In early 2026, a series of sophisticated cyberattacks targeted Fortinet’s FortiGate Next-Generation Firewalls (NGFW), enabling unauthorized access to enterprise networks and the exfiltration of sensitive credentials. These incidents, intercepted during the lateral movement phase, underscore the critical need for organizations to fortify their cybersecurity defenses.
Exploitation of Critical Vulnerabilities
The attacks exploited three high-severity vulnerabilities disclosed between December 2025 and February 2026:
1. CVE-2025-59718 and CVE-2025-59719: These vulnerabilities, each with a CVSS score of 9.8, stem from improper verification of cryptographic signatures (CWE-347). They allow unauthenticated attackers to send crafted SAML tokens, granting administrative access to FortiGate devices without valid credentials. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating remediation by January 23, 2026.
2. CVE-2026-24858: Identified as a zero-day vulnerability actively exploited in January 2026, this flaw enables attackers to log into victim FortiGate devices using their own FortiCloud accounts. Fortinet temporarily suspended FortiCloud Single Sign-On (SSO) on January 26, 2026, and issued firmware patches requiring customers to upgrade before restoring SSO functionality.
In addition to these exploits, lower-skilled actors have been scanning for open FortiGate instances, attempting logins using weak or default credentials, thereby lowering the technical barrier for initial access.
Credential Extraction and Lateral Movement
Once inside the compromised systems, attackers executed the `show full-configuration` command to extract the complete FortiGate configuration file. Due to FortiOS’s reversible encryption scheme, adversaries decrypted embedded service account credentials, particularly those for LDAP and Active Directory (AD) accounts, facilitating direct pivoting into internal networks.
Incident 1: Initial Access Broker and Rogue Domain Workstations
In one incident, the compromise likely began in late November 2025 and remained undetected until February 2026, resulting in a dwell time of approximately two months. The threat actor created a local FortiGate admin account named support and added four permissive firewall policies, enabling unrestricted traffic across all network zones. This low activity volume is consistent with an Initial Access Broker (IAB) establishing and verifying access before transferring it to another buyer.
In February 2026, the attacker authenticated to Active Directory using the decrypted `fortidcagent` service account credentials from IP address 193.24.211[.]61. They exploited the `mS-DS-MachineAccountQuota` attribute to join two rogue workstations—WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2—to the corporate domain. Password spraying originating from the FortiGate appliance IP, combined with artifacts linked to SoftPerfect Network Scanner, triggered security alerts and ultimately halted further lateral movement.
Incident 2: Remote Monitoring and Management Deployment and NTDS Exfiltration
In another incident investigated in late January 2026, the attacker created a local admin account named ssl-admin on the compromised FortiGate device. Within 10 minutes, they logged into multiple internal servers using domain administrator credentials harvested from the decrypted configuration file.
The actor staged files in `C:\ProgramData\USOShared` and deployed two Remote Monitoring and Management (RMM) tools—Pulseway and MeshAgent—hosted on attacker-controlled Google Cloud Storage and AWS S3 buckets, respectively. MeshAgent was concealed by setting the Windows Registry value `SystemComponent=1` to hide it from the Programs and Features list. The attacker then used DLL side-loading via malicious Java-named DLLs to beacon to attacker-controlled infrastructure.
Mitigation and Recommendations
To defend against such sophisticated attacks, organizations should implement the following measures:
1. Apply Security Patches Promptly: Regularly update FortiGate devices to the latest firmware versions to address known vulnerabilities.
2. Restrict Administrative Access: Disable public management interface access or limit it to trusted IP addresses using local-in policies.
3. Monitor Network Activity: Review logs for indicators of compromise, such as unauthorized account creation or changes to firewall configurations.
4. Enhance Authentication Mechanisms: Implement strong, unique passwords and enable multi-factor authentication (MFA) for all administrative accounts.
5. Conduct Regular Security Audits: Periodically assess network configurations and access controls to identify and remediate potential vulnerabilities.
By proactively addressing these vulnerabilities and strengthening security protocols, organizations can mitigate the risk of unauthorized access and safeguard their critical assets.
Twitter Post:
🚨 FortiGate firewalls exploited in recent attacks, leading to network breaches and credential theft. Ensure your systems are patched and secure. #CyberSecurity #FortiGate #NetworkSecurity
Focus Key Phrase:
FortiGate firewalls exploited
Article X Post:
Hashtags:
Article Key Phrase:
Category: Security News
