
Executive Summary
As of March 10, 2026, threat actors are actively exploiting Fortinet authentication-bypass vulnerabilities to compromise FortiGate and related Fortinet infrastructure, extract service account credentials, and move laterally across victim networks. Three CVEs are central to this campaign: CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. All three are reported as exploited in the wild by NVD-linked vulnerability trackers and multiple industry sources [1][2][3]. Fortinet has released fixed builds for most affected branches. Defenders should apply updates immediately and rotate any AD/LDAP service account credentials stored in Fortinet device configurations; patching alone does not invalidate credentials that were already exported from a compromised appliance.
Overview
SentinelOne identified campaigns in which attackers exploited FortiGate NGFW appliances, using known Fortinet vulnerabilities or weak credentials, to obtain configuration files and extract Active Directory/LDAP service account secrets [1]. FortiGate stores LDAP bind passwords in the configuration in a reversibly encrypted form, so an exported configuration yields usable domain credentials. The attackers used this foothold to create rogue administrative accounts, deploy malicious policies, authenticate to domain infrastructure, and perform network reconnaissance. Follow-on activity included deployment of remote-access tools (Pulseway, MeshAgent), malware staging in cloud storage buckets, and exfiltration of NTDS.dit together with the SYSTEM registry hive (the pair needed to extract domain password hashes offline).
Affected Products and Vulnerabilities
CVE-2026-24858 (FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb)
Vulnerability type: Authentication bypass using an alternate path or channel (CWE-288). An attacker who holds a FortiCloud account with a device registered to it can reach other devices registered to FortiCloud when FortiCloud SSO login is enabled on them. Exploitation in the wild has been reported, including as a zero-day before fixed builds were available [2][3].
Affected Versions:
| Product | Affected Version Ranges |
|---|---|
| FortiOS | 7.0.0-7.0.18, 7.2.0-7.2.12, 7.4.0-7.4.10, 7.6.0-7.6.5 |
| FortiManager | 7.0.0-7.0.15, 7.2.0-7.2.11, 7.4.0-7.4.9, 7.6.0-7.6.5 |
| FortiAnalyzer | 7.0.0-7.0.15, 7.2.0-7.2.11, 7.4.0-7.4.9, 7.6.0-7.6.5 |
| FortiProxy | 7.0.0-7.0.22, 7.2.0-7.2.15, 7.4.0-7.4.12, 7.6.0-7.6.4 |
| FortiWeb | 7.4.0-7.4.11, 8.0.0-8.0.3 |
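Checking an inventory against a table like this by eye is error-prone, because a version such as 7.4.11 sits one patch above the affected range while 7.4.8 sits inside it. The following is an added example, not code from the advisory's sources or from Fortinet: it transcribes the CVE-2026-24858 ranges above into data and classifies each device. The inventory records are constructed sample data. A version whose branch does not appear in the table (for example 6.4.x) is reported as "branch not listed" rather than as safe, since the table says nothing about it.

```python
"""Flag devices whose firmware falls inside the CVE-2026-24858 affected ranges.

Ranges are transcribed from the advisory table above; the inventory below is
constructed sample data, not real devices. Version strings may carry a leading
'v' or a trailing build tag, as FortiOS reports them.
"""
import re

# Affected ranges for CVE-2026-24858, transcribed from the advisory table.
AFFECTED_24858 = {
    "FortiOS":       ["7.0.0-7.0.18", "7.2.0-7.2.12", "7.4.0-7.4.10", "7.6.0-7.6.5"],
    "FortiManager":  ["7.0.0-7.0.15", "7.2.0-7.2.11", "7.4.0-7.4.9",  "7.6.0-7.6.5"],
    "FortiAnalyzer": ["7.0.0-7.0.15", "7.2.0-7.2.11", "7.4.0-7.4.9",  "7.6.0-7.6.5"],
    "FortiProxy":    ["7.0.0-7.0.22", "7.2.0-7.2.15", "7.4.0-7.4.12", "7.6.0-7.6.4"],
    "FortiWeb":      ["7.4.0-7.4.11", "8.0.0-8.0.3"],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '7.4.8' or 'v7.4.8 build2795'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version_text):
    """Classify one device against the table.

    'affected'                -> inside a listed range; patch now
    'not in affected ranges'  -> same branch as a listed range but above it
                                 (e.g. 7.4.11 when the range tops out at 7.4.10)
    'branch not listed; ...'  -> branch absent from the table (e.g. 6.4.x);
                                 do not assume safe, check the Fortinet advisory
    'product not in ...'      -> product has no row in the table
    """
    ranges = AFFECTED_24858.get(product)
    if ranges is None:
        return "product not in CVE-2026-24858 table"
    v = parse_version(version_text)
    bounds = [tuple(parse_version(p) for p in r.split("-")) for r in ranges]
    if any(lo <= v <= hi for lo, hi in bounds):
        return "affected"
    if any(lo[:2] == v[:2] for lo, _ in bounds):
        return "not in affected ranges"
    return "branch not listed; consult Fortinet advisory"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS",            "version": "v7.4.8 build2795"},
    {"host": "fw-edge-02", "product": "FortiOS",            "version": "7.4.11"},
    {"host": "fmg-01",     "product": "FortiManager",       "version": "7.6.5"},
    {"host": "fwb-01",     "product": "FortiWeb",           "version": "8.0.4"},
    {"host": "fw-lab",     "product": "FortiOS",            "version": "6.4.15"},
    {"host": "fsm-01",     "product": "FortiSwitchManager", "version": "7.2.6"},
]


def assess_inventory(inventory):
    """Map host -> verdict for a list of {host, product, version} records."""
    return {d["host"]: assess(d["product"], d["version"]) for d in inventory}


if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Feed it the product and version strings your own inventory or FortiManager export produces; anything reported as "affected" or "branch not listed" goes on the patch list until the Fortinet advisory says otherwise.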
CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager)
Vulnerability type: Improper verification of a cryptographic signature (CWE-347) in the FortiCloud SSO login flow, allowing an unauthenticated attacker to bypass administrative authentication with crafted SAML messages. Severity rated 9.8 (critical) by multiple industry sources [5]. Actively exploited, including against honeypots [4]. Applies only when FortiCloud SSO login is enabled. Patches released December 9, 2025 [6].
CVE-2025-59719 (FortiWeb)
Same root cause and exploitation path (tampered SAML messages against FortiCloud SSO) as CVE-2025-59718, but affecting FortiWeb appliances [7][8].
Exposure and Exploitability
Attackers use these vulnerabilities to achieve the following:
- Unauthorized administrative access to Fortinet appliances.
- Export of configuration files containing LDAP/AD-linked service account credentials.
- Cleartext (unencrypted LDAP) authentication to Active Directory using service account secrets decrypted from the exported configuration [1].
- Enrollment of rogue, attacker-controlled devices into AD, enabling deeper lateral movement.
- Deployment of remote-access tools (Pulseway, MeshAgent), malware staging in cloud storage buckets, and exfiltration of NTDS.dit and SYSTEM hive files [1].
Impact
Successful exploitation results in:
- Full administrative control over Fortinet appliances.
- Credential compromise of AD service accounts.
- Ability to bypass network segmentation and security controls enforced by NGFW/UTM systems.
- High-risk follow-on attacks including domain takeover, ransomware staging, and persistent footholds via remote-access tooling.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Description |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1078 | Valid Accounts (service account abuse) |
| Lateral Movement | T1021 | Remote Services |
| Discovery | T1135 | Network Share Discovery |
| Command and Control | T1105 | Ingress Tool Transfer (malware staged in cloud storage buckets) |
| Command and Control | T1219 | Remote Access Software (Pulseway, MeshAgent) |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols (exfiltration over 443) |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Detection and Telemetry
Security teams should monitor for the following activity:
- Unexpected local administrator account creation on FortiGate appliances (e.g., the “support” account observed in this campaign) [1].
- Unauthorized policy changes enabling cross-zone traversal or modification of firewall rules.
- FortiCloud SSO authentication events from unknown or unregistered devices.
- Copies of NTDS.dit and the SYSTEM hive being created (typically via ntdsutil, volume shadow copies, or access to a backup), followed by outbound encrypted transfers over port 443 to untrusted endpoints.
- Installation or execution of Pulseway or MeshAgent on systems where those tools are not sanctioned.
- Anomalous outbound connections to cloud storage providers (S3, Azure Blob, GCS) from internal systems that do not normally communicate with those services.
NOTE: No file hashes, IP addresses, or domain-level IOCs have been published by SentinelOne or other reporting sources as of the date of this advisory. Leargas Security will issue a supplementary IOC bulletin if and when specific indicators become available. Defenders should focus on behavioral detection aligned to the ATT&CK techniques above.
Indicators of Compromise
As of March 10, 2026, no atomic IOCs (hashes, IPs, domains) have been publicly released in connection with this campaign. This section will be updated via supplementary bulletin as indicators become available.
In the interim, the following behavioral indicators should be treated as high-confidence detection opportunities:
- New local administrator accounts created on FortiGate appliances outside of approved change windows.
- FortiGate configuration file downloads or exports not correlated to approved administrative activity.
- LDAP/AD authentication attempts using service accounts tied to Fortinet device configurations from non-Fortinet source IPs.
- Pulseway or MeshAgent binaries present on endpoints where those tools are not deployed by IT operations.
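The appliance-side indicators in the two lists above (rogue admin creation, configuration export, policy changes, logins from unexpected sources) are all visible in FortiOS event logs before any endpoint tooling appears. The following is an added example, not code from SentinelOne, Fortinet or the sources cited here: it parses FortiOS key=value event records and applies those rules over a constructed sample. The field names `logdesc`, `user`, `ui`, `action`, `cfgpath`, `cfgobj` and `cfgattr` are standard FortiOS event-log fields; the exact `logdesc` wording for a configuration export, the trusted management subnet and the approved admin list are assumptions to adjust for your environment. The sample log lines are constructed and the addresses are documentation ranges.

```python
"""Behavioral detection over FortiOS event logs (constructed sample data).

Rules: new admin object outside the approved set, firewall policy changes from
outside the management subnet, admin logins from outside the management
subnet, and any configuration export (to be correlated with change tickets).
"""
import ipaddress
import re

TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]   # assumption: jump-host subnet
KNOWN_ADMINS = {"admin", "fw-ops"}                      # assumption: approved admin accounts

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')      # key=value, value may be quoted
_UI_IP = re.compile(r"\(([^)]+)\)")                     # ui="ssh(203.0.113.45)" -> address


def parse_log(line):
    """Split one FortiOS log record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def source_ip(ev):
    """Administrative session source, from srcip if present, else the ui field."""
    if "srcip" in ev:
        return ev["srcip"]
    m = _UI_IP.search(ev.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(ip):
    """True only for addresses inside the management subnet(s)."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def detect(ev):
    """Yield (rule, detail) pairs for one parsed event."""
    ip = source_ip(ev)
    desc = ev.get("logdesc", "").lower()
    path = ev.get("cfgpath", "")
    action = ev.get("action", "")
    if path.startswith("system.admin") and action == "Add" and ev.get("cfgobj") not in KNOWN_ADMINS:
        yield "new-admin-account", f"{ev.get('cfgobj')} added by {ev.get('user')} from {ip}"
    if path.startswith("firewall.policy") and action in ("Add", "Edit") and not is_trusted(ip):
        yield "policy-change-untrusted-source", f"{action} {path} {ev.get('cfgobj')} from {ip}"
    if "login" in desc and "success" in desc and not is_trusted(ip):
        yield "admin-login-untrusted-source", f"{ev.get('user')} via {ev.get('ui')}"
    if "backup" in desc or "backed up" in desc:   # assumption: wording of the export event
        yield "config-export", f"by {ev.get('user')} from {ip} (correlate with change ticket)"


def scan(lines):
    """Return [(line_number, rule, detail)] for every rule hit across the input."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule, detail in detect(parse_log(line)):
            hits.append((n, rule, detail))
    return hits


# Constructed sample: one compromise sequence plus two benign records.
SAMPLE_LOGS = [
    'date=2025-11-14 time=01:58:02 devname="FGT-EDGE-01" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" method="https" srcip=10.10.0.5 msg="Administrator admin logged in successfully from https(10.10.0.5)"',
    'date=2025-11-14 time=02:13:11 devname="FGT-EDGE-01" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 msg="Administrator admin logged in successfully from ssh(203.0.113.45)"',
    'date=2025-11-14 time=02:13:40 devname="FGT-EDGE-01" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]" msg="Add system.admin support"',
    'date=2025-11-14 time=02:15:02 devname="FGT-EDGE-01" type="event" subtype="system" level="information" vd="root" logdesc="Configuration backed up" user="support" ui="https(203.0.113.45)" msg="Configuration backed up by support"',
    'date=2025-11-14 time=02:20:19 devname="FGT-EDGE-01" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="support" ui="https(203.0.113.45)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="dstintf[dmz->dmz lan]" msg="Edit firewall.policy 12"',
    'date=2025-11-15 time=09:02:44 devname="FGT-EDGE-01" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="fw-ops" ui="https(10.10.0.7)" action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="comments[ticket CHG-1234]" msg="Edit firewall.policy 7"',
]

if __name__ == "__main__":
    for n, rule, detail in scan(SAMPLE_LOGS):
        print(f"line {n}: {rule}: {detail}")
```

The "support" account name in line 3 of the sample is the one reported in [1]; in production, treat any `system.admin` Add as the alert and the name as context only, since the next campaign will pick a different one.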
Mitigations and Patching
- Immediately update FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb to fixed builds above the affected ranges listed above. Consult the official Fortinet PSIRT advisories for the exact fixed version in each branch.
- Disable FortiCloud SSO until confirmation of patched status for CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 [6]. Operational note: Disabling FortiCloud SSO will impact centralized management authentication. Before disabling, ensure fallback local administrative credentials are documented and tested, and coordinate with operations teams to avoid management-plane lockout.
- Rotate all AD/LDAP service account credentials stored in Fortinet device configurations. This should be treated as a mandatory action regardless of patch status, because secrets already exported remain valid until rotated. Where the firmware supports it, enable FortiOS private data encryption so that stored secrets are encrypted with a device-specific key rather than the default; this makes offline recovery from a future configuration export far harder but does nothing for credentials already taken.
- Enforce multi-factor authentication for all Fortinet administrative interfaces.
- Restrict management-plane access to trusted networks only, using per-administrator trusted hosts, interface-level access controls, or out-of-band management.
- Review appliance configuration files for unauthorized modification, including rogue admin accounts, unexpected policy changes, and unauthorized VPN configurations.
- Audit FortiCloud device registrations and remove any unrecognized or unauthorized device enrollments.
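Several of the mitigations above (reviewing configuration files for rogue admins, identifying which LDAP bind accounts to rotate, confirming that FortiCloud SSO login and private data encryption are set as intended) can be checked directly against a FortiGate configuration backup. The following is an added example, not code from Fortinet or from the advisory's sources: a small parser for the FortiOS `config` / `edit` / `set` / `next` / `end` syntax plus an audit pass over the result. The sample configuration is constructed, the approved-admin list is an assumption, and the `system global` option names `admin-forticloud-sso-login` and `private-data-encryption` are the settings I understand to control those two behaviours; verify them against the CLI reference for your release before acting on the output.

```python
"""Audit a FortiGate configuration backup for the items in the mitigation list.

Constructed sample config; approved admin list and option names are assumptions.
"""
import shlex

APPROVED_ADMINS = {"admin", "fw-ops"}   # assumption: accounts IT operations actually issued


def parse_fortios_config(text):
    """Parse FortiOS config syntax into {section: {entry: {attr: value}}}.

    'config a b' opens section 'a b'; 'edit "x"' opens entry x; 'set k v...'
    stores the attribute; 'next'/'end' close entry/section. Sections with no
    'edit' (e.g. system global) keep their settings under the key '_global'.
    Nested 'config' blocks inside an 'edit' are kept as top-level sections,
    which is sufficient for this audit.
    """
    sections, stack = {}, []          # stack holds [section_name, current_entry]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            name = " ".join(tokens[1:])
            sections.setdefault(name, {})
            stack.append([name, None])
        elif kw == "edit":
            stack[-1][1] = tokens[1]
            sections[stack[-1][0]].setdefault(tokens[1], {})
        elif kw == "set":
            sec, entry = stack[-1]
            sections[sec].setdefault(entry or "_global", {})[tokens[1]] = " ".join(tokens[2:])
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return sections


def audit(sections):
    """Return [(finding_code, detail)] in a fixed order for review."""
    findings = []
    g = sections.get("system global", {}).get("_global", {})
    if g.get("admin-forticloud-sso-login") != "disable":          # assumption: option name
        findings.append(("forticloud-sso-enabled", "FortiCloud SSO login not explicitly disabled"))
    if g.get("private-data-encryption") != "enable":              # assumption: option name
        findings.append(("private-data-encryption-off", "stored secrets recoverable from an exported config"))
    for name, attrs in sections.get("system admin", {}).items():
        if name == "_global":
            continue
        if name not in APPROVED_ADMINS:
            findings.append(("unapproved-admin", f"{name} accprofile={attrs.get('accprofile')} trusthost1={attrs.get('trusthost1', 'any')}"))
        elif "trusthost1" not in attrs:
            findings.append(("admin-without-trusthost", name))
    for name, attrs in sections.get("user ldap", {}).items():
        if name == "_global":
            continue
        if attrs.get("type") == "regular" and attrs.get("username"):
            findings.append(("ldap-bind-account-rotate", f"{name}: {attrs['username']} on {attrs.get('server')}"))
        if attrs.get("secure", "disable") == "disable":
            findings.append(("ldap-cleartext-bind", f"{name}: bind is not LDAPS/STARTTLS"))
    return findings


# Constructed sample backup: one expected admin, one rogue "support" admin,
# one LDAP bind account, SSO login left on and private data encryption off.
SAMPLE_CONFIG = """
# constructed sample FortiGate backup, not a real device
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login enable
    set private-data-encryption disable
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AAAAplaceholder==
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AAAAplaceholder==
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example"
        set password ENC AAAAplaceholder==
    next
end
"""

if __name__ == "__main__":
    for code, detail in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"{code:28} {detail}")
```

The `ldap-bind-account-rotate` findings are the rotation list for the credential mitigation above: every `regular`-type LDAP entry names a domain account whose password sits in the backup. Run the audit against a backup taken before the suspected compromise window as well as the current one, and diff the two.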
Timeline
| Date | Event |
|---|---|
| November 2025 | Attackers compromise FortiGate appliance and create rogue admin account [1]. |
| December 9, 2025 | Fortinet releases patches for CVE-2025-59718 and CVE-2025-59719 [6]. |
| January 2026 | CVE-2026-24858 disclosed by Fortinet; active exploitation confirmed [9]. |
| February 2026 | Attackers extract AD service account credentials and attempt lateral movement across victim environments. |
| March 2026 | SentinelOne publishes campaign analysis detailing exploitation chain and post-compromise activity [1]. |
References
- [1] SentinelOne via The Hacker News, "FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials," March 2026. https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html
- [2] Feedly, "CVE-2026-24858 – Exploits & Severity." https://feedly.com/cve/CVE-2026-24858
- [3] NVD, "CVE-2026-24858." https://nvd.nist.gov/vuln/detail/CVE-2026-24858
- [4] CrowdSec, "CVE-2025-59718: Fortinet Auth Bypass Actively Targeted." https://www.crowdsec.net/vulntracking-report/cve-2025-59718
- [5] TechRadar, "Fortinet products hit by further security flaws." https://www.techradar.com/pro/security/fortinet-products-hit-by-further-security-flaws…
- [6] CVETodo, "CVE-2025-59718 Fortinet FortiSwitchManager, FortiProxy, FortiOS." https://cvetodo.com/cve/CVE-2025-59718
- [7] ITPro, "Two Fortinet vulnerabilities are being exploited in the wild." https://www.itpro.com/security/two-fortinet-vulnerabilities-are-being-exploited-in-the-wild…
- [8] Rescana, "CVE-2025-59718/59719: Fortinet FortiCloud SSO Authentication Bypass." https://www.rescana.com/post/cve-2025-59718-59719…
- [9] SOC Prime, "CVE-2026-24858: FortiOS SSO Zero-Day Exploited in the Wild." https://socprime.com/blog/cve-2026-24858-vulnerability/