- SentinelOne reports FortiGate NGFW flaws exploited in early 2026
- Three critical bugs (CVE-2025-59718, -59719, -2026-24858) enabled administrator access and persistence
- Fortinet issued patches; companies are encouraged to rotate credentials, enforce strong controls and monitor for lateral movement
At the start of the year, cybercriminals exploited three vulnerabilities in FortiGate Next-Generation Firewalls (NGFW) to establish persistence and move laterally through the network. All recorded attacks were stopped before they could do any meaningful damage, and FortiGate has since issued patches to mitigate the risk.
Between December 2025 and February 2026, security researchers SentinelOne observed several attacks that exploited three different vulnerabilities. The first two are tracked as CVE-2025-59718 and CVE-2025-59719 (severity score 9.8/10), and both are rooted in improper verification of cryptographic signatures. These allow unauthorized attackers to send a crafted SAML token and thereby gain administrative access to FortiGate units without valid credentials.
The third is tracked as CVE-2026-24858, also with a severity of 9.8/10 (Critical). It was abused as a zero-day in early 2026, allowing attackers to log into FortiGate units using a completely different account.
The article continues below
Reacting to news
CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in late January 2026.
In response to the reports, Fortinet first suspended FortiCloud SSO and then released a firmware patch. SentinelOne added that in addition to applying the patch, companies should take a number of steps to secure their infrastructure. It includes rotating all LDAP and AD credentials associated with FortiGate appliances (especially if they are suspected of being breached), enforcing strong administrator access controls, replacing weak and default credentials for network edge devices, and monitoring unauthorized local administrator account creation.
Finally, enterprises should revise mS-DS-MachineAccountQuota settings to limit unauthorized workstations joining the domain and should ensure that EDR telemetry from servers adjacent to the NGFW is actively monitored.
Fortinet is a fairly popular manufacturer of business networking equipment and as such is often targeted by cybercriminals. Typically, firewalls are among the first lines of defense, which is why organizations are advised to patch diligently.
Via Cyber Security News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
