In early 2026, a wave of cyber intrusions targeted FortiGate Next-Generation Firewalls (NGFW), allowing attackers to gain persistent access within enterprise networks. These breaches were disrupted by security measures during the lateral movement phase, preventing attackers from fully realizing their goals.
Exploiting FortiGate Vulnerabilities
The attacks, identified by SentinelOne, exploited three critical vulnerabilities in Fortinet’s systems, disclosed between December 2025 and February 2026. Two major vulnerabilities, CVE-2025-59718 and CVE-2025-59719, both with a CVSS score of 9.8, involved improper cryptographic signature verification, enabling unauthorized access through crafted SAML tokens. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its catalog of known exploited vulnerabilities, mandating remediation by January 2026.
A zero-day vulnerability, CVE-2026-24858, emerged in January 2026, allowing attackers to bypass authentication using FortiCloud accounts. Fortinet responded by temporarily suspending FortiCloud single sign-on (SSO) and deploying necessary firmware patches.
Credential Theft via Configuration Files
Once inside the network, attackers executed commands to extract FortiGate configuration files. The reversible encryption of these files enabled the decryption of embedded service account credentials, particularly affecting LDAP and Active Directory accounts. This access allowed attackers to penetrate deeper into the internal network.
In one incident, threat actors set up a local admin account named “support” and configured permissive firewall policies, facilitating unrestricted network traffic. The attackers later used stolen credentials to authenticate and join rogue workstations to the corporate domain, triggering security alerts that eventually halted further progression.
Advanced Attack Tactics and Mitigations
In another breach, attackers swiftly established local admin accounts and accessed internal servers using harvested credentials. They deployed Remote Monitoring and Management (RMM) tools from cloud storage, and concealed their activities using advanced techniques like DLL side-loading.
To mitigate such threats, SentinelOne recommends organizations maintain at least 14 days of FortiGate log retention, with a preference for 60 to 90 days. Key defensive measures include applying all available Fortinet firmware patches, rotating compromised LDAP and AD credentials, enforcing robust access controls, and monitoring unauthorized admin account creations.
Additionally, auditing mS-DS-MachineAccountQuota settings can prevent unauthorized device additions to the domain, and ensuring active monitoring of endpoint detection and response (EDR) telemetry can provide critical insights into network activities.
For more updates on cybersecurity, follow us on Google News, LinkedIn, and X. Contact us to share your cybersecurity stories.
