FortiGate Firewalls Exploited in Wave of Attacks to Breach Networks and Steal Credentials

March 14, 2026


In a series of intrusions in early 2026, threat actors compromised FortiGate Next-Generation Firewalls (NGFW) to establish persistent footholds within enterprise environments. Each case was intercepted during the lateral movement phase, before the attackers could fully achieve their objectives.

The attack wave uncovered by SentinelOne closely tracks three high-severity Fortinet vulnerabilities disclosed between December 2025 and February 2026.

CVE-2025-59718 and CVE-2025-59719 (CVSS: 9.8), both rooted in improper verification of cryptographic signatures (CWE-347), allow an unauthenticated attacker to send a crafted SAML token and gain administrative access to FortiGate devices without valid credentials. CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog with a remediation deadline of January 23, 2026.

A third flaw, CVE-2026-24858, emerged as a zero-day actively exploited in January 2026, allowing attackers to log into victim FortiGate devices using their own FortiCloud account, a distinct attack path confirmed as a net-new vulnerability rather than a patch bypass.

Fortinet temporarily suspended FortiCloud SSO on January 26, 2026, and issued firmware patches requiring customers to upgrade before SSO functionality would be restored.

Beyond weaponized exploits, researchers also noted that lower-skilled actors are scanning for open FortiGate instances and attempting logins using weak or default credentials, lowering the technical bar for initial access.

Configuration Files Stripped for Credentials

Once inside, attackers executed the show full-configuration command to extract the full FortiGate configuration file. Because FortiOS uses a reversible encryption scheme for these files, adversaries were able to decrypt embedded service account credentials, particularly LDAP and Active Directory (AD) accounts, and pivot directly into the internal network.

Incident 1: IAB Foothold and Rogue Domain Workstations

In the first investigated incident, the compromise likely began in late November 2025 and went undetected through February 2026, a dwell time of approximately two months.

After gaining access, the threat actor created a local FortiGate admin account named “support” and added four permissive firewall policies enabling unrestricted traffic across all network zones.

The low activity volume during this period is consistent with an Initial Access Broker (IAB) establishing and verifying access before transferring it to another buyer.

In February 2026, the attacker authenticated to Active Directory using the decrypted fortidcagent service account credentials from IP address 193.24.211[.]61, then exploited the mS-DS-MachineAccountQuota attribute to join two rogue workstations, WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2, to the corporate domain.

Password spraying originating from the FortiGate appliance IP, combined with artifacts linked to SoftPerfect Network Scanner, triggered security alerts and ultimately halted further lateral movement.

Incident 2: RMM Deployment and NTDS Exfiltration

In the second incident, investigated in late January 2026, the attacker created a local admin account named “ssl-admin” on the compromised FortiGate device and, within 10 minutes, logged into multiple internal servers using domain administrator credentials harvested from the decrypted configuration file.

The actor staged files in C:\ProgramData\USOShared and deployed two Remote Monitoring and Management (RMM) tools, Pulseway and MeshAgent, hosted on attacker-controlled Google Cloud Storage and AWS S3 buckets, respectively.

MeshAgent was concealed by setting the Windows Registry value SystemComponent=1 to hide it from the Programs and Features list. The attacker then used DLL side-loading via malicious Java-named DLLs to beacon to attacker-controlled domains ndibstersoft[.]com and neremedysoft[.]com.

To complete the attack chain, the threat actor created a Volume Shadow Copy of the primary domain controller and extracted the NTDS.dit file and SYSTEM registry hive using makecab, then exfiltrated the compressed archives via a connection to a Cloudflare-owned IP (172.67.196[.]232) before deleting the local copies.

Mitigations

SentinelOne highlighted that insufficient log retention severely hindered both investigations, preventing precise identification of the initial access vector. Organizations should implement a minimum of 14 days of FortiGate log retention, with 60 to 90 days strongly preferred. Key defensive actions include:

  • Immediately apply all available Fortinet firmware patches addressing CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.
  • Rotate all LDAP and AD credentials associated with FortiGate appliances following any suspected compromise.
  • Enforce strong administrative access controls and eliminate default or weak credentials on network edge devices.
  • Monitor for unauthorized local admin account creation on FortiGate appliances (names such as “support,” “ssl-admin,” “helpdesk”).
  • Audit mS-DS-MachineAccountQuota settings to restrict unauthorized workstation joins to the domain.
  • Ensure EDR telemetry from servers adjacent to the NGFW is actively monitored, as the appliances themselves cannot host endpoint detection tools.
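The configuration dump, local admin creation and permissive policy additions described above all leave traces in FortiGate event logs. The following detection script is an added example, not code from SentinelOne or Fortinet; the sample log lines are constructed, and their field names and the cfgattr layout only approximate the FortiOS key=value syslog format, so adjust the keys to match the logs your appliances actually emit.

```python
import re

# Constructed FortiOS-style key=value event log lines. Field names approximate
# the FortiOS system/event format; hosts, users and values are invented.
SAMPLE_LOGS = [
    'date=2026-02-10 time=08:12:44 type="event" subtype="system" level="information" '
    'user="admin" ui="https(198.51.100.7)" action="Add" cfgpath="system.admin" '
    'cfgobj="support" msg="Add system.admin support"',
    'date=2026-02-10 time=08:13:02 type="event" subtype="system" level="information" '
    'user="support" ui="https(198.51.100.7)" action="Add" cfgpath="firewall.policy" '
    'cfgobj="42" cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]service[ALL]action[accept]" '
    'msg="Add firewall.policy 42"',
    'date=2026-02-10 time=08:14:30 type="event" subtype="system" level="information" '
    'user="support" ui="ssh(198.51.100.7)" action="cli" msg="User support executed: show full-configuration"',
    'date=2026-02-10 time=09:00:00 type="event" subtype="system" level="information" '
    'user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="system.ntp" cfgobj="ntp" msg="Edit system.ntp"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')          # key="quoted" or key=bare
SUSPICIOUS_ADMIN_NAMES = {"support", "ssl-admin", "helpdesk"}  # names cited in the article

def parse_line(line: str) -> dict[str, str]:
    """Turn one key=value syslog line into a dict, stripping quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def is_permissive_policy(cfgattr: str) -> bool:
    """True when a newly added policy accepts any->any traffic for all services."""
    needed = ("srcintf[any]", "dstintf[any]", "service[ALL]", "action[accept]")
    return all(tok in cfgattr for tok in needed)

def find_findings(lines: list[str]) -> list[str]:
    """Apply the three detections from the incidents; returns one string per hit."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        src = ev.get("ui", "?")
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            name = ev.get("cfgobj", "")
            sev = "HIGH" if name in SUSPICIOUS_ADMIN_NAMES else "MEDIUM"
            findings.append(f"{sev}: local admin '{name}' added by {ev.get('user')} from {src}")
        elif ev.get("cfgpath") == "firewall.policy" and ev.get("action") == "Add" \
                and is_permissive_policy(ev.get("cfgattr", "")):
            findings.append(f"HIGH: permissive any/any policy {ev.get('cfgobj')} added by {ev.get('user')} from {src}")
        elif "show full-configuration" in ev.get("msg", ""):
            findings.append(f"HIGH: full configuration dumped by {ev.get('user')} from {src}")
    return findings
```

Running find_findings(SAMPLE_LOGS) flags the first three lines and ignores the routine NTP edit; feeding it the retained log history is only possible if retention covers the dwell time, which is why the 60 to 90 day recommendation matters.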
