Ethical Hacking News
FortiGate devices have been exploited by threat actors to access sensitive network information, highlighting a growing concern for network security. Organizations must take immediate action to secure their FortiGate devices by enforcing strong administrative controls and maintaining adequate log retention. This vulnerability in FortiGate devices is a wake-up call for organizations to prioritize their network security and implement robust measures to prevent exploitation of these vulnerabilities.
Threat actors are exploiting vulnerabilities and weak credentials in FortiGate devices to breach networks. The campaign targets sectors such as healthcare, government agencies, and managed service providers. Attackers use custom malware and exploit known vulnerabilities like CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. Threat actors gain unauthenticated admin access by targeting vulnerabilities in FortiGate NGFW appliances. Attackers can extract configuration files containing sensitive network information.
In a recent security alert, SentinelOne researchers revealed that threat actors are exploiting vulnerabilities and weak credentials in FortiGate devices to breach networks and steal sensitive information. This campaign appears to target sectors such as healthcare, government agencies, and managed service providers, with attackers using custom malware and exploiting known vulnerabilities like CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.
The FortiGate Next-Generation Firewall (NGFW) appliances, often integrated with Active Directory and LDAP, provide role mapping and fast response for network alerts. However, threat actors have abused this access by targeting these vulnerabilities to gain unauthenticated admin access, allowing them to extract configuration files containing service accounts and sensitive network information.
One case analyzed by SentinelOne showed that attackers created local admin accounts, modified firewall policies, and periodically checked access before extracting configuration files containing encrypted LDAP service account credentials. These were decrypted to authenticate to Active Directory and enroll rogue workstations, allowing deeper network access.
In another incident, attackers created admin accounts, deployed Pulseway and MeshAgent RMM tools, and used PowerShell and DLL side-loading to execute malware. They staged malicious payloads on cloud storage (Google Cloud, AWS S3), ran tasks to maintain persistence, and used PsExec to move laterally.
The attackers made a backup of the main domain controller, took the NTDS.dit file and SYSTEM registry data, compressed them, and uploaded them to their servers. After the incident was contained, no further misuse of accounts was seen.
This vulnerability in FortiGate devices highlights the growing concern for network security, particularly with the increasing use of next-generation firewalls (NGFWs) that combine strong network security with features like Active Directory integration. The exploitation of these devices can have severe consequences, including the theft of sensitive information and the potential for lateral movement into a corporate network.
Organizations should take immediate action to secure their FortiGate devices by enforcing strong administrative controls, keeping software patched, and maintaining adequate log retention (at least 14-90 days). Logs should be sent to a SIEM system to detect anomalies, track unauthorized account creation, monitor for configuration access, spot malware or C2 traffic, preserve evidence, and enable automated responses to neutralize threats quickly.
Furthermore, both SentinelOne and Fortinet emphasize the importance of strong administrative access controls and software patching. Additionally, the lack of sufficient log retention on NGFW appliances like FortiGate can hinder investigations into security incidents.
As a result, it is essential for organizations to prioritize their network security by implementing robust measures to prevent exploitation of these vulnerabilities. This includes ensuring that all employees are aware of the risks associated with using vulnerable devices and taking steps to educate them on how to identify and report suspicious activity.
In conclusion, the recent discovery of FortiGate vulnerabilities highlights the importance of prioritizing network security and taking proactive measures to protect against potential threats. By enforcing strong administrative controls, keeping software patched, and maintaining adequate log retention, organizations can significantly reduce the risk of successful exploitation of these vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/FortiGate-Vulnerabilities-Exposed-A-Growing-Concern-for-Network-Security-ehn.shtml
https://securityaffairs.com/189241/security/attackers-exploit-fortigate-devices-to-access-sensitive-network-information.html
https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html
https://nvd.nist.gov/vuln/detail/CVE-2025-59718
https://www.cvedetails.com/cve/CVE-2025-59718/
https://nvd.nist.gov/vuln/detail/CVE-2025-59719
https://www.cvedetails.com/cve/CVE-2025-59719/
https://nvd.nist.gov/vuln/detail/CVE-2026-24858
https://www.cvedetails.com/cve/CVE-2026-24858/
Published: Tue Mar 10 16:53:07 2026 by llama3.2 3B Q4_K_M
