FortiGate Is Being Actively Looted — Two Attack Chains You Need to Know
If you're running FortiGate NGFWs and haven't patched three specific vulnerabilities from the last 90 days, you have a problem. SentinelOne documented two complete attack chains in early 2026 where threat actors got in, sat quietly, harvested credentials, and were on their way to full domain compromise before anyone noticed.
One of those intrusions started in late November 2025. It wasn't discovered until February 2026 — two months of dwell time.
The Three CVEs Driving This Wave
CVE-2025-59718 and CVE-2025-59719 (CVSS: 9.8) are both rooted in improper verification of cryptographic signatures (CWE-347). An unauthenticated attacker sends a crafted SAML token and walks in as an admin. No credentials needed. CISA flagged CVE-2025-59718 and put it in its Known Exploited Vulnerabilities catalog with a remediation deadline of January 23, 2026. If that deadline has come and gone without a patch in your environment, you're overdue.
CVE-2026-24858 is the one that should really get your attention. This emerged as a zero-day actively exploited in January 2026. The attack path: an attacker logs into your FortiGate device using *their own* FortiCloud account. Not a bypass of a prior patch — a net-new vulnerability. Fortinet's response was to temporarily suspend FortiCloud SSO on January 26 and issue firmware patches that gate the re-enablement of SSO behind the upgrade.
Beyond the CVEs, researchers also noted lower-skilled actors scanning for open FortiGate instances and attempting default credentials. The technical bar for initial access has dropped considerably.
Attack Chain 1: The Quiet IAB
In the first incident, initial access probably came in late November 2025. The attacker ran `show full-configuration` — a legitimate FortiOS admin command — and pulled the entire device config. Here's the problem: FortiOS uses a reversible encryption scheme for those config files. The attacker decrypted embedded service account credentials, specifically the `fortidcagent` Active Directory account, and had domain access without ever touching a workstation.
For two months, activity was minimal. That's consistent with an Initial Access Broker (IAB) verifying the access before selling it.
In February 2026, someone authenticated to Active Directory from IP `193.24.211[.]61` using the decrypted `fortidcagent` credentials. They abused the `mS-DS-MachineAccountQuota` attribute to join two rogue workstations — `WIN-X8WRBOSK0OF` and `WIN-YRSXLEONJY2` — to the corporate domain. Password spraying from the FortiGate appliance's IP and activity linked to SoftPerfect Network Scanner eventually triggered alerts and stopped the lateral movement.
They were close.
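The rogue-workstation step is visible in standard Windows auditing: every computer account created in the domain produces Security event 4741, and the quota abuse looks like a non-delegated account (here, the FortiGate's own AD service account) creating machines that do not fit your naming convention. The following is an added example, not SentinelOne's detection logic, that flags that pattern over a constructed export of 4741 events; the allowlist of delegated join accounts, the naming convention and the JSON field layout are assumptions, while the `fortidcagent` account, the two machine names and the source IP come from the report.

```python
"""Flag suspicious computer-account creations (Windows Security event 4741)."""
import json
import re
from collections import Counter

# Accounts that are allowed to create computer objects (assumption: the
# organisation's delegated domain-join accounts). Anything else appearing as
# the creator in a 4741 is suspicious, and a FortiGate service account doing
# it is exactly the pivot described in the first intrusion.
AUTHORIZED_JOINERS = {"svc-autopilot"}
FORTIGATE_SERVICE_ACCOUNTS = {"fortidcagent"}  # AD account named in the report
# Assumed workstation naming convention; default-style names such as
# WIN-XXXXXXXXXXX fall outside it.
NAMING_CONVENTION = re.compile(r"^(LT|WS)-[A-Z]{3}-\d{4}\$$")

# Constructed sample: one JSON object per event (4741 = computer account
# created, 4624 = logon). Machine names and source IP for the rogue joins are
# the ones SentinelOne reported; the rest is invented.
SAMPLE_EVENTS = """\
{"EventID": 4741, "SubjectUserName": "svc-autopilot", "TargetUserName": "WS-NYC-0412$", "IpAddress": "10.20.5.17"}
{"EventID": 4741, "SubjectUserName": "fortidcagent", "TargetUserName": "WIN-X8WRBOSK0OF$", "IpAddress": "193.24.211.61"}
{"EventID": 4741, "SubjectUserName": "fortidcagent", "TargetUserName": "WIN-YRSXLEONJY2$", "IpAddress": "193.24.211.61"}
{"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe", "IpAddress": "10.20.5.44"}
"""


def parse_events(text):
    """One JSON object per line -> list of dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_rogue_joins(events, authorized=AUTHORIZED_JOINERS):
    """Return a finding for every 4741 whose creator or machine name is off-policy."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4741:
            continue
        creator, machine = ev["SubjectUserName"], ev["TargetUserName"]
        reasons = []
        if creator in FORTIGATE_SERVICE_ACCOUNTS:
            reasons.append("joined by a FortiGate service account (config-decryption pivot)")
        elif creator not in authorized:
            reasons.append("joined by an account not delegated for domain join")
        if not NAMING_CONVENTION.match(machine):
            reasons.append("machine name outside naming convention")
        if reasons:
            findings.append({
                "machine": machine,
                "creator": creator,
                "source_ip": ev.get("IpAddress"),
                "reasons": reasons,
            })
    return findings


def joins_per_creator(findings):
    """Repeated joins by one flagged account: the MachineAccountQuota being spent."""
    return dict(Counter(f["creator"] for f in findings))


if __name__ == "__main__":
    hits = find_rogue_joins(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(h)
    print(joins_per_creator(hits))
```

Two things make this cheap to run continuously: 4741 is already generated by the default "Audit Computer Account Management" policy on domain controllers, and the creator allowlist is small, so anything outside it is worth a ticket even before the naming-convention check fires.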
Attack Chain 2: RMM Deployment and NTDS Extraction
The second incident moved faster. Within 10 minutes of creating a local admin account named `ssl-admin` on the compromised FortiGate, the attacker was logged into multiple internal servers using domain admin credentials recovered through the same config-file decryption trick.
Files were staged in `C:\ProgramData\USOShared`. Two RMM tools were deployed — Pulseway and MeshAgent — hosted on attacker-controlled Google Cloud Storage and AWS S3 buckets. MeshAgent was hidden by setting `SystemComponent=1` in the Windows Registry so it wouldn't appear in Programs and Features.
DLL side-loading via malicious Java-named DLLs beaconed to `ndibstersoft[.]com` and `neremedysoft[.]com`.
Then came the endgame: a Volume Shadow Copy of the primary domain controller, extraction of `NTDS.dit` and the SYSTEM registry hive using `makecab`, and exfiltration to a Cloudflare-owned IP (`172.67.196[.]232`). Local copies deleted afterward.
The entire Active Directory database was gone.
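Every step of that endgame runs through ordinary command lines on a domain controller, which is why EDR on the servers next to the firewall matters: a shadow copy request, a copy of `ntds.dit` out of the shadow volume, `makecab` packaging, a `reg save` of the SYSTEM hive, and the `SystemComponent=1` trick that hides MeshAgent. The following is an added example (not SentinelOne's or any vendor's detection content) that matches those patterns over constructed Sysmon/4688-style process-creation events and correlates the shadow-copy-to-NTDS sequence per host. Host names, the user, the event layout and the time window are assumptions; `C:\ProgramData\USOShared` is the staging directory from the report.

```python
"""Detect the NTDS extraction sequence and RMM hiding in process-creation telemetry."""
import re
from collections import defaultdict

# Constructed sample events (ts = epoch seconds). Hosts and user are invented;
# the staging path C:\ProgramData\USOShared is the one named in the report.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "DC01", "user": r"CORP\da-ops",
     "cmd": r"vssadmin.exe create shadow /for=C:"},
    {"ts": 1060, "host": "DC01", "user": r"CORP\da-ops",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\ProgramData\USOShared\ntds.dit"},
    {"ts": 1120, "host": "DC01", "user": r"CORP\da-ops",
     "cmd": r"makecab C:\ProgramData\USOShared\ntds.dit C:\ProgramData\USOShared\n.cab"},
    {"ts": 1130, "host": "DC01", "user": r"CORP\da-ops",
     "cmd": r"reg save HKLM\SYSTEM C:\ProgramData\USOShared\SYSTEM"},
    {"ts": 1400, "host": "SRV02", "user": r"CORP\da-ops",
     "cmd": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MeshAgent /v SystemComponent /t REG_DWORD /d 1 /f"},
    # Benign: makecab on something that is not the AD database.
    {"ts": 1500, "host": "WS17", "user": r"CORP\jdoe",
     "cmd": r"makecab /f C:\Temp\diag.ddf"},
]

# (rule name, severity, command-line pattern). Each one alone is noisy-ish on a
# DC; the correlation below turns the sequence into a single critical finding.
RULES = [
    ("shadow_copy_created", "medium",
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_read_from_shadow", "high",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)),
    ("ntds_packaged_with_makecab", "high",
     re.compile(r"makecab\b.*ntds\.dit", re.I)),
    ("system_hive_saved", "high",
     re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),
    ("uninstall_entry_hidden", "medium",
     re.compile(r"reg(\.exe)?\s+add\b.*\bSystemComponent\b.*\s/d\s+1\b", re.I)),
]

NTDS_FOLLOWUPS = {"ntds_read_from_shadow", "ntds_packaged_with_makecab", "system_hive_saved"}


def match_rules(events, rules=RULES):
    """Apply every rule to every command line; return one hit per (event, rule)."""
    hits = []
    for ev in events:
        for name, severity, rx in rules:
            if rx.search(ev["cmd"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": name, "severity": severity})
    return hits


def correlate_ntds_chain(hits, window=3600):
    """Per host: a shadow copy followed within `window` seconds by NTDS.dit or
    SYSTEM-hive access is escalated to one critical finding."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    chains = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        for start in (h for h in host_hits if h["rule"] == "shadow_copy_created"):
            steps = sorted({h["rule"] for h in host_hits
                            if h["rule"] in NTDS_FOLLOWUPS
                            and start["ts"] <= h["ts"] <= start["ts"] + window})
            if steps:
                chains.append({"host": host, "user": start["user"], "start": start["ts"],
                               "steps": steps, "severity": "critical"})
    return chains


if __name__ == "__main__":
    hits = match_rules(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    for c in correlate_ntds_chain(hits):
        print("CHAIN:", c)
```

The correlation is the part worth keeping: a lone `vssadmin create shadow` is backup software on a good day, and `makecab` is everywhere, but a shadow copy followed by a read of `ntds.dit` and a `reg save` of SYSTEM on the same host, by one user, inside an hour, has no legitimate explanation in most environments.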
What You Need to Do Now
Patch first. Apply Fortinet firmware addressing CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. FortiCloud SSO won't come back until you do.
Rotate credentials. Any LDAP or AD service accounts tied to FortiGate appliances — assume they're compromised. Rotate them now, before you confirm a breach.
Check your local admin accounts. Look for accounts named `support`, `ssl-admin`, or `helpdesk` on FortiGate devices. Those names showed up across both incidents.
Look at your logs. SentinelOne noted that insufficient log retention was a significant obstacle in both investigations. Keep a minimum of 14 days of FortiGate logs; 60 to 90 days is where you want to be. If you're at 7 days or less, you're flying blind in a post-incident investigation.
Lock down mS-DS-MachineAccountQuota. By default, domain users can join workstations to the domain. Restricting this attribute removes a key pivot attackers rely on once they have domain user credentials.
Monitor EDR telemetry near the firewall. You can't put an endpoint agent on the FortiGate itself. Watch the servers sitting adjacent to it — that's where the post-exploitation activity shows up first.
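The local-admin check above is easy to script across a fleet of FortiGate config exports. The following is an added example, not Fortinet code, that parses the `config system admin` block of a FortiOS configuration export (the `config` / `edit` / `set` / `next` / `end` CLI format), flags any admin not on your allowlist, and calls out the three account names seen in the two incidents. The sample config is constructed, the allowlist is an assumption, and the encrypted password values are placeholders.

```python
"""Audit admin accounts in a FortiOS configuration export."""
import re

# Constructed sample of a FortiOS config export (only the parts this audit
# needs). Password values are placeholders, not real ENC blobs.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC <placeholder>
    next
    edit "ssl-admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <placeholder>
    next
    edit "netops-ro"
        set accprofile "read_only"
        set vdom "root"
    next
end
"""

# Account names that appeared across both SentinelOne incidents.
INCIDENT_NAMES = {"support", "ssl-admin", "helpdesk"}


def parse_admins(config_text):
    """Return {admin name: {setting: value}} for the `config system admin` block."""
    admins, current, inside = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            inside = True
            continue
        if not inside:
            continue
        if line == "end":          # end of the admin block
            break
        m = re.match(r'edit "(.*)"$', line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins


def audit_admins(admins, allowlist):
    """Flag unexpected, incident-named, or unrestricted super_admin accounts."""
    findings = []
    for name, settings in admins.items():
        reasons = []
        if name in INCIDENT_NAMES:
            reasons.append("name matches an account seen in the FortiGate intrusions")
        if name not in allowlist:
            reasons.append("not on the admin allowlist")
        if settings.get("accprofile") == "super_admin" and not any(
                k.startswith("trusthost") for k in settings):
            reasons.append("super_admin without a trusted-host restriction")
        if reasons:
            findings.append({"name": name, "profile": settings.get("accprofile"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumption: these are the only admins that should exist on this device.
    for f in audit_admins(parse_admins(SAMPLE_CONFIG), {"admin", "netops-ro"}):
        print(f)
```

Run it against the last known-good export as well as the current one and diff the two result sets; an admin that exists now and did not exist at the last change-control window is the `ssl-admin` scenario, whatever it is called.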
The access broker model makes this worse than a single organized threat group. Initial access to your network may have already been sold. The patch deadline for CVE-2025-59718 was January 23. It's now March 15.
Run your asset inventory, identify your FortiGate devices, and check their firmware versions today.
*CybrPulse ingests thousands of security articles daily. This story was surfaced from our feed as a priority-high item published March 15, 2026. Source: SentinelOne via CyberSecurityNews.*