CP
cyberpings
VulnerabilitiesHIGH

FortiGate Firewalls Targeted in High-Severity Exploit Wave

CSCyber Security News
CVE-2025-59718CVE-2025-59719CVE-2026-24858FortiGateFortinet
🎯

Basically, hackers are breaking into FortiGate firewalls to steal sensitive information.

Quick Summary

FortiGate firewalls are under attack as hackers exploit critical vulnerabilities. Organizations using these firewalls are at risk of credential theft and network breaches. Immediate patching and credential rotation are essential to mitigate these threats.

The Flaw

In early 2026, a series of intrusions targeted FortiGate? Next-Generation Firewalls (NGFW), exploiting vulnerabilities that allow unauthorized access. The attackers leveraged three critical flaws, particularly CVE-2025-59718 and CVE-2025-59719, both rated at 9.8 on the CVSS scale. These vulnerabilities stem from improper verification of cryptographic signatures, enabling attackers to send crafted SAML? tokens and gain administrative access without valid credentials.

Additionally, CVE-2026-24858, a zero-day? vulnerability, was exploited to log into FortiGate? devices using compromised FortiCloud accounts. This attack path was distinct and not merely a patch bypass, indicating a sophisticated level of exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE?-2025-59718 to its Known Exploited Vulnerabilities catalog, urging organizations to remediate by January 23, 2026.

What's at Risk

The attacks have significant implications for organizations using FortiGate? firewalls. Once inside, attackers executed commands to extract full configuration file?s, which are stored using a reversible encryption scheme. This allowed them to decrypt sensitive service account credentials, particularly for LDAP and Active Directory (AD) accounts. With these credentials, attackers could pivot into internal networks, posing a severe risk to organizational security.

The incidents reveal a pattern where attackers not only exploit high-severity vulnerabilities but also utilize lower-skill methods, such as scanning for open FortiGate? instances and attempting logins with weak credentials. This lowers the barrier for entry, making it easier for less experienced hackers to gain access.

Patch Status

Fortinet has responded to these vulnerabilities by issuing firmware? patches that address the identified flaws. Organizations are strongly encouraged to apply these patches immediately. The patches are crucial for restoring security and functionality, particularly for the Single Sign-On (SSO) feature, which was temporarily suspended due to the exploits.

Furthermore, organizations should implement a robust log retention policy, with a minimum of 14 days recommended, though 60 to 90 days is ideal. Insufficient log retention has hindered investigations, making it difficult to identify the initial access vector.

Immediate Actions

To protect against these vulnerabilities, organizations should take several immediate actions:

  • Apply all available firmware? patches for CVE?-2025-59718, CVE?-2025-59719, and CVE?-2026-24858.
  • Rotate all LDAP? and AD credentials linked to FortiGate? appliances after any suspected compromise.
  • Enforce strict administrative access controls, eliminating default or weak credentials.
  • Monitor for unauthorized local admin account creation on FortiGate? devices.
  • Regularly audit settings to restrict unauthorized workstation joins to the domain.

By taking these steps, organizations can significantly reduce their risk of falling victim to these ongoing attacks.

💡 Tap dotted terms for explanations

🔒 Pro insight: The exploitation of these vulnerabilities highlights the need for proactive patch management and robust credential policies in enterprise environments.

Original article from

Cyber Security News · Guru Baran

Read Full Article

Share

Related Pings

CRITICALVulnerabilities

Critical RRAS RCE Vulnerabilities Patched in Windows 11

Microsoft released a hotpatch for critical RRAS vulnerabilities in Windows 11. These flaws could allow hackers to execute code remotely. Users should ensure their systems are updated to protect against potential attacks.

Cyber Security News·
HIGHVulnerabilities

March Patch Tuesday Fixes 84 Vulnerabilities Across 15 Products

Microsoft's March Patch Tuesday addressed 84 vulnerabilities across various products. Eight are critical, but none affect Windows directly. Stay updated to protect your systems from potential exploits.

Sophos News·
HIGHVulnerabilities

Microsoft Issues Urgent Hotpatch for Windows 11 RCE Vulnerability

Microsoft has released a critical hotpatch for Windows 11 to fix serious vulnerabilities. Affected devices include Windows 11 Enterprise systems. This update is crucial to prevent remote code execution that could compromise sensitive data.

BleepingComputer·
CRITICALVulnerabilities

Critical Vulnerability in HPE AOS-CX Allows Password Resets

The Flaw Hewlett Packard Enterprise (HPE) has reported a critical-severity vulnerability in its Aruba Networking AOS-CX switches, tracked as CVE-2026-23813. This vulnerability has a CVSS score of 9.8, indicating its severity. It allows attackers to reset administrator passwords remotely and without any authentication, effectively bypassing existing security measures. This flaw affects various models, including the CX 4100i, CX 6000,

SecurityWeek·
HIGHVulnerabilities

Critical LangSmith Vulnerability Exposes Users to Account Takeover

A critical vulnerability in LangSmith could allow hackers to take over user accounts. This flaw affects users who rely on LangSmith for AI data monitoring. Immediate action is required to ensure security and protect sensitive information.

Cyber Security News·
HIGHVulnerabilities

Windows 11 Bug Locks Users Out of System Drive C

A critical bug in Windows 11 is locking users out of their system drives. Affected Samsung devices are unable to access essential applications. Microsoft is investigating the issue and advises users to wait for a patch.

Cyber Security News·