INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
FortiGate Device Exploitation Breaches Networks
2026-03-10 19:02 | Severity: HIGH
Executive Summary (AI-generated)
The threat landscape is increasingly complex, with attackers exploiting vulnerabilities and weak credentials in FortiGate devices to breach networks and steal sensitive information. This has led to a surge in incidents where these appliances have been compromised to establish a foothold into the targeted environment. Organizations should take immediate action to ensure they have at least 14 days of log retention on NGFW appliances like FortiGate, as insufficient retention can hinder investigations. Furthermore, implementing strong administrative access controls and patching software vulnerabilities are crucial in preventing exploitation by threat actors.
Technical Mitigations (AI-generated)
* Implement strong administrative controls: Enforce strict access control measures, such as multi-factor authentication and role-based access control, to limit the damage caused by unauthorized access.
* Keep software patched: Regularly update FortiGate devices with the latest security patches to prevent exploitation of known vulnerabilities.
* Maintain adequate log retention: Ensure that logs are retained for at least 14 days, and up to 90 days where possible, to detect anomalies, track unauthorized account creation, and monitor for configuration access.
* Use strong encryption: Implement end-to-end encryption on sensitive data stored in FortiGate devices or cloud storage services to protect against lateral movement and malware execution.
* Monitor network activity: Regularly review network traffic patterns to identify potential security threats and respond quickly to neutralize them.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-59718
CVE-2026-24858
CVE-2025-59719
Target & Sectors
Global Scope
government
defense
healthcare
Incident Timeline
November 2025
A FortiGate appliance was breached in November 2025.
In one incident, the attackers are said to have breached a FortiGate appliance in November 2025 to create a new local administrator account named "support" and used it to set up four new firewall policies that allowed the account to traverse all zones without any restrictions.
late January 2026
MeshAgent remote access tools were deployed by attackers on FortiGate devices.
In another case investigated in late January 2026, attackers swiftly moved from firewall access to deploying remote access tools like Pulseway and MeshAgent.
February 2026
Threat actors used a FortiGate device to access sensitive network information by extracting its configuration file, which contained encrypted LDAP service account credentials.
Mar 10, 2026
Threat actors exploited vulnerabilities in FortiGate devices to gain unauthorized access to sensitive network information.
2026-03-10
Attackers exploited FortiGate devices to gain initial access and steal configuration data containing service account credentials.
The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today.
SentinelOne researchers warn that attackers are exploiting vulnerabilities or weak credentials in FortiGate devices to gain initial access to corporate networks.
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials.
Ravie Lakshmanan
Mar 10, 2026
Network Security / Vulnerability
Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks.
"FortiGate network appliances have considerable access to the environments they were installed to protect," security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne said.
However, the cybersecurity company noted that such access could be exploited by attackers who break into FortiGate devices through known vulnerabilities (e.g., CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfigurations.
Attackers exploit FortiGate devices to access sensitive network information.
Attackers are exploiting FortiGate devices to breach networks and steal configuration data containing service account credentials and network details.
FortiGate appliances, often integrated with AD and LDAP, allow role mapping and fast response for network alerts.
Next-generation firewalls (NGFWs), like FortiGate, are widely used because they combine strong network security with features like Active Directory integration.
“Organizations should consider that FortiGate and other edge devices typically do not permit security software to be installed on the appliance, such as endpoint detection and response (EDR) tools.
“Further, both of these investigations were hindered by insufficient FortiGate log retention. Organizations should ensure they have at least 14 days of log retention on NGFW appliances like FortiGate, though 60-90 days is much better when possible.”
Pierluigi Paganini (SecurityAffairs – hacking, Fortinet)
Threat actors have abused this access by targeting CVE-2025-59718 and CVE-2025-59719, exploiting SSO signature validation flaws to gain unauthenticated admin access.
CVE-2026-24858 allowed attackers to log in through FortiCloud SSO.
"In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP)."
"This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that’s being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device."
The threat actor then kept periodically checking to ensure the device was accessible, an action consistent with an initial access broker (IAB) establishing a foothold and selling it to other criminal actors for monetary gain.
In another incident, attackers created admin accounts, deployed Pulseway and MeshAgent RMM tools, and used PowerShell and DLL side-loading to execute malware.
The Java malware, launched via DLL side-loading, was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server ("172.67.196[.]232") over port 443.
In one case analyzed by SentinelOne, attackers created local admin accounts, modified firewall policies, and periodically checked access before extracting configuration files containing encrypted LDAP service account credentials.
They staged malicious payloads on cloud storage (Google Cloud, AWS S3), ran tasks to maintain persistence, and used PsExec to move laterally.
early 2026
Threat actors exploited FortiGate devices to gain access to sensitive network information.
“Throughout early 2026, SentinelOne’s Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment.”
Tactical Metrics
Affected Product (infrastructure): FortiGate
Intelligence Sources
* The Hacker News (2026-03-10)
* Security Affairs (2026-03-10)
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T10:37
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 24x organisation (Identified Entity): FortiGate Devices Exploited
* 9x timeline (Temporal Reference): Mar 10, 2026
* 3x industry (Targeted Sector): Healthcare
* 3x tactic (Cyber Operation Type): Lateral Movement
* 3x tactic (MITRE ATT&CK Technique): T1589.001 - Credentials
* 3x vulnerability (Exploited CVE): CVE-2025-59718
Contextual Telemetry
Context Block (2 metrics)
* Affected Product (infrastructure, software): FortiGate
* Port (general metric): 443