Threat actors exploited vulnerabilities or weak credentials in FortiGate Next-Generation Firewall (NGFW) appliances to breach victim networks. The attackers extracted configuration files containing service account credentials, created rogue administrator accounts, enrolled unauthorized workstations, deployed remote access tools and malware, and exfiltrated sensitive data such as NTDS.dit files (the Active Directory database). Targeted sectors included healthcare, government, and managed service providers.
Initial Access
Firewall Breach
confirmed
Threat actors gained initial access to FortiGate Next-Generation Firewall (NGFW) appliances by exploiting recently disclosed security vulnerabilities (e.g., CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) or by leveraging weak credentials and misconfigurations.
Defender cut points
- Patch management for known vulnerabilities
- Strong, unique passwords and multi-factor authentication for all administrative interfaces
- Regular security audits of firewall configurations
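The two post-access actions the summary describes, configuration export and rogue administrator creation, both leave configuration-change events in the firewall's own logs. The following detection routine is an added example, not part of the original report and not FortiGate's own tooling: it parses key=value event lines and flags admin-account additions, configuration backups, and management sessions from sources outside an allow-list. The field names (action, cfgpath, cfgobj, logdesc, ui, user) and the sample lines are assumptions modelled on key=value event logs and are constructed for this example.

```python
"""Flag config-change events matching the report's TTPs: rogue admin
creation and configuration export. Added example; field names and the
sample log lines below are constructed assumptions, not real device output."""
import re
import shlex
from typing import Dict, Iterable, List

# Constructed sample events: two from an untrusted source, one routine edit.
SAMPLE_LOGS = [
    'date=2026-01-10 time=03:12:44 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="svc_backup" '
    'ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" '
    'cfgobj="sys_admin2" msg="Add system.admin sys_admin2"',
    'date=2026-01-10 time=03:14:02 type="event" subtype="system" '
    'logdesc="Configuration backup" user="svc_backup" '
    'ui="https(203.0.113.7)" action="backup" msg="Backup configuration"',
    'date=2026-01-10 time=09:00:01 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" '
    'ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" '
    'cfgobj="12" msg="Edit firewall.policy 12"',
]

# Management sources an organisation considers legitimate (assumed value).
TRUSTED_ADMIN_SOURCES = {"10.0.0.5"}

# Matches the IPv4 address inside a ui field such as https(203.0.113.7).
UI_ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; quoted values keep spaces."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def source_address(ui: str) -> str:
    """Extract the client address from the ui field, or '' if absent."""
    match = UI_ADDR.search(ui)
    return match.group(1) if match else ""


def detect(lines: Iterable[str], trusted_sources: set) -> List[Dict]:
    """Return one finding per event that matches a high-risk rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        src = source_address(ev.get("ui", ""))
        reasons = []
        # Rule 1: a new administrator object was added.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            reasons.append("administrator account created: " + ev.get("cfgobj", "?"))
        # Rule 2: the running configuration was exported (credential material).
        if ev.get("action") == "backup" or "backup" in ev.get("logdesc", "").lower():
            reasons.append("configuration backup/export")
        # Rule 3: any flagged action from a source outside the allow-list.
        if reasons and src and src not in trusted_sources:
            reasons.append(f"management session from untrusted source {src}")
        if reasons:
            findings.append({
                "time": f"{ev.get('date', '')} {ev.get('time', '')}",
                "user": ev.get("user", ""),
                "source": src,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS, TRUSTED_ADMIN_SOURCES):
        print(finding["time"], finding["user"], finding["source"], "; ".join(finding["reasons"]))
```

Run against the constructed sample, the first two events are flagged (admin creation and configuration export from 203.0.113.7, which is not on the allow-list) and the routine policy edit from the trusted host is not. In practice the allow-list should mirror the trusted-host restrictions configured on the administrative interfaces themselves, so the log rule and the access control agree.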