SentinelOne says attackers have been compromising FortiGate Next-Generation Firewall appliances and using the access to extract configuration files, decrypt embedded service account credentials, and move deeper into targeted environments. The incident response firm said it responded to multiple such cases in early 2026, with lateral movement detected and stopped after the FortiGate devices had already been abused as footholds.

According to SentinelOne’s report, the activity took place during a period in which Fortinet products were reportedly exploited through CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, though the company said weak credentials could also provide access without a weaponized exploit. Once inside, attackers ran the show full-configuration command to dump appliance configurations, then decrypted stored service account credentials and used the data for follow-on compromise.

“We observed a consistent theme: targeted organizations fail to retain sufficient logs on these appliances, which prevents understanding exactly how and when attackers gained access.” — SentinelOne

Rogue domain workstations followed theft of FortiGate service account credentials

In one incident detailed by SentinelOne, the compromise likely began in late November 2025 and remained undetected through February 2026. After accessing the FortiGate appliance, the actor created a new local administrator account named support and added four firewall policies that allowed the account to traverse all zones. SentinelOne said the attacker later extracted the device configuration and recovered clear-text Active Directory credentials for the fortidcagent service account.

The service account was then used to authenticate to the environment from IP address 193[.]24[.]211[.]61. SentinelOne said the attacker abused the mS-DS-MachineAccountQuota attribute to join two rogue workstations to Active Directory, named WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2. The actor then conducted network scanning and password spraying, with activity also observed from 185[.]156[.]73[.]62 and 185[.]242[.]246[.]127. The incident generated identity alerts and included delete.me artifacts that suggested use of SoftPerfect Network Scanner for enumeration.

Second intrusion used RMM tools and stole NTDS.dit from a domain controller

In a second case, SentinelOne said the threat actor created a FortiGate local administrator account named ssl-admin and again likely harvested Active Directory administrator credentials from the decrypted appliance configuration. Within 10 minutes of creating the FortiGate account, the actor logged into multiple servers with the built-in Domain Administrator account and began staging tools in C:\ProgramData\USOShared.

SentinelOne said the attacker downloaded Pulseway from hxxps://storage.googleapis[.]com/apply-main/windows_agent_x64[.]msi and installed MeshAgent on a domain controller and file share. The actor set the Windows Registry value SystemComponent=1 to hide MeshAgent from the Programs and Features list, then created scheduled tasks named JavaMainUpdate and MeshUserTask. The same intrusion downloaded a ZIP archive from hxxps://fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com/paswr.zip, unpacked it into C:\ProgramData\USOShared, and executed java.exe to side-load malicious DLLs.

The Java-loaded payload beaconed to ndibstersoft[.]com and neremedysoft[.]com, and the attacker used PsExec to push the payload to additional servers, including primary and secondary domain controllers. SentinelOne said the actor then created a Volume Shadow Copy backup of the primary domain controller through WMIC, extracted NTDS.dit and the SYSTEM registry hive, compressed the files with makecab, and established a connection on port 443 to 172[.]67[.]196[.]232, a Cloudflare-owned IP address, before the compressed files were deleted.

SentinelOne said it did not find evidence tying the observed intrusions to the actor described in Amazon Security’s recent reporting, but warned that edge devices such as FortiGate appliances remain attractive targets for espionage, financially motivated intrusions, and ransomware access brokers. The findings overlap with Cyberwarzone’s earlier coverage of high-impact enterprise software flaws and global cybercrime disruption efforts targeting malicious infrastructure.

About the Author