data-encryption so that secrets in configuration backups are protected by a device-specific key; give the directory bind account read-only, least-privilege rights and rotate its password after any suspected device compromise; and alert on new administrator accounts, policy changes and configuration exports. A configuration backup should be handled as a credential store, because that is what it is. Regular security assessments of these components should be standard practice rather than an afterthought.

The campaign also highlights the evolving nature of cyber threats, where initial access brokers create a marketplace for network compromises, allowing less technically sophisticated criminals to purchase ready-made access to high-value targets. This commodification of network breaches represents a significant escalation in the cybercrime ecosystem and demands equally sophisticated defensive strategies.

As organizations continue to digitize operations and expand their network perimeters, the security of network infrastructure devices like FortiGate appliances will only grow in importance. The current campaign serves as a stark reminder that in modern cybersecurity, there are no islands of safety—every component of the security infrastructure must be defended with the same vigilance applied to the most sensitive data assets.

Fortinet has not yet issued specific guidance regarding this campaign, though the company typically responds to such reports with security advisories and recommended mitigation steps. Organizations concerned about their FortiGate deployments should monitor Fortinet’s security advisories and consider engaging with cybersecurity professionals to assess their specific exposure to these attack techniques.

The convergence of sophisticated attack techniques, the monetization of network access through initial access broker markets, and the critical role of security appliances in modern network architectures creates a perfect storm of cybersecurity challenges that organizations must navigate with increased awareness and proactive defense measures.

#fortinet #cybersecurity #fortigate #ngfw #networksecurity #vulnerability #activeDirectory #ldap #initialaccessbroker #ransomware #espionage #healthcare #government #msp #sentinelone #cyberattack #databreach #securityappliance #firewall #cve #exploit #malware #credentialharvesting #ntdsdit #systemregistry #powershell #aws #cloudsecurity #cyberthreat #digitaldefense #infosec #technologynews
