FortiGate Firewalls Exploited in Wave of Attacks to Breach Networks and Steal Credentials
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A series of intrusions in early 2026 in which threat actors compromised FortiGate Next-Generation Firewalls (NGFW) to establish persistent footholds within enterprise environments. Each case was intercepted during the lateral movement phase before the attackers could fully achieve their objectives.<\/p>\n
The attack wave uncovered by SentinelOne closely tracks three high-severity Fortinet vulnerabilities disclosed between December 2025 and February 2026.<\/p>\n
CVE-2025-59718<\/a> and CVE-2025-59719<\/a> (CVSS: 9.8), both rooted in improper verification of cryptographic signatures (CWE-347), allow an unauthenticated attacker to send a crafted SAML token and gain administrative access to FortiGate devices without valid credentials. CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog with a remediation deadline of January 23, 2026.<\/p>\n A third flaw, CVE-2026-24858<\/a>, emerged as a zero-day actively exploited in January 2026, allowing attackers to log into victim FortiGate devices using their own FortiCloud account a distinct attack path confirmed as a net-new vulnerability rather than a patch bypass.<\/p>\n Fortinet temporarily suspended FortiCloud SSO on January 26, 2026, and issued firmware patches requiring customers to upgrade before SSO functionality would be restored.<\/p>\n Beyond weaponized exploits, researchers also noted that lower-skilled actors are scanning for open FortiGate instances and attempting logins using weak or default credentials, lowering the technical bar for initial access.<\/p>\n Once inside, attackers executed the In the first investigated incident, the compromise likely began in late November 2025 and went undetected through February 2026, a dwell time of approximately two months.<\/p>\n After gaining access, the threat actor created a local FortiGate admin account named \u201csupport\u201d and added four permissive firewall policies enabling unrestricted traffic across all network zones.<\/p>\n The low activity volume during this period is consistent with an Initial Access Broker (IAB) establishing and verifying access before transferring it to another buyer.<\/p>\n In February 2026, the attacker authenticated to Active Directory using the decrypted Password spraying originating from the FortiGate appliance IP, combined with artifacts linked to SoftPerfect Network Scanner, triggered security alerts and ultimately halted further lateral movement.<\/p>\n In the second incident, investigated in late January 2026, the attacker created a local admin account named \u201cssl-admin\u201d on the compromised FortiGate device and, within 10 minutes, logged into multiple internal servers using domain administrator credentials harvested from the decrypted configuration file.<\/p>\n The actor staged files in MeshAgent was concealed by setting the Windows Registry value To complete the attack chain, the threat actor created a Volume Shadow Copy of the primary domain controller and extracted the NTDS.dit file and SYSTEM registry hive using SentinelOne highlighted<\/a> that insufficient log retention severely hindered both investigations, preventing precise identification of the initial access vector. Organizations should implement a minimum of 14 days of FortiGate log retention, with 60 to 90 days strongly preferred. Key defensive actions include:<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post FortiGate Firewalls Exploited in Wave of Attacks to Breach Networks and Steal Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nConfiguration Files Stripped for Credentials<\/strong><\/h2>\n
show full-configuration<\/code> command to extract the full FortiGate configuration file. Because FortiOS uses a reversible encryption scheme for these files, adversaries were able to decrypt embedded service account credentials, particularly LDAP and Active Directory (AD) accounts, and pivot directly into the internal network.<\/p>\nIncident 1: IAB Foothold and Rogue Domain Workstations<\/strong><\/h3>\n
fortidcagent<\/code> service account credentials from IP address 193.24.211[.]61, then exploited the mS-DS-MachineAccountQuota<\/code> attribute to join two rogue workstations \u2014 WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2 to the corporate domain.<\/p>\nIncident 2: RMM Deployment and NTDS Exfiltration<\/strong><\/h3>\n
C:ProgramDataUSOShared<\/code> and deployed two Remote Monitoring and Management (RMM) tools \u2014 Pulseway and MeshAgent \u2014 hosted on attacker-controlled Google Cloud Storage and AWS S3 buckets, respectively.<\/p>\nSystemComponent=1<\/code> to hide it from the Programs and Features list. The attacker then used DLL side-loading via malicious Java-named DLLs to beacon to attacker-controlled domains ndibstersoft[.]com<\/code> and neremedysoft[.]com<\/code>.<\/p>\nmakecab<\/code>, then exfiltrated the compressed archives via a connection to a Cloudflare-owned IP (172.67.196[.]232) before deleting the local copies.<\/p>\nMitigations<\/strong><\/h2>\n
\n
mS-DS-MachineAccountQuota<\/code> settings to restrict unauthorized workstation joins to the domain.<\/li>\n