- SentinelOne reports FortiGate NGFW flaws exploited in early 2026
- Three critical bugs (CVE-2025-59718, -59719, -2026-24858) enabled admin access and persistence
- Fortinet issued patches; firms urged to rotate credentials, enforce strong controls, and monitor for lateral movement
At the start of the year, cybercriminals were exploiting three vulnerabilities in FortiGate Next-Generation Firewalls (NGFW) to establish persistence and move laterally throughout the network. All recorded attacks were stopped before they could do any meaningful harm, and FortiGate has since issued patches to mitigate the risk.
Between December 2025 and February 2026, security researchers SentinelOne observed multiple attacks leveraging three distinct vulnerabilities. The first two are tracked as CVE-2025-59718 and CVE-2025-59719 (severity score 9.8/10), and both are rooted in improper verification of cryptographic signatures. These allow unauthenticated attackers to send a crafted SAML token and thus gain administrative access to FortiGate devices without valid credentials.
The third one is tracked as CVE-2026-24858, also with a severity score of 9.8/10 (critical). It was abused as a zero-day in early 2026, allowing attackers to log into FortiGate devices using an entirely different account.
Article continues below
Responding to news
CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in late January, 2026.
In response to the reports, Fortinet first suspended FortiCloud SSO, and after that released a firmware patch. SentinelOne added that besides applying the patch, businesses should take a number of steps to secure their infrastructure. That includes rotating all LDAP and AD credentials associated with FortiGate appliances (especially if they suspect having been breached), enforcing strong admin access controls, replacing weak and default credentials for network edge devices, and monitoring for unauthorized local admin account creation.
Finally, businesses should audit mS-DS-MachineAccountQuota settings to restrict unauthorized workstations joining to the domain, and should make sure EDR telemetry from servers adjacent to the NGFW is actively monitored.
Fortinet is a rather popular maker of business network gear, and as such is often targeted by cybercriminals. Usually, firewalls are among the first lines of defense, which is why organizations are advised to patch diligently.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
