thehackernews.com 3/10/2026, 6:00:07 PM · via preferred

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Cybersecurity researchers have highlighted a campaign in which threat actors abuse FortiGate NGFW appliances as entry points into networks: they break into environments by exploiting recently disclosed flaws or weak credentials, then harvest configuration files that contain service account credentials and network topology data, according to SentinelOne.

The analysis notes targeted sectors including healthcare, government, and managed service providers, with FortiGate devices often having broad access to protected networks and authentication infrastructure such as Active Directory and LDAP. The attackers are said to have breached a FortiGate appliance in November 2025 to create a local administrator account named “support” and to have used this access to set up four new firewall policies, enabling unrestricted traversal across zones.
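A defender-side check for the two artefacts described above, an admin account outside the expected set and accept policies open to all sources, destinations and services, written as an added example rather than code from the article or from SentinelOne. The FortiOS-style configuration excerpt is constructed, and the allowlist of expected admin names (`known_admins`) is an assumption to be replaced with the real one.

```python
import shlex
# Constructed FortiOS-style excerpt (not from the article): a rogue "support" admin and an any-to-any policy.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set dstaddr "dmz-web"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

def parse_fortios(text):
    """Map top-level 'config <section>' blocks to {section: {entry: {key: value}}}; nested sub-blocks are skipped."""
    sections, section, entry, depth = {}, None, None, 0
    for tok in (shlex.split(line) for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # only top-level sections are indexed; deeper blocks just bump depth
                section, entry = sections.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
    return sections

def audit(text, known_admins=("admin",)):
    """Flag admins outside the allowlist and accept policies open to all src/dst addresses and services."""
    cfg = parse_fortios(text)
    findings = [("unexpected-admin", n) for n in cfg.get("system admin", {}) if n not in known_admins]
    for pid, pol in cfg.get("firewall policy", {}).items():
        if (pol.get("action") == "accept" and pol.get("srcaddr") == pol.get("dstaddr") == "all"
                and pol.get("service", "").upper() == "ALL"):
            findings.append(("any-any-accept", pid))
    return findings
```

Run `audit()` over a configuration backup taken from the appliance and compare the findings against change records; a new admin or an any-to-any accept rule that nobody requested is the kind of change the incident above began with.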

In February 2026, investigators observed the likely extraction of a configuration file containing encrypted service account LDAP credentials, which the attackers allegedly used to authenticate to AD and deploy rogue workstations before lateral movement was halted.

In another case in late January 2026, the group moved from firewall access to deploying remote access tools such as Pulseway and MeshAgent, used PowerShell to download malware from a cloud storage bucket on AWS infrastructure, and exfiltrated NTDS.dit and SYSTEM registry hive data to an external server. According to SentinelOne, these incidents illustrate how NGFW appliances can become high-value targets for both espionage-driven and financially motivated attackers.


Article by CyberSIXT