Back to News
Cyber Attack

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Cybersecurity firm SentinelOne said attackers are actively abusing FortiGate next-generation firewalls to gain initial access to corporate networks, extract configuration files, and retrieve service account credentials. SentinelOne added that the campaign has focused on healthcare organizations, government entities, and managed service providers.

How the attacks work

SentinelOne researchers explained that threat actors are exploiting recently disclosed vulnerabilities and weak administrative credentials to access FortiGate appliances. “FortiGate network appliances have considerable access to the environments they were installed to protect,” researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne wrote. “In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”

The company said attackers have used known flaws, including CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, or simple misconfigurations to retrieve configuration backups. Those backups can contain encrypted or clear text credentials for LDAP and AD integration. SentinelOne reported that in at least one incident attackers created a local administrator account named “support,” added permissive firewall policies, and periodically checked access to maintain a foothold.

In one timeline SentinelOne described, an appliance compromise in November 2025 led to the creation of new admin access and firewall policy changes. By February 2026 the threat actor had extracted a configuration file and, the company said, “authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials.” Those credentials were then used to enroll rogue workstations and scan the network before defenders detected lateral movement.

In another case investigated in late January 2026, SentinelOne said attackers moved quickly from firewall access to deploying remote management tools such as Pulseway and MeshAgent, used PowerShell to download payloads from cloud storage, and executed Java malware via DLL side-loading. The investigator reported that attackers exfiltrated copies of NTDS.dit and the SYSTEM registry hive to an external server over port 443.

Why FortiGate appliances matter to attackers

SentinelOne noted that next-generation firewalls are popular because they combine packet filtering with integration into directory services, role mapping, and other features that speed up detection and response. That same privileged position makes them high-value targets. “NGFW appliances have become ubiquitous because they provide strong network monitoring capabilities for organizations by integrating security controls of a firewall with other management features, such as AD,” SentinelOne said.

Practical steps defenders should take

SentinelOne’s Digital Forensics & Incident Response (DFIR) team recommended several mitigations to reduce risk:

  • Enforce strong administrative access controls and unique, complex passwords for appliance accounts. SentinelOne said many incidents stemmed from weak credentials.
  • Keep FortiGate firmware and management components patched for known CVEs, including those cited by SentinelOne.
  • Limit service account privileges and avoid storing unnecessary credentials on appliances.
  • Retain FortiGate logs for at least 14 days, and ideally 60 to 90 days, sending logs to a SIEM so anomalous actions such as new local admin creation or config exports are detected quickly.
  • Segment administrative interfaces and monitor for outbound connections and unusual traffic to cloud storage or command-and-control hosts.

“Throughout early 2026, SentinelOne’s Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment,” the DFIR team said. “Each incident was detected and stopped during the lateral movement phase of the attack.”

The message from SentinelOne is clear: because NGFWs often sit close to identity systems, defenders should treat them as high-risk assets, keep them patched, restrict access, and ensure robust logging so a breach can be discovered and contained before credentials are abused.

#FortiGate #CyberSecurity #SentinelOne #NetworkSecurity #IncidentResponse