In early 2026, a series of sophisticated cyber intrusions targeted FortiGate Next-Generation Firewalls (NGFWs), enabling attackers to establish persistent access within enterprise networks. These incidents, intercepted during the lateral movement phase, underscore the critical importance of timely vulnerability management and robust security practices.
Exploited Vulnerabilities
The attack wave exploited three high-severity vulnerabilities in Fortinet’s products:
1. CVE-2025-59718 and CVE-2025-59719: Both vulnerabilities, with a CVSS score of 9.8, stem from improper verification of cryptographic signatures (CWE-347). They allow unauthenticated attackers to send crafted SAML tokens, granting administrative access to FortiGate devices without valid credentials. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, setting a remediation deadline of January 23, 2026.
2. CVE-2026-24858: This zero-day vulnerability, actively exploited in January 2026, enables attackers to log into victim FortiGate devices using their own FortiCloud accounts. Fortinet temporarily suspended FortiCloud Single Sign-On (SSO) on January 26, 2026, and issued firmware patches requiring customers to upgrade before restoring SSO functionality.
Additionally, lower-skilled actors have been scanning for open FortiGate instances and attempting logins using weak or default credentials, reducing the technical barrier for initial access.
Attack Methodology
Once inside the network, attackers executed the `show full-configuration` command to extract the full FortiGate configuration file. Due to FortiOS’s reversible encryption scheme, adversaries decrypted embedded service account credentials, particularly those for LDAP and Active Directory (AD), facilitating further network penetration.
Incident Analyses
Incident 1: IAB Foothold and Rogue Domain Workstations
In late November 2025, an intrusion began and remained undetected until February 2026, resulting in a dwell time of approximately two months. The attacker created a local FortiGate admin account named support and added four permissive firewall policies, enabling unrestricted traffic across all network zones. This low activity volume suggests an Initial Access Broker (IAB) establishing and verifying access before transferring it to another party.
In February 2026, the attacker authenticated to Active Directory using the decrypted `fortidcagent` service account credentials from IP address 193.24.211[.]61. They exploited the `mS-DS-MachineAccountQuota` attribute to join two rogue workstations—WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2—to the corporate domain. Password spraying originating from the FortiGate appliance IP, combined with artifacts linked to SoftPerfect Network Scanner, triggered security alerts, ultimately halting further lateral movement.
Incident 2: RMM Deployment and NTDS Exfiltration
In late January 2026, an attacker created a local admin account named ssl-admin on the compromised FortiGate device. Within 10 minutes, they logged into multiple internal servers using domain administrator credentials harvested from the decrypted configuration file.
The attacker staged files in `C:\ProgramData\USOShared` and deployed two Remote Monitoring and Management (RMM) tools—Pulseway and MeshAgent—hosted on attacker-controlled Google Cloud Storage and AWS S3 buckets, respectively. MeshAgent was concealed by setting the Windows Registry value `SystemComponent=1` to hide it from the Programs and Features list. The attacker then used DLL side-loading via malicious Java-named DLLs to beacon to attacker-controlled infrastructure.
Mitigation Strategies
To defend against such sophisticated attacks, organizations should implement the following measures:
1. Patch Management: Regularly update FortiGate devices to the latest firmware versions to address known vulnerabilities.
2. Credential Management: Enforce strong, unique passwords for all accounts and disable default credentials.
3. Network Segmentation: Implement strict network segmentation to limit lateral movement opportunities for attackers.
4. Monitoring and Detection: Deploy advanced monitoring tools to detect unusual activities, such as unauthorized account creations or unexpected network traffic patterns.
5. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action when a breach is detected.
By proactively addressing these vulnerabilities and strengthening security postures, organizations can significantly reduce the risk of unauthorized access and potential data breaches.
Twitter Post:
🚨 FortiGate Firewalls exploited in recent attacks! Ensure your devices are updated and credentials secured. #CyberSecurity #FortiGate #NetworkSecurity #DataBreach
Focus Key Phrase:
FortiGate Firewalls Exploited
Article X Post:
Hashtags:
Article Key Phrase:
Category: Security News
