Two Months After Patches, FortiGate SSO Exploitation Is Still Breaking Networks

CybrPulse

CybrPulse

3 min read
Two Months After Patches, FortiGate SSO Exploitation Is Still Breaking Networks

Attackers haven't moved on from Fortinet. SentinelOne's incident responders published a new analysis of ongoing FortiGate network breaches — and the same playbook that's been running since late 2025 is still working in March 2026.

Patches exist. Organizations just aren't applying them fast enough.

What's Being Exploited

The attack chain centers on three vulnerabilities in FortiOS's Single Sign-On (SSO) implementation:

  • CVE-2025-59718 and CVE-2025-59719 — both involve improper verification of cryptographic signatures in FortiCloud SAML authentication. They affect FortiOS 7.0 through 7.6, FortiProxy, and FortiSwitchManager. Fortinet patched these, then confirmed fully patched devices were still getting hit through a related flaw.
  • CVE-2026-24858 — the one severe enough to force Fortinet to temporarily shut down FortiCloud SSO entirely on January 26. An authentication bypass via an alternate path (CWE-288) in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. CISA added it to its Known Exploited Vulnerabilities catalog on January 27, 2026.

The mechanics are straightforward: exploit SSO, and FortiOS hands over the full device configuration file. Because FortiOS uses reversible encryption for those files, embedded service account credentials come out in plaintext. From there, Active Directory is exposed.

Two Campaigns, Same Entry Point

SentinelOne documented two distinct intrusion chains from the same vulnerability series.

Incident 1 (late 2025 through February 2026): Attackers created a local admin account named "support." After extracting LDAP service account credentials from the stolen config file, they used default Active Directory settings to join two rogue workstations to the victim's domain. Then came large-scale password spraying using SoftPerfect Network Scanner and sustained network enumeration. This phase ran for weeks before detection — enabled almost entirely by inadequate log retention.

Incident 2 (January 2026): Faster and more aggressive. Attackers created an "ssl-admin" account on the compromised firewall, then moved directly to hijacking a Domain Administrator account within minutes. They deployed legitimate RMM tools — Pulseway and MeshAgent — disguised as Java updates. Payloads were hosted on Google Cloud Storage and AWS S3 to evade perimeter detection. The campaign ended with exfiltration of NTDS.dit via Volume Shadow Copy backup. That's the entire Active Directory database: every account, every password hash.

Why This Keeps Working

Poor log retention is the recurring thread. Firewall logs weren't kept long enough to reconstruct the initial compromise in either incident. Attackers know this. If edge device logs are gone within 24-48 hours, incident responders are working blind.

CybrPulse has tracked 414 Fortinet and FortiGate-related stories across our security feeds since January 1, 2026. March alone has produced 84 so far. The volume reflects sustained real-world activity — this isn't fading.

The other factor: CVE-2025-59718 and CVE-2025-59719 were patched, but CVE-2026-24858 was a separate bypass that those patches didn't address. Organizations that patched early and considered themselves covered weren't. CISA's advisory made that explicit.

What to Check Right Now

If you're running FortiOS with FortiCloud SSO enabled — or if it was enabled when these CVEs were disclosed — treat it as a potential compromise until you've checked.

Immediate steps:

  • Apply all current Fortinet patches for CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858
  • Review firewall audit logs for unexpected configuration downloads
  • Hunt for local accounts named "support" or "ssl-admin" on FortiGate devices
  • Monitor Windows Event ID 4741 on Domain Controllers for unauthorized computer account creation
  • Check computer objects for missing Service Principal Names — a reliable indicator of rogue machines joined via LDAP abuse

IOCs to add to your detection stack:

  • `ndibstersoft[.]com` — Incident 2 C2 for Java-sideloaded payloads
  • `neremedysoft[.]com` — Incident 2 C2
  • `185.156.73[.]62`, `185.242.246[.]127` — Incident 1 attack-source IPs
  • `193.24.211[.]61` — Incident 1 threat actor connection via the "support" account
  • Downloads from `fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com`

On logging: Fourteen days of retention on edge devices is a floor. Sixty to ninety days is realistic for meaningful incident response. If you're not forwarding firewall logs to a SIEM in real time, you're giving attackers a head start on cleanup.

CVE-2026-24858 has been in CISA's KEV since January 27. The organizations showing up in SentinelOne's incident reports either didn't patch, or patched the earlier SSO flaws and assumed that was enough. It wasn't. If you're running any Fortinet edge device with FortiCloud SSO, patch now and check your logs before assuming you're clean.

*Sources: SentinelOne (March 2026 incident analysis), CISA advisory CVE-2026-24858, Fortinet PSIRT advisories FG-IR-26-060 and FG-IR-25-647, NVD CVE-2025-59718.*

Read more