Executive Summary
In early June 2024, threat actors actively exploited newly disclosed authentication bypass vulnerabilities in multiple Fortinet products, including FortiOS and FortiProxy. Attackers leveraged these flaws (notably CVE-2024-21762 and CVE-2024-23113) shortly after Fortinet's patch release, gaining unauthorized admin-level access to vulnerable devices. The intruders then extracted system configuration files, risking exposure of sensitive network data and credentials. Several organizations reported compromises and system disruptions, prompting urgent advisories from Fortinet and government agencies to patch immediately and review system integrity.
This incident underscores a dangerous trend: rapid mass exploitation of zero-day vulnerabilities in network security devices. The high-profile breach highlights mounting risks to organizations that delay critical patching and demonstrates the persistent targeting of edge appliances by sophisticated attackers.
Why This Matters Now
Immediate, widespread exploitation of recently patched network device vulnerabilities is accelerating. Organizations relying on unpatched Fortinet appliances are at ongoing risk of credential theft and lateral movement. The urgency to promptly apply security updates and strengthen network segmentation has never been higher amid increasing attacks on security infrastructure.
Attack Path Analysis
Attackers exploited critical authentication bypass vulnerabilities in Fortinet products to gain unauthorized admin access. Leveraging privileged credentials, they escalated their control within targeted cloud or hybrid environments. The threat actors moved laterally to discover and access additional systems and resources. They established outward command and control channels to manage the intrusion. Sensitive configuration files and potentially other data were exfiltrated from the environment. The attack culminated in business impact through data theft, potential disruption, or further persistence.
Kill Chain Progression
Initial Compromise
Description
Exploited unauthenticated access flaws in Fortinet devices to bypass authentication and gain initial admin access.
Related CVEs
CVE-2025-59718
CVSS 9.8An authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiOS – 7.0.0 through 7.0.16, 7.2.0 through 7.2.12
Fortinet FortiProxy – 7.0.0 through 7.0.19, 7.2.0 through 7.2.12
Fortinet FortiSwitchManager – 7.0.0 through 7.0.16, 7.2.0 through 7.2.12
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – 7.0.0 through 7.0.19, 7.2.0 through 7.2.12
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
ATT&CK techniques selected for initial mapping and will be expanded with full enrichment in later iterations.
Exploit Public-Facing Application
Modify Authentication Process
Valid Accounts
OS Credential Dumping
Ingress Tool Transfer
Unsecured Credentials
Automated Exfiltration
Account Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for All Access
Control ID: 8.3.1
NIS2 Directive – Implementation of Risk Management Measures
Control ID: Art. 21(2)a
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 8
CISA ZTMM 2.0 – Authentication, Authorization, and Auditing
Control ID: Identity Pillar: Access Management - 2.A
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Fortinet authentication bypass vulnerabilities critically threaten financial institutions' network security infrastructure, potentially exposing sensitive customer data and payment systems to unauthorized access.
Health Care / Life Sciences
Critical Fortinet flaws enable unauthorized admin access to healthcare networks, compromising patient data protection and violating HIPAA compliance requirements for secure medical information systems.
Government Administration
Authentication bypass exploits in Fortinet products pose severe risks to government networks, potentially allowing threat actors to access classified systems and steal sensitive configuration data.
Information Technology/IT
IT organizations face immediate threats from Fortinet vulnerabilities as attackers exploit authentication bypass flaws to compromise network infrastructure and steal critical system configuration files.
Sources
- Hackers exploit newly patched Fortinet auth bypass flawshttps://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws/Verified
- Fortinet discloses second authentication bypass vulnerabilityhttps://www.techtarget.com/searchsecurity/news/366619314/Fortinet-discloses-second-authentication-bypass-vulnerabilityVerified
- FortiCloud SSO Login Bypass Vulnerabilities Exploited in the Wildhttps://www.vulncheck.com/blog/forticloud-sso-login-bypassVerified
- Two Fortinet vulnerabilities are being exploited in the wild - patch nowhttps://www.itpro.com/security/two-fortinet-vulnerabilities-are-being-exploited-in-the-wild-patch-nowVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Enforcement of Zero Trust segmentation, policy-based lateral movement controls, inline threat prevention, and strict egress controls would have detected, limited, or stopped the attacker’s progress at multiple stages—from initial exploit to data theft. Continuous threat detection, microsegmentation, and egress enforcement at the cloud network fabric layer are critical to constraining modern attacks that bypass traditional authentication gateways.
Control: Inline IPS (Suricata)
Mitigation: Blocked initial exploit attempts targeting vulnerable Fortinet services.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized privilege escalation beyond segmented network boundaries.
Control: East-West Traffic Security
Mitigation: Stops or detects malicious east-west movement between workloads and network segments.
Control: Threat Detection & Anomaly Response
Mitigation: Detects and alerts on suspicious outbound connections and command channels.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized data exfiltration over outbound network paths.
Enables rapid detection and response, minimizing operational damage.
Impact at a Glance
Affected Business Functions
- Network Security
- Remote Access
- Data Protection
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive configuration files, including hashed credentials and network configurations, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy inline network-based intrusion prevention (IPS) to detect and block exploit attempts targeting critical external interfaces.
- • Enforce Zero Trust segmentation and microsegmentation to prevent lateral movement and restrict privileged access.
- • Enable rigorous east-west traffic policies and real-time anomaly detection to identify hidden threats across all cloud network paths.
- • Apply strict egress filtering and DNS/FQDN-based controls to contain data exfiltration attempts at the cloud perimeter.
- • Establish centralized, multi-cloud visibility and automated threat response to accelerate incident containment and recovery.
