🎯Think of FortiGate like a security guard for your data. Some bad guys found ways to trick the guard and get inside, stealing important information. Now, there are even bigger holes in the security system that need fixing fast!
What Happened
Imagine waking up to find that someone has broken into your house and taken your most valuable belongings. This is what happened with FortiGate systems, where serious security flaws allowed attackers to compromise service accounts. These vulnerabilities let hackers access sensitive configurations and abuse Active Directory (AD) credentials, leading to unauthorized deployments of Remote Monitoring and Management (RMM) tools.
The situation escalated as attackers could exfiltrate NTDS files, which contain critical information about user accounts and passwords. This breach raises alarms not just for FortiGate users but for anyone relying on these systems for secure access management. The implications are far-reaching, affecting the integrity of networks and the safety of sensitive data.
In addition to the FortiGate vulnerabilities, Fortinet has disclosed critical flaws in its FortiSandbox platform, including two rated as critical with a CVSS score of 9.1. These vulnerabilities could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication entirely, posing a serious risk to enterprise environments relying on FortiSandbox for advanced threat detection.
Why Should You Care
You might think, "This doesn’t affect me," but consider this: if you use FortiGate for your organization’s security, your accounts and data could be at risk. Imagine leaving your front door unlocked; it’s an invitation for trouble. With these vulnerabilities, attackers can easily manipulate systems, potentially leading to data breaches or unauthorized access to your sensitive information.
If your company uses FortiGate, this is a wake-up call. The stolen credentials could allow hackers to impersonate legitimate users, making it difficult to detect malicious activities. Protecting your accounts is crucial because the consequences of a breach can be devastating, from financial loss to reputational damage. Stay vigilant and proactive.
What's Being Done
FortiGate is aware of the situation and is working on patches to fix these vulnerabilities. Users are urged to take immediate action to secure their systems. Here’s what you should do right now:
- Update your FortiGate software to the latest version as soon as patches are released.
- Review your Active Directory settings to ensure no unauthorized accounts have been created.
- Monitor your network for unusual activities, especially involving service accounts.
Additionally, Fortinet has released patches for vulnerabilities in FortiSandbox, including critical OS command injection and authentication bypass flaws. Organizations are advised to prioritize patching these vulnerabilities immediately to mitigate risks.
Technical Insights
Recent investigations into the exploitation of CVE-2025-59718 have revealed that attackers utilized improper verification of cryptographic signatures to bypass Single Sign-On (SSO) logins on affected FortiGate appliances. This vulnerability allowed attackers to maintain a low-profile posture while systematically compromising additional firewalls before moving to internal network hosts. The initial access vector was traced back to administrative SSO logins using valid accounts, indicating a significant security breach that could have been avoided with better monitoring and configuration management.
The critical vulnerabilities in FortiSandbox include:
- CVE-2026-39808: An OS command injection flaw allowing unauthenticated attackers to execute arbitrary commands.
- CVE-2026-39813: A path traversal vulnerability that enables attackers to bypass authentication controls entirely.
Attack Progression
The attackers began their campaign by enumerating and discovering credentials within the internal environment. They employed tools like Mimikatz to harvest credentials and utilized common administrative tools such as PsExec and Microsoft Remote Desktop for lateral movement. This allowed them to access high-value targets, including domain controllers and servers supporting backup infrastructure. Notably, the attackers created multiple new administrative accounts on the FortiGate device, which is a strong indicator of persistence and further exploitation.
Conclusion
This investigation highlights the critical need for organizations to maintain vigilant monitoring of their network edge devices, as they often serve as initial access points for attackers. The combination of configuration changes, unauthorized account creations, and the exploitation of vulnerabilities like CVE-2025-59718 can lead to severe consequences if not addressed promptly. Organizations using FortiGate should prioritize patch management and enhance their incident response capabilities to mitigate these risks. Furthermore, with the newly disclosed vulnerabilities in FortiSandbox, it is imperative that organizations act swiftly to patch these critical flaws to protect their environments.
The recent vulnerabilities in FortiGate and FortiSandbox highlight a broader trend of security weaknesses in network management systems, necessitating a proactive approach to patch management and incident response.
