FortiGate Device Breach Using Known Vulnerability Gave Attackers Unrestricted Access

March 15, 2026


A group of seemingly profit-minded criminal hackers has been spotted seeking out known FortiGate vulnerabilities and exploiting them to sell ongoing access to other threat actors, in at least one case setting up a fake administrator account with full access to all zones.

Attackers increasingly turn to perimeter devices as points of entry

FortiGate Next-Generation Firewall (NGFW) appliances have recently become an increasingly popular target for hackers, due to a perception that they commonly have security weaknesses, combined with the broad range of network access these appliances tend to have. Those weaknesses include documented but unpatched vulnerabilities as well as weak or reused authentication credentials.

One particular campaign that began in November 2025 saw the attackers target unpatched vulnerabilities, then use that access to create an administrator “support” account, add new firewall policies allowing all traffic, and maintain persistent access that they could sell on. The campaign has been documented by security firm SentinelOne, which said the actor was likely an established initial access broker (IAB), given that it kept checking back in to confirm it still had access to the victim network.
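
The two configuration changes described above (a new super-admin account and an allow-all firewall policy) are exactly what a defender should be alerting on in FortiGate event logs. The following is an added example, not code from the article or from SentinelOne: it parses FortiGate-style `key=value` event lines and flags both changes. The sample log lines are constructed, the `cfgpath`/`cfgattr` layout is an assumption about how the appliance records configuration changes, and the appliance name and IP addresses are placeholders.

```python
import re

# Matches key=value pairs; values may be double-quoted (and may then contain spaces).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Attribute markers that together make a firewall policy an "allow everything" rule
# (assumed attribute naming; adjust to what your appliance actually logs).
ALLOW_ALL_MARKERS = ("srcaddr[all]", "dstaddr[all]", "service[ALL]", "action[accept]")

# Constructed sample log: a "support" super-admin is created from an external address,
# that account then adds an allow-all policy, followed by two benign events.
SAMPLE_LOG = """\
date=2025-11-12 time=03:14:07 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" action="Add" cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]vdom[root]" msg="Add system.admin support"
date=2025-11-12 time=03:15:41 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="support" ui="https(198.51.100.23)" action="Add" cfgpath="firewall.policy" cfgobj="99" cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]service[ALL]action[accept]" msg="Add firewall.policy 99"
date=2025-11-12 time=09:02:10 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="https(10.0.5.8)" action="Add" cfgpath="firewall.policy" cfgobj="100" cfgattr="srcintf[port2]dstintf[port1]srcaddr[lan]dstaddr[dmz-web]service[HTTPS]action[accept]" msg="Add firewall.policy 100"
date=2025-11-12 time=09:30:00 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.0.5.8)" action="login" status="success"
"""


def parse_fortigate_line(line):
    """Turn one key=value log line into a dict; quoted values are unquoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def audit_config_events(lines):
    """Return findings for new super-admin accounts and allow-all policies."""
    findings = []
    for line in lines:
        ev = parse_fortigate_line(line)
        # Only configuration additions are of interest here.
        if ev.get("type") != "event" or ev.get("action") != "Add":
            continue
        path, attrs = ev.get("cfgpath", ""), ev.get("cfgattr", "")
        who, where = ev.get("user"), ev.get("ui")   # who made the change, and from which UI/IP
        if path == "system.admin" and "accprofile[super_admin]" in attrs:
            findings.append({"kind": "new-super-admin", "object": ev.get("cfgobj"),
                             "by": who, "from": where})
        elif path == "firewall.policy" and all(m in attrs for m in ALLOW_ALL_MARKERS):
            findings.append({"kind": "allow-all-policy", "object": ev.get("cfgobj"),
                             "by": who, "from": where})
    return findings


if __name__ == "__main__":
    for f in audit_config_events(SAMPLE_LOG.splitlines()):
        print(f)
```

The `from` field matters as much as the change itself: an administrative session originating from an address outside the management network (here the constructed `198.51.100.23`) is the kind of context that turns a routine change event into an incident ticket.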

The second major phase of activity, in February 2026, is likely when the IAB sold the access on to another party. In this second attack the threat actor extracted the configuration file containing encrypted LDAP service account credentials, most likely decrypted them, and returned with clear-text credentials to authenticate to the victim’s environment and begin recruiting workstations via Active Directory (AD) authentication. The threat actor then began actively scanning the network, which tipped defenders off to its presence and halted its lateral movement.

FortiGate compromises likely part of broader and larger campaign

Some similar techniques deployed in other observed cases suggest this is part of a broader campaign, and one that seeks out FortiGate appliances as a port of entry but is not exclusively limited to targeting them. Another common marker among victims is a lack of adequate logging on firewalls, making it difficult to determine the exact initial point of entry and time the breach took place. However, the researchers caution that post-compromise actions in these cases sometimes vary significantly and there is not yet conclusive proof that all of these attacks are being perpetrated by the same threat actor.

Specific FortiGate vulnerabilities exploited during this campaign include CVE-2025-59718, CVE-2025-59719 and CVE-2026-24858. Patches are available for all of them, but they must be applied manually. Other defensive measures include temporarily disabling FortiCloud SSO, rotating AD/LDAP credentials, and extending log retention to as long as three months.

SentinelOne has noticed that these breaches tend to be detected and stopped as soon as the threat actors attempt lateral movement. The attackers also tend to be “noisy”, with password spraying and many failed login attempts originating from FortiGate appliance IP addresses. And though they were likely not used in this campaign, the researchers warn that lower-skilled actors buying follow-on access from IABs will probably get a boost from jailbroken LLMs going forward.
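
The "noisy" behaviour just described, many failed logins for different accounts coming from the firewall's own address, is easy to turn into a detection. The following is an added example, not code from the article or from SentinelOne: it scans simplified authentication records, groups failures by source IP, and raises an alert when one source fails against at least `min_users` distinct accounts inside a sliding time window, tagging the alert when that source is a known firewall appliance. The log format, the `FIREWALL_IPS` set and all addresses and usernames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: inside/management addresses of the FortiGate appliances (from your inventory).
FIREWALL_IPS = {"10.0.0.1"}

# Constructed sample: one authentication attempt per line, in a simplified format.
# Six different accounts fail from the firewall IP within seconds (a spray pattern);
# one user on a workstation mistypes a password twice and then succeeds (benign).
SAMPLE_AUTH_LOG = """\
2026-02-03T08:00:01 result=failure src=10.0.0.1 user=jsmith
2026-02-03T08:00:02 result=failure src=10.0.0.1 user=mlee
2026-02-03T08:00:02 result=failure src=10.0.0.1 user=akhan
2026-02-03T08:00:03 result=failure src=10.0.0.1 user=svc-backup
2026-02-03T08:00:04 result=failure src=10.0.0.1 user=rgarcia
2026-02-03T08:00:05 result=failure src=10.0.0.1 user=tnguyen
2026-02-03T08:00:06 result=success src=10.0.0.1 user=svc-ldap
2026-02-03T08:05:10 result=failure src=10.0.5.8 user=pwong
2026-02-03T08:05:20 result=failure src=10.0.5.8 user=pwong
2026-02-03T08:05:45 result=success src=10.0.5.8 user=pwong
"""


def parse_auth_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Alert on any source IP that fails against >= min_users distinct accounts within `window`."""
    failures = defaultdict(list)            # src ip -> [(timestamp, user), ...]
    for line in lines:
        rec = parse_auth_line(line)
        if rec["result"] == "failure":
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        # Slide the window start over each failure; count distinct users inside the window.
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append({"src": src, "distinct_users": len(users),
                               "window_start": t0, "from_firewall": src in FIREWALL_IPS})
                break                        # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_AUTH_LOG.splitlines()):
        print(a)
```

Counting distinct accounts rather than raw failures is what separates a spray from a single user locking themselves out, and the `from_firewall` tag exists because a perimeter appliance has no business authenticating as a dozen different domain users; the threshold and window are tuning knobs, not fixed values.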