Threat actors are actively targeting Fortinet FortiGate next-generation firewalls (NGFWs) to gain initial access into enterprise networks. Recent campaigns leverage authentication bypass vulnerabilities affecting FortiCloud Single Sign-On (SSO) functionality, allowing attackers to obtain administrative access to exposed devices.
Once access is obtained, attackers are able to export the device configuration, gaining visibility into network architecture, firewall policies, and authentication integrations such as Active Directory or LDAP.
This intelligence can be used to pivot deeper into internal networks.
Organisations operating internet-accessible FortiGate appliances should review exposure and apply mitigations immediately.
Vulnerabilities Observed
The following vulnerabilities have been associated with active exploitation activity:
• CVE-2025-59718 – FortiCloud SSO authentication bypass
• CVE-2025-59719 – FortiCloud SSO authentication bypass
• CVE-2026-24858 – Additional authentication bypass affecting SSO mechanisms
These vulnerabilities may allow attackers to authenticate to the FortiGate administrative interface without valid credentials.
Observed Attack Behaviour
SOC investigations and threat-intelligence reporting indicate a consistent attack pattern:
1. Initial Access
Attackers target internet-exposed FortiGate management interfaces and exploit SSO authentication weaknesses to obtain administrative access.
2. Configuration Export
Once authenticated, attackers download the firewall configuration file.
Configuration files often contain sensitive operational information including:
• Internal network addressing and segmentation
• VPN configuration details
• Firewall policy structure
• Authentication integrations with AD, LDAP, or RADIUS
• Stored authentication secrets used for directory integration
3. Persistence
Attackers may establish persistence through configuration changes such as:
• Creating new administrator accounts
• Modifying remote management settings
• Altering firewall policies
4. Internal Reconnaissance
Using the configuration data, attackers gain insight into the internal network environment and may begin reconnaissance activities targeting directory services and internal systems.
This stage is often where suspicious behaviour is first detected.
Why Firewalls Are Being Targeted
Perimeter security appliances provide attackers with a high-value vantage point inside enterprise environments.
A compromised firewall can reveal:
• network architecture
• trust boundaries
• authentication infrastructure
• security policy design
This intelligence significantly reduces the effort required to move laterally within an organisation.
Defensive Actions Recommended
Organisations operating FortiGate appliances should take the following actions immediately.
Patch FortiGate Firmware
Ensure devices are updated to firmware versions that address the listed CVEs.
Restrict Administrative Access
Management interfaces should never be directly exposed to the public internet. Administrative access should be limited to:
• management VLANs
• bastion hosts
• secure VPN access
Disable FortiCloud SSO if Unused
If FortiCloud SSO is not required, disabling the feature reduces exposure to these vulnerabilities.
Enforce Multi-Factor Authentication
Require MFA for all firewall administrative access.
Monitor for Configuration Changes
Investigate any unexpected:
• administrator account creation
• firewall policy modifications
• authentication configuration changes
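A defender-side example, added here and not part of the original advisory, that runs the watch-list above over constructed FortiGate-style event log lines and also flags administrator logins from outside an assumed management network (10.20.0.0/24). Field names follow the key="value" event log form (cfgpath, cfgobj, cfgattr, action, ui); every value in the sample lines is invented.

```python
import ipaddress
import re
# Assumed management network: admin logins from anywhere else are flagged.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Constructed sample lines in FortiGate-style key="value" event log form; the values
# (users, addresses, object names, times) are invented for this example.
SAMPLE_LOGS = [
    'date=2025-01-10 time=02:13:07 type="event" subtype="system" user="admin" ui="GUI(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2025-01-10 time=02:14:30 type="event" subtype="system" user="admin" ui="GUI(203.0.113.45)" action="Edit" cfgpath="system.interface" cfgobj="wan1" cfgattr="allowaccess[ping https]->[ping https ssh]" msg="Edit system.interface wan1"',
    'date=2025-01-10 time=02:15:02 type="event" subtype="system" user="admin" ui="GUI(203.0.113.45)" action="Edit" cfgpath="user.ldap" cfgobj="corp-ldap" cfgattr="server[dc1.corp.example]->[dc2.corp.example]" msg="Edit user.ldap corp-ldap"',
    'date=2025-01-10 time=02:16:40 type="event" subtype="system" user="admin" ui="GUI(203.0.113.45)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny]->[accept]" msg="Edit firewall.policy 12"',
    'date=2025-01-10 time=09:00:11 type="event" subtype="system" user="admin" ui="GUI(10.20.0.5)" action="login" status="success" msg="Administrator admin logged in successfully from GUI(10.20.0.5)"',
    'date=2025-01-10 time=02:17:55 type="event" subtype="system" user="admin" ui="GUI(203.0.113.45)" action="Backup" msg="Config backup success"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_line(line):
    """Split one key=value log line into a dict; values may be quoted or bare."""
    return {k: q or b for k, q, b in KV_RE.findall(line)}

def source_ip(rec):
    """Extract the client address embedded in the ui field, e.g. GUI(203.0.113.45)."""
    m = UI_IP_RE.search(rec.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None

def classify(rec):
    """Map a record to one of the advisory's watch-list categories, or None if not of interest."""
    path, action, attr = rec.get("cfgpath", ""), rec.get("action", ""), rec.get("cfgattr", "")
    if path == "system.admin" and action == "Add":
        return "new administrator account"
    if path.startswith("firewall.policy"):
        return "firewall policy modification"
    if path.startswith("user.") or path.startswith("system.saml"):
        return "authentication configuration change"
    if path == "system.interface" and "allowaccess" in attr:
        return "remote management setting change"
    if action == "Backup":
        return "configuration export"
    ip = source_ip(rec)
    if action == "login" and ip and not any(ip in net for net in MANAGEMENT_NETS):
        return "admin login from outside management network"
    return None

def find_suspicious(lines):
    """Return (time, user, source_ip, finding) tuples for every line that needs review."""
    return [(r.get("time", "?"), r.get("user", "?"), str(source_ip(r)), label)
            for r in map(parse_line, lines) if (label := classify(r))]
```

Feed real syslog output from the firewall into find_suspicious and route the tuples to the SIEM; the sample run flags five of the six constructed lines, leaving only the login from the management network unflagged.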
Increase Network Monitoring
Security teams should watch for indicators such as:
• unusual LDAP queries
• unexpected domain authentication activity
• internal reconnaissance or scanning behaviour
Bottom Line
Firewalls are often viewed purely as defensive controls, but they are also highly privileged infrastructure components.
When compromised, they provide attackers with immediate visibility into the internal structure of an organisation's network.
Organisations should treat firewall platforms with the same security posture applied to identity systems and domain controllers: strict access controls, rapid patching, and continuous monitoring.
