FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Executive Summary
In early 2026, threat actors exploited vulnerabilities and weak credentials in FortiGate Next-Generation Firewall (NGFW) appliances to breach networks across healthcare, government, and managed service providers. By accessing these devices, attackers extracted configuration files containing service account credentials and network topology information, enabling unauthorized access to Active Directory environments and the enrollment of rogue workstations. The breaches were detected during lateral movement phases, preventing further escalation. (sentinelone.com)
This incident underscores the critical importance of securing network infrastructure devices, as their compromise can lead to significant data breaches and operational disruptions. The exploitation of such devices highlights the evolving tactics of threat actors targeting essential security appliances to gain deeper access into organizational networks. (sentinelone.com)
Why This Matters Now
The exploitation of FortiGate devices highlights the urgent need for organizations to secure network infrastructure, as attackers increasingly target security appliances to gain deeper access into networks. (sentinelone.com)
Attack Path Analysis
Attackers exploited vulnerabilities in FortiGate devices to gain unauthorized access, created new administrator accounts, and established unrestricted firewall policies. They extracted configuration files containing encrypted service account credentials, decrypted them, and authenticated to Active Directory, enrolling rogue workstations. Remote access tools and malware were deployed to exfiltrate sensitive data to external servers.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in FortiGate devices (CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) to gain unauthorized access.
Related CVEs
CVE-2025-59718
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet FortiOS and FortiProxy allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, 7.0.0 through 7.0.21
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Affected Products:
Fortinet FortiWeb – 8.0.0, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9
Exploit Status:
exploited in the wildCVE-2026-24858
CVSS 9.8An authentication bypass vulnerability in multiple Fortinet products may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts if FortiCloud SSO authentication is enabled.
Affected Products:
Fortinet FortiAnalyzer – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiManager – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiOS – 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18
Fortinet FortiProxy – 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2.0 through 7.2.15, 7.0.0 through 7.0.22
Fortinet FortiWeb – 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, 7.4.0 through 7.4.11
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Disable or Modify Network Device Firewall
Exploitation of Remote Services
Masquerading
Command and Scripting Interpreter: PowerShell
OS Credential Dumping
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
HIPAA – Risk Analysis
Control ID: 164.308(a)(1)(ii)(A)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
FortiGate exploits targeting healthcare expose AD credentials, enabling lateral movement through patient systems, violating HIPAA compliance requirements and compromising critical medical infrastructure.
Government Administration
Network infrastructure compromises via FortiGate vulnerabilities expose government service accounts, enabling unauthorized access to classified systems and sensitive citizen data through credential harvesting.
Information Technology/IT
Managed service providers face multi-tenant exposure through FortiGate breaches, where compromised LDAP credentials enable attackers to pivot across client environments and deploy malware.
Computer/Network Security
Security infrastructure vendors must address FortiGate exploitation vectors including CVE-2025-59718, implementing zero trust segmentation and encrypted traffic controls to prevent credential extraction attacks.
Sources
- FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentialshttps://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.htmlVerified
- FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromisehttps://www.sentinelone.com/blog/fortigate-edge-intrusions/Verified
- Fortinet Confirms New Zero-Day Exploitationhttps://www.securityweek.com/fortinet-confirms-new-zero-day-exploitation/Verified
- 10,000+ Fortinet Firewalls Still Exposed to 5-year Old MFA Bypass Vulnerabilityhttps://cybersecuritynews.com/fortinet-firewalls-exposed/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in FortiGate devices may have been limited by enforcing strict segmentation and identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and modify firewall policies would likely have been constrained by enforcing least-privilege access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may have been restricted by monitoring and controlling east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely have been constrained by continuous monitoring and control.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been limited by enforcing strict egress policies and monitoring outbound traffic.
The potential for further credential cracking and unauthorized access would likely have been reduced by limiting the attacker's ability to move laterally and escalate privileges.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- User Authentication Services
- Directory Services
- Remote Access Management
Estimated downtime: 3 days
Estimated loss: $50,000
Service account credentials and network topology information
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating lateral movement risks.
- • Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- • Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- • Regularly update and patch FortiGate devices to address known vulnerabilities and reduce the attack surface.
