Critical Fortinet Flaws: Active Attacks Compromise Admin Accounts & Configs
Executive Summary
In May 2024, threat actors began actively exploiting multiple critical vulnerabilities in Fortinet network devices, specifically targeting admin accounts to gain unauthorized access. Once authenticated, attackers exported sensitive device configurations containing hashed credentials and other proprietary information. The exploit allows lateral movement and increases the risk of sensitive enterprise data exposure, with widespread impacts noted across sectors relying on network infrastructure security. Fortinet urged immediate mitigation after observing attacks in the wild, with rapid patch releases and threat intelligence sharing.
This incident highlights a concerning trend of attackers leveraging zero-day or freshly-disclosed vulnerabilities in widely deployed network appliances. As targeting of privileged accounts and network infrastructure rises, organizations must enhance monitoring, patch management, and segmentation strategies to prevent systemic compromise.
Why This Matters Now
Highly critical flaws in network infrastructure are being rapidly weaponized, exposing organizations to credential theft and data exfiltration risks. Unpatched devices are actively targeted, making swift remediation and improved defense for admin-level accounts urgent to prevent widespread operational and regulatory impacts.
Attack Path Analysis
Attackers exploited critical Fortinet flaws to gain initial access with admin credentials, enabling them to authenticate to devices. They escalated privileges by acquiring admin-level control, followed by potential lateral movement across network segments or devices. The attackers maintained command and control over compromised infrastructure and then exfiltrated sensitive configurations and hashed credentials. The impact was exposure of confidential network data, potentially enabling further downstream attacks.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited critical vulnerabilities in Fortinet devices to obtain admin credentials and gain access.
Related CVEs
CVE-2025-59718
CVSS 9.8An authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.1, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2 ... , 7.0.0 through ...
Fortinet FortiSwitchManager – 7.2.0 through ... , 7.0.0 through ...
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – 8.0.0, 7.6.0 through ... , 7.4.0 through ...
Exploit Status:
exploited in the wildCVE-2025-64446
CVSS 9.1A relative path traversal vulnerability in FortiWeb allows unauthenticated attackers to execute administrative commands via crafted HTTP or HTTPS requests.
Affected Products:
Fortinet FortiWeb – 8.0.0 through 8.0.1, 7.6.0 through ... 4, 7.4.0 through ... , 7.2.0 through ... 11, 7.0.0 through ... 11
Exploit Status:
exploited in the wildCVE-2025-58034
CVSS 9.8An OS command injection vulnerability in FortiWeb allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands.
Affected Products:
Fortinet FortiWeb – 7.6.0 through ... , 7.4.0 through ...
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Web Protocols
Remote Services: Remote Desktop Protocol
OS Credential Dumping
Account Discovery
Unsecured Credentials
Automated Exfiltration
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10
CISA ZTMM 2.0 – Privileged Access Management
Control ID: Identity Pillar - Identity Governance
NIS2 Directive – Access Control Policies
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure through Fortinet network infrastructure attacks targeting admin accounts, compromising encrypted traffic controls and zero trust segmentation for sensitive financial data protection.
Health Care / Life Sciences
High risk from network infrastructure attacks exploiting Fortinet flaws, threatening HIPAA compliance through compromised admin access and potential exposure of protected health information.
Government Administration
Severe vulnerability to Salt Typhoon-style attacks through compromised Fortinet devices, enabling lateral movement and exfiltration of sensitive government data and communications.
Information Technology/IT
Direct impact from Fortinet infrastructure vulnerabilities affecting multicloud visibility, threat detection capabilities, and client security services across managed IT environments.
Sources
- Critical Fortinet Flaws Under Active Attackhttps://www.darkreading.com/cyberattacks-data-breaches/critical-fortinet-flaws-under-active-attackVerified
- Two Fortinet vulnerabilities are being exploited in the wild - patch nowhttps://www.itpro.com/security/two-fortinet-vulnerabilities-are-being-exploited-in-the-wild-patch-nowVerified
- Fortinet firewalls under active attack, users urged to update nowhttps://cybernews.com/security/fortinet-fortigate-vulnerability-exploit/Verified
- Critical Fortinet SSO Flaws Under Active Attackhttps://dailyfullstack.tech/blog/critical-fortinet-sso-vulnerabilities-cve-2025-59718-59719-active-exploitationVerified
- Fortinet finally cops to critical make-me-admin bug under active exploitationhttps://www.theregister.com/2025/11/14/fortinet_active_exploit_cve_2025_64446/Verified
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerabilityhttps://www.securityweek.com/fortinet-confirms-active-exploitation-of-critical-fortiweb-vulnerability/Verified
- Stealth-patched FortiWeb vulnerability under active exploitation (CVE-2025-58034)https://www.helpnetsecurity.com/2025/11/19/fortiweb-vulnerability-cve-2025-58034/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Enforcing Zero Trust segmentation, strict east-west controls, egress policy, and anomaly detection would have constrained attacker movement and limited the scope of data exfiltration after initial compromise. Applying distributed policy enforcement and continuous visibility helps detect unauthorized activity and prevent lateral spread.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline policy enforcement would have detected anomalous authentication patterns.
Control: Zero Trust Segmentation
Mitigation: Least privilege segmentation would have constrained access elevation attempts.
Control: East-West Traffic Security
Mitigation: Lateral traversal between workloads would have been blocked or monitored.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous command paths or outbound connections would have been detected early.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exports would have triggered alerts or been blocked.
Centralized observability accelerates containment and response.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Protection
- Access Control
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive configuration files, including hashed credentials and network configurations, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust segmentation to isolate critical admin functions and prevent lateral movement.
- • Enforce strict egress filtering and outbound policy controls to block unauthorized data exfiltration.
- • Deploy continuous threat detection and anomaly monitoring to surface suspicious admin activities early.
- • Regularly update and patch network infrastructure to close exploitable vulnerabilities.
- • Centralize visibility and apply distributed enforcement to quickly detect and contain threats across environments.
