Threat actors are using FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks in a new campaign that cybersecurity researchers are drawing attention to. According to a report released today by SentinelOne, the activity involves exploiting recently disclosed security flaws or weak credentials to extract configuration files that contain information about network topology and service account credentials.
According to the security firm, the campaign has targeted government, healthcare, and managed service provider environments. "FortiGate network appliances have considerable access to the environments they were installed to protect," said security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne.
"Service accounts that are linked to the authentication infrastructure, like Active Directory (AD) and Lightweight Directory Access Protocol (LDAP), are included in many configurations." "In situations where role-based policies are set or to increase response speed for network security alerts detected by the device, this setup can enable the appliance to map roles to specific users by fetching attributes about the connection that's being analyzed and correlating with the Directory information." However, the cybersecurity firm pointed out that attackers who gain access to FortiGate devices through known vulnerabilities (such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfigurations can abuse that same access.
In one instance, the attackers are alleged to have gained access to a FortiGate appliance in November 2025, created a new local administrator account called "support," and used it to set up four new firewall policies that permitted the account to traverse all zones freely. The threat actor then periodically checked that the device remained accessible, behavior consistent with an initial access broker (IAB) gaining a foothold and selling it to other criminal actors for financial gain. The next stage of the activity was discovered in February 2026, when the attacker most likely extracted the configuration file containing the encrypted LDAP service account credentials.
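As an added example (not SentinelOne's or Fortinet's code), the following Python script audits a FortiGate CLI-style configuration backup for the two artefacts described above: a local administrator outside an allow-list and an accept policy whose source and destination interfaces are both "any". The configuration text is constructed, and the exact backup layout it parses is an assumption about typical FortiOS output.

```python
import re

# Constructed sample in FortiOS CLI backup style (assumption: typical layout).
# It contains a legitimate "admin" account plus the rogue "support" account
# and an any-to-any accept policy similar to what the report describes.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
    edit 2
        set name "support-any"
        set srcintf "any"
        set dstintf "any"
        set action accept
    next
end
"""

def parse_sections(text, name):
    """Return {entry_id: {key: value}} for one 'config <name>' ... 'end' block."""
    block = re.search(rf"^config {re.escape(name)}\n(.*?)^end$", text, re.S | re.M)
    entries = {}
    if block:
        for ent in re.finditer(r'^\s*edit "?([^"\n]+)"?\n(.*?)^\s*next$', block.group(1), re.S | re.M):
            entries[ent.group(1)] = dict(re.findall(r'^\s*set (\S+) "?([^"\n]+)"?$', ent.group(2), re.M))
    return entries

def audit(config, known_admins):
    """Flag admin accounts not in the allow-list and accept policies spanning all zones."""
    findings = []
    for name, attrs in parse_sections(config, "system admin").items():
        if name not in known_admins:
            findings.append(("unexpected-admin", name, attrs.get("accprofile", "")))
    for pid, attrs in parse_sections(config, "firewall policy").items():
        if attrs.get("action") == "accept" and attrs.get("srcintf") == "any" and attrs.get("dstintf") == "any":
            findings.append(("any-any-policy", pid, attrs.get("name", "")))
    return findings
```

Running `audit(SAMPLE_CONFIG, {"admin"})` on a real backup taken from the device is a cheap periodic check; diffing successive backups catches the same additions even when the account name is less obvious.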
According to SentinelOne, "Evidence shows the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials." The attacker then used the service account to gain deeper access, enrolling rogue workstations in the AD and authenticating to the victim's environment, before starting network scanning.
Further lateral movement was halted once the breach was discovered. In a second case, investigated in late January 2026, the attackers quickly moved from firewall access to deploying remote access tools such as Pulseway and MeshAgent, and used PowerShell to download malware from an Amazon Web Services (AWS) cloud storage bucket.
The malware, a Java-based payload launched via DLL side-loading, exfiltrated the contents of the NTDS.dit file and the SYSTEM registry hive to an external server ("172.67.196[.]232") over port 443.

SentinelOne continued, "No such credential usage was found between the time of credential harvesting and incident containment, even though the actor may have tried to crack passwords from the data." It added, "NGFW appliances have become ubiquitous because they provide strong network monitoring capabilities for organizations by integrating security controls of a firewall with other management features, like AD."
"However, these devices are valuable targets for actors with a range of skills and motivations, from financially motivated attacks like ransomware to state-aligned actors conducting espionage.