FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials  Ravie Lakshmanan  Mar 10, 2026 Network Security / Vulnerability Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The security outfit said the campaign has singled out environments tied to healthcare, government, and managed service providers. "FortiGate network appliances have considerable access to the environments they were installed to protect," security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne said . "In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP)." "This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that’s being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device." However, the cybersecurity company noted that such access could be exploited by attackers who break into FortiGate devices through known vulnerabilities (e.g., CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfigurations . In one incident, the attackers are said to have breached a FortiGate appliance in November 2025 to create a new local administrator account named "support" and used it to set up four new firewall policies that allowed the account to traverse all zones without any restrictions. The threat actor then kept periodically checking to ensure the device was accessible, an action consistent with an initial access broker (IAB) establishing a foothold and selling it to other criminal actors for monetary gain. The next phase of the activity was detected in February 2026 when an attacker likely extracted the configuration file containing encrypted service account LDAP credentials. "Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials," SentinelOne said. The attacker then leveraged the service account to authenticate to the victim's environment and enroll rogue workstations in the AD, allowing them deeper access. Following this step, network scanning was initiated, at which point the breach was detected, and further lateral movement was halted. In another case investigated in late January 2026, attackers swiftly moved from firewall access to deploying remote access tools like Pulseway and MeshAgent. In addition, the threat actor downloaded malware from a cloud storage bucket via PowerShell from Amazon Web Services (AWS) infrastructure. The Java malware, launched via DLL side-loading, was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server ("172.67.196[.]232") over port 443. "While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment," SentinelOne added. "NGFW appliances have become ubiquitous because they provide strong network monitoring capabilities for organizations by integrating security controls of a firewall with other management features, such as AD," it added. "However, these devices are high-value targets for actors with a variety of motivations and skill levels, from state-aligned actors conducting espionage to financially motivated attacks such as ransomware." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Active Directory , Credential Theft , cybersecurity , Firewall Security , Fortinet , Malware , network security , Threat Intelligence , Vulnerability Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps