Security researchers have uncovered a series of cyber intrusions in early 2026 in which threat actors exploited vulnerabilities in FortiGate Next-Generation Firewall (NGFW) devices to establish persistent access inside enterprise networks. However, defenders detected the attacks during the lateral movement stage, preventing the adversaries from fully achieving their objectives. The investigation highlights how firewall vulnerabilities, when combined with weak configurations and credential exposure, can become a powerful entry point for attackers targeting corporate environments.

The intrusion campaign closely aligns with three critical vulnerabilities affecting Fortinet products that were disclosed between December 2025 and February 2026. Two of them, CVE-2025-59718 and CVE-2025-59719, carry a CVSS score of 9.8. Both stem from improper verification of cryptographic signatures in the devices' SAML single sign-on handling: a specially crafted SAML message is accepted as a valid authentication, so an unauthenticated attacker can obtain administrative access to a vulnerable FortiGate without holding any credentials. Because of active exploitation, the Cybersecurity and Infrastructure Security Agency added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog with a remediation deadline of January 23, 2026.

Shortly afterward, researchers identified a third flaw, CVE-2026-24858, which was exploited as a zero-day in January 2026. Unlike the earlier vulnerabilities, it allowed attackers to log into vulnerable FortiGate devices through FortiCloud single sign-on using a FortiCloud account they themselves controlled. Because this was a distinct attack path rather than a bypass of the earlier patches, Fortinet temporarily suspended FortiCloud SSO on January 26, 2026. The company later released firmware updates and required customers to upgrade before the SSO capability was restored.

Beyond these targeted exploits, researchers also observed a surge of opportunistic activity from lower-skilled threat actors. These attackers scanned the internet for exposed FortiGate devices and attempted logins using weak or default credentials. Consequently, even organizations that had not yet been targeted directly still faced elevated risk due to poor authentication practices.

Once attackers gained access to a FortiGate device, they ran the "show full-configuration" command to dump the firewall's entire configuration. Because FortiOS stores the secrets in that file with reversible encryption rather than hashing them, attackers were able to recover the plaintext of the credentials embedded in it, in particular the service account passwords used for Active Directory and LDAP integration. With those credentials in hand, attackers could authenticate to internal systems, pivot deeper into the network and escalate their privileges. Any configuration dump or backup should therefore be handled as if it contained plaintext credentials. FortiOS offers a "private-data-encryption" setting under "config system global" that replaces the default encryption key with an operator-defined one; enabling it reduces the exposure from a leaked configuration file, but it does not change the fact that an attacker with administrative access already controls the device.
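The extraction step described above can be turned into a triage script for responders. The Python below is an added example written for this article, not tooling from the researchers or from Fortinet. It parses a constructed configuration excerpt in the style of "show full-configuration" output (the section and attribute names, including the private-data-encryption setting, are assumptions about FortiOS syntax, and the ENC values are placeholders rather than real ciphertext), lists every value stored with the ENC marker together with the account and server it belongs to, and orders the findings for rotation. It deliberately decrypts nothing; the point is that a configuration dump is also a complete inventory of what must be rotated after a compromise.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the style of FortiOS "show full-configuration" output. The ENC
# values are placeholder strings, not real ciphertext, and the section/attribute names
# (user ldap, user radius, system admin, private-data-encryption) are assumed here.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
    set private-data-encryption disable
end
config user ldap
    edit "corp-ad"
        set server "10.10.0.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password ENC placeholder-ldap-bind-ciphertext
    next
end
config user radius
    edit "nps-01"
        set server "10.10.0.9"
        set secret ENC placeholder-radius-shared-secret
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder-admin-credential
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder-support-credential
    next
end
"""

_CONFIG_RE = re.compile(r"^config\s+(.+?)\s*$")
_EDIT_RE = re.compile(r'^edit\s+"?(.*?)"?\s*$')
_SET_RE = re.compile(r"^set\s+(\S+)\s+(.+?)\s*$")


@dataclass
class StoredSecret:
    path: str                 # config section, e.g. "user ldap"
    name: str                 # object name from the enclosing "edit", "" at section level
    attribute: str            # attribute holding the ENC value, e.g. "password"
    username: Optional[str]   # bind / service account if the object names one
    server: Optional[str]     # remote server the credential is used against, if any


def find_encrypted_secrets(config_text: str) -> List[StoredSecret]:
    """Walk the config/edit block structure and collect every attribute stored as 'ENC ...'."""
    frames = []   # one dict per open config/edit block: {"kind", "name", "attrs"}
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CONFIG_RE.match(line)
        if m:
            frames.append({"kind": "config", "name": m.group(1), "attrs": {}})
            continue
        m = _EDIT_RE.match(line)
        if m:
            frames.append({"kind": "edit", "name": m.group(1), "attrs": {}})
            continue
        if line in ("next", "end"):
            if not frames:
                continue
            frame = frames.pop()
            attrs = frame["attrs"]
            # Section path is the chain of enclosing "config" names; the object is the "edit" name.
            path = " ".join(f["name"] for f in frames + [frame] if f["kind"] == "config")
            obj = frame["name"] if frame["kind"] == "edit" else ""
            for attr, value in attrs.items():
                if value.startswith("ENC "):
                    found.append(StoredSecret(path, obj, attr, attrs.get("username"), attrs.get("server")))
            continue
        m = _SET_RE.match(line)
        if m and frames:
            frames[-1]["attrs"][m.group(1)] = m.group(2).strip('"')
    return found


def private_data_encryption_enabled(config_text: str) -> bool:
    """True only if the dump explicitly enables the operator-defined key; FortiOS defaults to disabled."""
    return re.search(r"^\s*set private-data-encryption enable\b", config_text, re.M) is not None


def rotation_plan(secrets: List[StoredSecret]) -> List[str]:
    """External directory/AAA credentials first (they are the pivot into the domain), local admins after."""
    external = [s for s in secrets if s.path.startswith("user ")]
    local = [s for s in secrets if not s.path.startswith("user ")]
    plan = []
    for s in external:
        who = s.username or s.name
        where = f" on {s.server}" if s.server else ""
        plan.append(f"{s.path} '{s.name}': rotate {s.attribute} for {who}{where}")
    for s in local:
        plan.append(f"{s.path} '{s.name}': reset {s.attribute} and confirm the account is legitimate")
    return plan


if __name__ == "__main__":
    found = find_encrypted_secrets(SAMPLE_CONFIG)
    print("private-data-encryption enabled:", private_data_encryption_enabled(SAMPLE_CONFIG))
    for item in rotation_plan(found):
        print(item)
```

Run against a real dump, the same walk also surfaces the unexpected "edit" entries under "system admin" (the "support" account in the sample) that the incidents below describe, so the inventory and the admin-account review can come from one pass over the file.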

In one investigated incident, the compromise began in late November 2025 and remained undetected until February 2026, giving attackers roughly two months of dwell time. During this period, the threat actor created a new FortiGate administrator account named “support” and added permissive firewall rules that allowed unrestricted traffic across network zones. Researchers believe this activity aligns with the behavior of an Initial Access Broker, who establishes and validates network access before selling it to other cybercriminal groups.

In a separate incident discovered in January 2026, attackers rapidly escalated their access after creating an administrative account called “ssl-admin.” Within minutes, they logged into multiple internal servers using domain administrator credentials extracted from the decrypted firewall configuration. They then deployed remote management tools such as Pulseway and MeshAgent, enabling persistent remote access to compromised systems.

To avoid detection, the attackers concealed MeshAgent by modifying Windows registry settings so that it would not appear in the list of installed programs. They also used DLL side-loading and malicious libraries to communicate with attacker-controlled domains. Ultimately, the threat actor created a Volume Shadow Copy of a domain controller and extracted the NTDS.dit database along with the SYSTEM registry hive, both of which contain critical authentication data for the domain: NTDS.dit holds the password hashes of every domain account, and the SYSTEM hive holds the boot key needed to decrypt them offline.
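The last step in that chain, a shadow copy followed by reads of NTDS.dit and the SYSTEM hive, is the pattern an endpoint detection should pair up. The Python below is an added example and not the researchers' detection content. It runs over constructed Sysmon-style process-creation records (the field names UtcTime, Computer, User, Image and CommandLine are assumed) and raises an incident only when a snapshot creation on a host is followed within a short window by a command that touches the directory database, saves the SYSTEM hive, or reads from a HarddiskVolumeShadowCopy path, so a routine "vssadmin list shadows" on a file server does not fire.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = r"""
{"UtcTime": "2026-01-14 09:41:10", "Computer": "DC01", "User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin create shadow /for=C:"}
{"UtcTime": "2026-01-14 09:41:35", "Computer": "DC01", "User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dat"}
{"UtcTime": "2026-01-14 09:41:50", "Computer": "DC01", "User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\SYSTEM C:\\Temp\\s.dat"}
{"UtcTime": "2026-01-14 09:45:02", "Computer": "DC01", "User": "CORP\\svc-backup", "Image": "C:\\Temp\\7z.exe", "CommandLine": "7z a C:\\Temp\\out.7z C:\\Temp\\n.dat C:\\Temp\\s.dat"}
{"UtcTime": "2026-01-14 11:02:00", "Computer": "FS01", "User": "CORP\\backup-op", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
"""

# Command-line signatures for each stage; all case-insensitive because attackers vary casing freely.
SIGNATURES = {
    "vss-create": re.compile(r"vssadmin(\.exe)?\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create|win32_shadowcopy", re.I),
    "ntds-access": re.compile(r"ntds\.dit|ntdsutil(\.exe)?.*\bifm\b", re.I),
    "system-hive-save": re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    "shadow-path": re.compile(r"harddiskvolumeshadowcopy\d*", re.I),
}

# Anything in this set, seen shortly after a snapshot on the same host, completes the pattern.
FOLLOW_ON = {"ntds-access", "system-hive-save", "shadow-path"}


@dataclass
class ProcEvent:
    when: datetime
    computer: str
    user: str
    image: str
    cmdline: str
    tags: set = field(default_factory=set)


def load_events(jsonl: str):
    """Parse JSON-lines records, tag each command line, and return events in time order."""
    events = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        ev = ProcEvent(datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S"),
                       rec["Computer"], rec["User"], rec["Image"], rec["CommandLine"])
        ev.tags = {name for name, rx in SIGNATURES.items() if rx.search(ev.cmdline)}
        events.append(ev)
    return sorted(events, key=lambda e: e.when)


def correlate(events, window=timedelta(minutes=30)):
    """Raise one incident per snapshot creation that is followed, on the same host and within
    the window, by a read of NTDS.dit, a SYSTEM hive save, or a shadow-copy path access."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev.computer, []).append(ev)
    incidents = []
    for host, evs in by_host.items():
        for idx, trigger in enumerate(evs):
            if "vss-create" not in trigger.tags:
                continue
            follow = [e for e in evs[idx + 1:]
                      if e.tags & FOLLOW_ON and e.when - trigger.when <= window]
            if follow:
                incidents.append({
                    "computer": host,
                    "user": trigger.user,
                    "start": trigger.when,
                    "tags": trigger.tags.union(*(e.tags for e in follow)),
                    "evidence": [trigger.cmdline] + [e.cmdline for e in follow],
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(load_events(SAMPLE_EVENTS)):
        print(f"{inc['computer']} {inc['start']} {inc['user']} tags={sorted(inc['tags'])}")
        for cmd in inc["evidence"]:
            print("   ", cmd)
```

The compression step (the 7z call in the sample) is intentionally not a signature: on its own it is too common to alert on, but once an incident exists it is the next thing to pull from the timeline, together with the outbound connection that followed it.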

The attackers compressed these files and exfiltrated them over a connection to an IP address associated with Cloudflare infrastructure, a destination that blends in with ordinary traffic to a widely used content delivery network, before deleting local evidence of the operation.

Security researchers emphasized that limited log retention significantly complicated both investigations. Without adequate logging, defenders struggled to determine the exact initial access vector. Organizations are therefore strongly encouraged to retain firewall logs for at least 14 days, with 60 to 90 days considered best practice. Because an attacker with administrative access to the appliance can clear logs stored on the device itself, that retention should be achieved by forwarding logs off-box, for example to a log collector or SIEM, rather than relying on local storage alone.

To mitigate similar threats, experts recommend immediately applying the firmware updates that address the known vulnerabilities, rotating every directory service credential configured on FortiGate appliances, and eliminating weak or default passwords on edge devices. Organizations should also monitor for new administrator accounts and newly added permissive policies on firewall systems, and review the Active Directory setting that lets ordinary domain users join machines to the domain (the ms-DS-MachineAccountQuota attribute, which allows ten computers per user by default), since unauthorized machine joins give an attacker a foothold that survives credential rotation.
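The two incidents described earlier share two firewall-side signals, a newly created administrator and an any-to-any accept policy, and the monitoring recommendation above targets exactly those. As an added example, not the researchers' or Fortinet's detection logic, the Python below parses constructed FortiOS event-log lines in key=value form; the field names cfgpath, cfgobj, cfgattr, action, ui and srcip follow the FortiOS configuration-change and admin-login log formats as assumed here. It flags administrator creation, accept policies that allow all interfaces, addresses and services, and successful administrator logins from addresses outside an allow-list of management hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed FortiOS event-log lines in key=value syslog style; the cfgpath/cfgobj/cfgattr
# fields follow the FortiOS configuration-change log format as assumed for this example.
SAMPLE_LOGS = """\
date=2026-01-14 time=09:12:03 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.25)" action="Add" cfgtid=1 cfgpath="system.admin" cfgobj="ssl-admin" cfgattr="accprofile[super_admin]vdom[root]" msg="Add system.admin ssl-admin"
date=2026-01-14 time=09:13:02 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="ssl-admin" ui="ssh(203.0.113.25)" method="ssh" srcip=203.0.113.25 dstip=192.0.2.1 action="login" status="success" msg="Administrator ssl-admin logged in successfully from ssh(203.0.113.25)"
date=2026-01-14 time=09:13:40 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="ssl-admin" ui="ssh(203.0.113.25)" action="Add" cfgtid=2 cfgpath="firewall.policy" cfgobj="42" cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]service[ALL]action[accept]" msg="Add firewall.policy 42"
date=2026-01-14 time=10:00:00 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.20.30.40)" action="Edit" cfgtid=3 cfgpath="firewall.policy" cfgobj="7" cfgattr="comments[change 1234]" msg="Edit firewall.policy 7"
"""

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted value" or key=bare
_ATTR_RE = re.compile(r"(\w+)\[([^\]]*)\]")            # cfgattr entries look like name[value]
_UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # address inside ui="GUI(a.b.c.d)"


@dataclass
class Alert:
    rule: str
    when: str
    user: str
    src: Optional[str]
    detail: str


def parse_line(line: str) -> dict:
    return {k: (q or u) for k, q, u in _KV_RE.findall(line)}


def parse_cfgattr(value: str) -> dict:
    return {k: v for k, v in _ATTR_RE.findall(value)}


def source_ip(ev: dict) -> Optional[str]:
    """Login events carry srcip; config-change events only expose the address inside ui."""
    if "srcip" in ev:
        return ev["srcip"]
    m = _UI_IP_RE.search(ev.get("ui", ""))
    return m.group(1) if m else None


def evaluate(log_text: str, trusted_admin_sources: set) -> List[Alert]:
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        when = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        user = ev.get("user", "?")
        src = source_ip(ev)

        # Rule 1: a new entry under system.admin is a new firewall administrator.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            alerts.append(Alert("new-admin-account", when, user, src,
                                f"created admin {ev.get('cfgobj')} ({ev.get('cfgattr', '')})"))

        # Rule 2: an accept policy spanning all interfaces or all addresses with every service.
        if ev.get("cfgpath") == "firewall.policy" and ev.get("action") in ("Add", "Edit"):
            a = parse_cfgattr(ev.get("cfgattr", ""))
            any_intf = a.get("srcintf") == "any" and a.get("dstintf") == "any"
            all_addr = a.get("srcaddr") == "all" and a.get("dstaddr") == "all"
            if a.get("action") == "accept" and (any_intf or all_addr) and a.get("service", "").upper() == "ALL":
                alerts.append(Alert("permissive-policy", when, user, src,
                                    f"policy {ev.get('cfgobj')}: {ev.get('cfgattr')}"))

        # Rule 3: a successful administrator login from outside the management allow-list.
        if ev.get("action") == "login" and ev.get("status") == "success" and src not in trusted_admin_sources:
            alerts.append(Alert("admin-login-untrusted-source", when, user, src, ev.get("ui", "")))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS, trusted_admin_sources={"10.20.30.40"}):
        print(f"{alert.when} {alert.rule:28} user={alert.user:10} src={alert.src} {alert.detail}")
```

Keep the allow-list to the addresses of the management network or jump hosts; in both incidents the first administrative actions came from outside that set, which is the earliest point at which rule 3 would have fired, before the account creation and the policy change that rules 1 and 2 catch.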

As firewall appliances increasingly become high-value attack targets, maintaining strong configuration hygiene and proactive monitoring will be essential to prevent similar intrusion campaigns in the future.
