- SentinelOne reports FortiGate NGFW flaws exploited in early 2026
- Three critical bugs (CVE-2025-59718, -59719, -2026-24858) allowed administrator access and persistence
- Patches issued by Fortinet; Companies are urged to rotate credentials, apply strict controls and monitor lateral movement.
Earlier this year, cybercriminals were exploiting three vulnerabilities in FortiGate next-generation firewalls (NGFWs) to establish persistence and move laterally across the network. All recorded attacks were stopped before they could cause significant damage and FortiGate has since released patches to mitigate the risk.
Between December 2025 and February 2026, SentinelOne security researchers observed multiple attacks exploiting three separate vulnerabilities. The first two are tracked as CVE-2025-59718 and CVE-2025-59719 (severity score 9.8/10), and both originate from inadequate verification of cryptographic signatures. These allow unauthenticated attackers to send a crafted SAML token and thereby gain administrative access to FortiGate devices without valid credentials.
The third is tracked as CVE-2026-24858, also with a severity score of 9.8/10 (critical). It was abused as a zero-day in early 2026, allowing attackers to log into FortiGate devices using a completely different account.
Article continues below.
Responding to the news
CVE-2025-59718 was added to CISA’s catalog of known exploited vulnerabilities (KEV) in late January 2026.
In response to the reports, Fortinet first suspended FortiCloud SSO and then released a firmware patch. SentinelOne added that in addition to applying the patch, companies should take a number of steps to protect their infrastructure. That includes rotating all LDAP and AD credentials associated with FortiGate devices (especially if they are suspected of being breached), enforcing strong administrator access controls, replacing weak, default credentials for network edge devices, and monitoring for the creation of unauthorized local administrator accounts.
Finally, organizations should audit the mS-DS-MachineAccountQuota configuration to restrict unauthorized workstations from entering the domain, and should ensure that EDR telemetry from servers adjacent to the NGFW is actively monitored.
Fortinet is a fairly popular manufacturer of enterprise networking equipment and as such is often the target of cybercriminals. Firewalls are typically among the first lines of defense, so organizations are encouraged to patch diligently.
Through Cybersecurity news
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
