
New Fortinet Vulnerabilities Fuel Healthcare, Govt Breaches

FortiGate exploits grant network access for credential theft and data exfiltration by hackers.

  • Threat actors are exploiting vulnerabilities in FortiGate firewalls to gain initial network access and steal credentials.
  • The campaign specifically targets environments in healthcare, government, and managed service providers for credential harvesting.
  • Attackers use stolen service account credentials to deeply infiltrate networks, enrolling rogue devices and exfiltrating sensitive data.
  • The activity is often consistent with initial access brokers establishing footholds to sell to other cybercriminals.

In a significant cybersecurity alert for March 2026, SentinelOne researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne reported a new campaign where threat actors are breaching networks by exploiting FortiGate Next-Generation Firewall appliances.

The attackers exploit recently disclosed vulnerabilities like CVE-2025-59718 or use weak credentials to extract critical configuration files. Consequently, they obtain encrypted service account credentials and detailed network topology information.

The service account integration allows the firewall to map user roles by fetching directory attributes, which is useful for role-based policies. However, this powerful access becomes a liability when attackers compromise the device.

In one November 2025 incident, attackers created a local “support” admin account and configured unrestricted firewall policies. Meanwhile, their periodic checks suggested an initial access broker establishing a persistent foothold for resale.

By February 2026, the attacker had decrypted and used LDAP credentials from a configuration file to authenticate to Active Directory. They then enrolled rogue workstations to gain deeper network access before detection halted further movement.
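The two changes reported in the November 2025 incident, a new local admin account and an unrestricted firewall policy, can both be checked for in a configuration backup. The following is an added example, not code from SentinelOne or Fortinet; the sample config is constructed, and the function names and the admin allow-list are assumptions.

```python
import re

# Constructed sample of a FortiGate config backup (not taken from the report).
SAMPLE_CONFIG = """config system admin
    edit "admin"
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set srcaddr "lan-users"
        set action accept
        set service "HTTPS" "DNS"
    next
    edit 7
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end"""

def parse_section(config, section):
    """Return {entry: {key: [values]}} for one 'config <section>' block."""
    entries, current, inside, depth = {}, None, False, 0
    for line in filter(str.strip, config.splitlines()):
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if not inside:
            inside = words[0] == "config" and " ".join(words[1:]) == section
        elif words[0] == "end" and depth == 0:
            break
        elif words[0] in ("config", "end"):
            depth += 1 if words[0] == "config" else -1  # nested block: skip it
        elif depth == 0 and words[0] == "edit":
            current = entries.setdefault(words[1], {})
        elif depth == 0 and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
    return entries

def audit(config, expected_admins):
    """Flag admins outside the allow-list and any-to-any accept policies."""
    admins = parse_section(config, "system admin")
    findings = [f"unexpected admin: {a}" for a in admins if a not in expected_admins]
    for pid, p in parse_section(config, "firewall policy").items():
        if (p.get("action") == ["accept"] and p.get("service") == ["ALL"]
                and p.get("srcaddr") == p.get("dstaddr") == ["all"]):
            findings.append(f"unrestricted policy: {pid}")
    return findings
```

Running `audit` on each scheduled backup against the list of administrators the organisation actually provisioned surfaces this kind of change between backups.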

In a separate January 2026 case, attackers rapidly deployed remote access tools like Pulseway and MeshAgent after gaining firewall access. Furthermore, they downloaded a Java malware payload from an AWS cloud storage bucket using PowerShell.

This malware side-loaded a DLL to exfiltrate the NTDS.dit file and SYSTEM registry hive to an external server. “While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment,” SentinelOne added.

These appliances are high-value targets for both state-aligned espionage and financially motivated ransomware attacks. Consequently, their integration with authentication infrastructure like AD makes them a potent vector for initial network intrusion.
