- SentinelOne Reports FortiGate NGFW Flaws Exploited in Early 2026
- Three critical bugs (CVE-2025-59718, -59719, -2026-24858) allowed administrator access and persistence
- Fortinet has released patches; companies urged to rotate credentials, enforce strict controls and monitor lateral moves
Earlier this year, cybercriminals exploited three vulnerabilities in FortiGate Next-Generation Firewalls (NGFW) to establish persistence and move laterally across the network. All recorded attacks were stopped before they could cause significant damage, and FortiGate has since released patches to mitigate the risk.
Between December 2025 and February 2026, SentinelOne security researchers observed several attacks exploiting three distinct vulnerabilities. The first two are tracked as CVE-2025-59718 and CVE-2025-59719 (severity score 9.8/10), and both are due to improper verification of cryptographic signatures. These allow unauthenticated attackers to send a crafted SAML token and thus gain administrative access to FortiGate devices without valid credentials.
The third is tracked as CVE-2026-24858, also with a severity score of 9.8/10 (critical). It was used as a zero-day in early 2026, allowing attackers to log into FortiGate devices using an entirely different account.
Article continues below
Reply to news
CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in late January 2026.
In response to these reports, Fortinet first suspended FortiCloud SSO and then released a firmware patch. SentinelOne added that in addition to applying the patch, businesses should take a number of steps to secure their infrastructure. This includes rotating all LDAP and AD credentials associated with FortiGate appliances (especially if they are suspected of having been breached), enforcing strict administrator access controls, replacing weak and default credentials for network edge devices, and monitoring the creation of unauthorized local administrator accounts.
Finally, organizations should audit mS-DS-MachineAccountQuota settings to restrict unauthorized workstations joining the domain, and should ensure that EDR telemetry from servers adjacent to the NGFW is actively monitored.
Fortinet is a rather popular manufacturer of enterprise networking equipment and, as such, is often a target for cybercriminals. Usually, firewalls are among the first lines of defense, so organizations are advised to apply patches diligently.
Via Cybersecurity News
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
