What sectors were targeted in these attacks?

The attacks primarily targeted healthcare, government, and managed service providers. ([sentinelone.com](https://www.sentinelone.com/blog/fortigate-edge-intrusions/?utm_source=openai))

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Q: How did the attackers use the compromised FortiGate devices?

They extracted configuration files containing service account credentials and network topology information, enabling unauthorized access to Active Directory environments and the enrollment of rogue workstations. ([sentinelone.com](https://www.sentinelone.com/blog/fortigate-edge-intrusions/?utm_source=openai))

Recent attacks on FortiGate NGFW appliances have exposed critical vulnerabilities, leading to unauthorized access in healthcare, government, and managed service provider networks. ([sentinelone.com](https://www.sentinelone.com/blog/fortigate-edge-intrusions/?utm_source=openai))

Published: March 10, 2026

Share this on:

Executive Summary

In early 2026, threat actors exploited vulnerabilities and weak credentials in FortiGate Next-Generation Firewall (NGFW) appliances to breach networks across healthcare, government, and managed service providers. By accessing these devices, attackers extracted configuration files containing service account credentials and network topology information, enabling unauthorized access to Active Directory environments and the enrollment of rogue workstations. The breaches were detected during lateral movement phases, preventing further escalation. (sentinelone.com)

This incident underscores the critical importance of securing network infrastructure devices, as their compromise can lead to significant data breaches and operational disruptions. The exploitation of such devices highlights the evolving tactics of threat actors targeting essential security appliances to gain deeper access into organizational networks. (sentinelone.com)

Why This Matters Now

The exploitation of FortiGate devices highlights the urgent need for organizations to secure network infrastructure, as attackers increasingly target security appliances to gain deeper access into networks. (sentinelone.com)

Attack Path Analysis

Attackers exploited vulnerabilities in FortiGate devices to gain unauthorized access, created new administrator accounts, and established unrestricted firewall policies. They extracted configuration files containing encrypted service account credentials, decrypted them, and authenticated to Active Directory, enrolling rogue workstations. Remote access tools and malware were deployed to exfiltrate sensitive data to external servers.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

High

Command & Control

High

Exfiltration

High

Impact

Medium

Initial Compromise

Description

Attackers exploited vulnerabilities in FortiGate devices (CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) to gain unauthorized access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-59718
CVSS 9.8
An improper verification of cryptographic signature vulnerability in Fortinet FortiOS and FortiProxy allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, 7.0.0 through 7.0.21
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-59718 https://fortiguard.fortinet.com/psirt/FG-IR-25-647 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718
CVE-2025-59719
CVSS 9.8
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Affected Products:
Fortinet FortiWeb – 8.0.0, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-59719 https://fortiguard.fortinet.com/psirt/FG-IR-25-647
CVE-2026-24858
CVSS 9.8
An authentication bypass vulnerability in multiple Fortinet products may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts if FortiCloud SSO authentication is enabled.
Affected Products:
Fortinet FortiAnalyzer – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiManager – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiOS – 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18
Fortinet FortiProxy – 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2.0 through 7.2.15, 7.0.0 through 7.0.22
Fortinet FortiWeb – 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, 7.4.0 through 7.4.11
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-24858 https://fortiguard.fortinet.com/psirt/FG-IR-26-060 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Defense Evasion

T1078

Valid Accounts

Defense Evasion

T1562.013

Disable or Modify Network Device Firewall

Lateral Movement

T1210

Exploitation of Remote Services

Defense Evasion

T1036

Masquerading

Execution

T1059.001

Command and Scripting Interpreter: PowerShell

Credential Access

T1003

OS Credential Dumping

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The exploitation of known vulnerabilities in FortiGate devices indicates a failure to apply timely security patches, violating the requirement to protect systems from known vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests deficiencies in the organization's cybersecurity policy, particularly in managing and securing network infrastructure, as required by NYDFS regulations.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights inadequate ICT risk management practices, contravening DORA's mandate for a comprehensive risk management framework to ensure operational resilience.

CISA Zero Trust Maturity Model 2.0 – Identity and Access Management

Control ID: Identity Pillar

The unauthorized creation of administrator accounts and misuse of service account credentials indicate weaknesses in identity and access management, undermining Zero Trust principles.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The exploitation of network devices and subsequent data exfiltration demonstrate insufficient cybersecurity risk management measures, as required by the NIS2 Directive.

HIPAA – Risk Analysis

Control ID: 164.308(a)(1)(ii)(A)

Given the targeting of healthcare environments, the incident reflects a failure to conduct accurate and thorough risk analyses, as mandated by HIPAA, potentially compromising protected health information.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Health Care / Life Sciences

FortiGate exploits targeting healthcare expose AD credentials, enabling lateral movement through patient systems, violating HIPAA compliance requirements and compromising critical medical infrastructure.

Government Administration

Network infrastructure compromises via FortiGate vulnerabilities expose government service accounts, enabling unauthorized access to classified systems and sensitive citizen data through credential harvesting.

Information Technology/IT

Managed service providers face multi-tenant exposure through FortiGate breaches, where compromised LDAP credentials enable attackers to pivot across client environments and deploy malware.

Computer/Network Security

Security infrastructure vendors must address FortiGate exploitation vectors including CVE-2025-59718, implementing zero trust segmentation and encrypted traffic controls to prevent credential extraction attacks.

Sources

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentialshttps://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html
Verified

FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromisehttps://www.sentinelone.com/blog/fortigate-edge-intrusions/

Verified

Fortinet Confirms New Zero-Day Exploitationhttps://www.securityweek.com/fortinet-confirms-new-zero-day-exploitation/

Verified

10,000+ Fortinet Firewalls Still Exposed to 5-year Old MFA Bypass Vulnerabilityhttps://cybersecuritynews.com/fortinet-firewalls-exposed/

Verified

Frequently Asked Questions

Attackers exploited known vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, as well as weak credentials, to gain unauthorized access to FortiGate devices. ([sentinelone.com](https://www.sentinelone.com/blog/fortigate-edge-intrusions/?utm_source=openai))

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit vulnerabilities in FortiGate devices may have been limited by enforcing strict segmentation and identity-aware policies.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges and modify firewall policies would likely have been constrained by enforcing least-privilege access controls.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement within the network may have been restricted by monitoring and controlling east-west traffic.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish and maintain command and control channels would likely have been constrained by continuous monitoring and control.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts may have been limited by enforcing strict egress policies and monitoring outbound traffic.

Impact (Mitigations)

The potential for further credential cracking and unauthorized access would likely have been reduced by limiting the attacker's ability to move laterally and escalate privileges.

Impact at a Glance

Affected Business Functions

Network Security Operations
User Authentication Services
Directory Services
Remote Access Management

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Service account credentials and network topology information

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating lateral movement risks.
• Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
• Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
• Regularly update and patch FortiGate devices to address known vulnerabilities and reduce the attack surface.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-59718

Affected Products:

Exploit Status:

References:

CVE-2025-59719

Affected Products:

Exploit Status:

References:

CVE-2026-24858

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Valid Accounts

Disable or Modify Network Device Firewall

Exploitation of Remote Services

Masquerading

Command and Scripting Interpreter: PowerShell

OS Credential Dumping

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA Zero Trust Maturity Model 2.0 – Identity and Access Management

NIS2 Directive – Cybersecurity Risk Management Measures

HIPAA – Risk Analysis

Sector Implications

Health Care / Life Sciences

Government Administration

Information Technology/IT

Computer/Network Security

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads