Critical FortiGate NGFW Vulnerabilities Exploited in Early 2026
Between December 2025 and February 2026, attackers actively exploited three severe vulnerabilities in FortiGate Next-Generation Firewalls (NGFW), according to research from SentinelOne. These flaws enabled threat actors to gain unauthorized administrative access, establish persistence, and attempt lateral movement across enterprise networks.
The vulnerabilities—CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858—each received a critical severity rating of 9.8 out of 10, underscoring the substantial risk posed to organizations relying on FortiGate appliances for perimeter defense.
While recorded attacks were reportedly stopped before causing significant damage, the exploitation activity highlights the ongoing targeting of network edge devices by cybercriminal groups.
CVE-2025-59718 and CVE-2025-59719: SAML Authentication Bypass via Improper Signature Verification
Improper Cryptographic Signature Validation Enables Admin Access
CVE-2025-59718 and CVE-2025-59719 stem from improper verification of cryptographic signatures within FortiGate systems. These weaknesses allowed unauthenticated attackers to craft malicious SAML tokens and bypass authentication controls.
By exploiting these flaws, attackers could gain administrative access to FortiGate devices without valid credentials, effectively bypassing standard identity verification mechanisms.
CISA KEV Catalog Inclusion Signals Active Exploitation
CVE-2025-59718 was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in late January 2026. Inclusion in the KEV catalog confirms real-world exploitation and places additional urgency on remediation efforts across affected organizations.
CVE-2026-24858: Zero-Day Exploitation for Alternate Account Access
Critical Zero-Day Abuse Enables Unauthorized Logins
The third vulnerability, CVE-2026-24858, was reportedly exploited as a zero-day in early 2026. With a severity rating of 9.8/10, this flaw allowed attackers to log into FortiGate devices using an entirely different account, creating additional opportunities for persistence and privilege abuse.
Zero-day exploitation significantly increases risk exposure because attacks occur before public awareness and patch availability.
Attack Impact: Persistence and Lateral Movement Across Enterprise Networks
SentinelOne observed that attackers used these vulnerabilities to:
- Establish persistent access to FortiGate appliances
- Attempt lateral movement within enterprise environments
- Target credential access and administrative control
Firewalls function as a primary line of defense in corporate infrastructure. When compromised, they can provide adversaries with a powerful foothold at the network edge, enabling expanded access to internal systems.
Although the reported incidents were contained before causing meaningful harm, the attack techniques demonstrate how rapidly threat actors pivot once perimeter devices are breached.
Fortinet’s Response: SSO Suspension and Firmware Patches
FortiCloud SSO Suspended as Immediate Mitigation
In response to exploitation reports, Fortinet initially suspended FortiCloud Single Sign-On (SSO) services. This temporary measure helped reduce exposure while remediation efforts were underway.
Firmware Updates Released to Mitigate Risk
Fortinet subsequently issued firmware patches addressing all three critical vulnerabilities. Organizations running FortiGate NGFW appliances are strongly advised to deploy the latest firmware updates without delay.
Given the high severity ratings and confirmed exploitation activity, timely patch management is essential.
Enterprise Mitigation Recommendations for FortiGate Appliances
Beyond applying patches, SentinelOne recommended additional defensive measures to strengthen enterprise environments:
Rotate LDAP and Active Directory Credentials
Organizations should rotate all LDAP and Active Directory (AD) credentials associated with FortiGate appliances—particularly if compromise is suspected.
Enforce Strong Administrative Access Controls
Security teams should:
- Strengthen administrator authentication policies
- Remove weak or default credentials from network edge devices
- Limit privileged access to essential personnel only
Monitor for Unauthorized Local Admin Account Creation
Active monitoring should focus on detecting unauthorized local administrator account creation on FortiGate systems and adjacent infrastructure.
Audit mS-DS-MachineAccountQuota Settings
Enterprises are advised to audit and restrict mS-DS-MachineAccountQuota settings to prevent unauthorized workstations from joining the domain.
Monitor EDR Telemetry Near the Network Edge
Extended Detection and Response (EDR) telemetry from servers adjacent to FortiGate NGFW appliances should be actively monitored to detect potential lateral movement and suspicious behavior.
Why FortiGate Firewalls Are High-Value Targets for Cybercriminals
Fortinet is a widely deployed provider of enterprise networking and security solutions. Due to their strategic position at the network perimeter, FortiGate firewalls represent high-value targets.
Compromising a firewall can provide attackers with:
- Elevated administrative access
- Credential harvesting opportunities
- Persistent footholds within corporate environments
- A launchpad for lateral movement
This incident reinforces the importance of consistent patch management, strong credential hygiene, and continuous monitoring of network edge devices.