A sustained wave of targeted intrusions is actively exploiting three critical authentication bypass vulnerabilities in Fortinet's FortiGate next-generation firewalls and associated management products. All three vulnerabilities—CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858—carry a CVSS v3.1 score of 9.8 and allow attackers to circumvent FortiCloud single sign-on (SSO) authentication by submitting malformed SAML responses or abusing cross-account authentication logic. Exploitation activity has been confirmed since at least November 2025 across healthcare, government, and managed service provider environments, and all three vulnerabilities are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Organizations that applied patches for CVE-2025-59718 and CVE-2025-59719 were not protected from the subsequent campaign; CVE-2026-24858 emerged in January 2026 as a zero-day exploiting a distinct authentication path that persists on systems patched for the earlier pair. Researchers have documented attacker access windows of as little as ten minutes between initial compromise and successful Active Directory credential theft, with a fully scripted post-exploitation chain that downloads device configuration files, decrypts stored LDAP credentials, and enrolls unauthorized workstations in the domain before deploying persistent remote access tools and Java-based malware.
The breadth of affected products—spanning FortiOS, FortiProxy, FortiWeb, FortiAnalyzer, FortiManager, and FortiSwitchManager—means organizations with comprehensive Fortinet deployments face simultaneous exposure across their network perimeter, web application gateway, and centralized management infrastructure. The combination of unauthenticated remote exploitation, credential theft, and observed Initial Access Broker (IAB) behavior patterns makes this campaign a high-priority remediation and threat hunting target for any organization running affected Fortinet products on unpatched firmware.
CVE-2025-59718, with a CVSS v3.1 score of 9.8, is an improper verification of cryptographic signature vulnerability affecting FortiOS versions 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, 7.4.0 through 7.4.8, and 7.6.0 through 7.6.3; FortiProxy versions 7.0.0 through 7.0.21, 7.2.0 through 7.2.14, 7.4.0 through 7.4.10, and 7.6.0 through 7.6.3; and FortiSwitchManager versions 7.0.0 through 7.0.5 and 7.2.0 through 7.2.6. An unauthenticated remote attacker can submit a specially crafted SAML response to bypass the FortiCloud SSO login mechanism and gain full administrative access to the device without valid credentials. Remediated releases are FortiOS 7.0.18, 7.2.12, 7.4.9, and 7.6.4 or later; FortiProxy 7.0.22, 7.2.15, 7.4.11, and 7.6.4 or later; and FortiSwitchManager 7.0.6 and 7.2.7 or later. CISA added this vulnerability to the KEV catalog on December 16, 2025.
CVE-2025-59719, with a CVSS v3.1 score of 9.8, is a related improper cryptographic signature verification flaw affecting Fortinet FortiWeb versions 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0. It similarly allows unauthenticated attackers to bypass FortiCloud SSO by submitting crafted SAML messages, targeting web application firewall deployments as a parallel entry path into organizations that may have prioritized FortiOS patching. Fixed release information for affected FortiWeb versions should be obtained directly from Fortinet's PSIRT portal at fortiguard.fortinet.com, as specific remediation builds were not universally published at time of writing.
CVE-2026-24858, with a CVSS v3.1 score of 9.8, represents a distinct zero-day authentication bypass that emerged in active exploitation in January 2026. Unlike CVE-2025-59718 and CVE-2025-59719, this vulnerability allows any attacker who possesses a valid FortiCloud account with at least one registered device to authenticate into other organizations' Fortinet devices where FortiCloud SSO is enabled—effectively enabling cross-account impersonation at scale. Affected products include FortiAnalyzer 7.0.0 through 7.0.15, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, and 7.6.0 through 7.6.5; FortiManager in the same ranges; FortiOS 7.0.0 through 7.0.18, 7.2.0 through 7.2.12, 7.4.0 through 7.4.10, and 7.6.0 through 7.6.5; FortiProxy 7.0.0 through 7.0.22, 7.2.0 through 7.2.15, 7.4.0 through 7.4.12, and 7.6.0 through 7.6.4; and FortiWeb 7.4.0 through 7.4.11, 7.6.0 through 7.6.6, and 8.0.0 through 8.0.3. Fixed releases include FortiOS 7.6.6, 7.4.11, 7.2.13, and 7.0.19; FortiManager 7.6.6, 7.4.10, 7.2.13, and 7.0.16; FortiAnalyzer 7.6.6, 7.4.10, 7.2.12, and 7.0.16; FortiProxy 7.6.6 and 7.4.13; and FortiWeb 8.0.4, 7.6.7, and 7.4.12. CISA added CVE-2026-24858 to the KEV catalog on January 27, 2026 and mandated remediation for federal agencies by January 30, 2026.
Successful exploitation of these vulnerabilities grants attackers full administrative control over FortiGate devices and, by extension, unrestricted access to the network zones those devices protect. Documented intrusions follow a consistent and highly automated post-exploitation chain: attackers download the device configuration file within minutes of initial access, decrypt LDAP service account credentials stored within it, authenticate to Active Directory using those cleartext credentials, enroll rogue workstations in the domain, and deploy persistent access through commercial remote monitoring and management tools including Pulseway and MeshAgent. In multiple confirmed incidents, this chain culminated in the exfiltration of the NTDS.dit file and SYSTEM registry hive—a complete Active Directory credential dump that provides attackers with persistent, domain-wide access capable of surviving firewall patching and enabling ransomware deployment, prolonged espionage, or resale of access through Initial Access Broker networks. The involvement of Java-based malware delivered via DLL side-loading further complicates detection and eradication.
For organizations in the healthcare, government, and managed service provider sectors documented as targets of this campaign, the compliance and legal implications are significant. Under HIPAA, unauthorized access to systems that store or transmit protected health information triggers breach notification requirements regardless of whether exfiltration of patient records is confirmed—the Active Directory credential dump alone may constitute a reportable incident under many state breach notification statutes. Government contractors and federal agencies are subject to the CISA KEV remediation mandates, and evidence of exploitation during the window of active campaign activity may require disclosure under FISMA. For MSPs, compromise of a managed FortiGate device creates potential liability to downstream clients whose environments were accessible through the breached device, amplifying the business impact well beyond the MSP's own infrastructure.
All organizations operating Fortinet products affected by CVE-2025-59718, CVE-2025-59719, or CVE-2026-24858 should treat this as a priority remediation effort given active exploitation, CISA KEV listings, and the speed of post-exploitation credential theft documented in confirmed incidents.
1. Immediately apply vendor-supplied patches to all affected FortiOS, FortiProxy, FortiSwitchManager, FortiWeb, FortiAnalyzer, and FortiManager instances, prioritizing the fixed versions for CVE-2026-24858, which represents the most recent and actively exploited variant and requires updated builds distinct from CVE-2025-59718 and CVE-2025-59719 patches.
2. Disable FortiCloud SSO on all devices where it is not operationally required; where it must remain enabled, restrict management interface access by source IP allowlist and audit all registered FortiCloud accounts for unauthorized entries.
3. Immediately audit local administrator account lists on all FortiGate devices for unauthorized accounts—particularly any accounts named "support" or "ssl-admin"—and review firewall policy tables for recently added rules that permit unrestricted traffic across network zones.
4. Conduct a targeted Active Directory investigation covering: new computer object enrollments since November 2025, changes to domain administrator or privileged group membership, authentication events from FortiGate management IP addresses, and signs of NTDS.dit access such as volume shadow copy creation or ntdsutil execution.
5. Configure a minimum 14-day log retention policy on all FortiGate devices and forward logs in real time to a SIEM or centralized log management platform; insufficient logging directly impaired incident timeline reconstruction in multiple confirmed cases and is a persistent gap that must be closed before future incidents occur.
Organizations should further consider engaging a proactive threat hunt to determine whether compromise occurred during the active exploitation window from November 2025 through the present, as attackers who established persistent access via domain-enrolled workstations or deployed RMM agents may retain access even after the firewall vulnerabilities are patched.
1898 & Co. provides comprehensive security services for organizations operating Fortinet infrastructure across critical infrastructure, healthcare, and government sectors. Our team actively tracks threat campaigns targeting network perimeter devices and can provide rapid assessment of FortiGate patch posture, firewall policy review, and evaluation of active exploitation indicators across client environments. We integrate threat intelligence from vendor advisories and government sources directly into our managed security operations workflow to ensure that campaigns of this severity receive immediate attention.
Our managed detection and response capabilities are specifically tuned to identify the post-exploitation behaviors documented in this campaign—unauthorized admin account creation, LDAP credential extraction, RMM tool deployment, and DLL side-loading activity—through real-time analysis of endpoint telemetry and network flow data. 1898 & Co. combines deep expertise in OT and IT security architecture with hands-on incident response experience across the industries most affected by this campaign, enabling us to rapidly characterize blast radius, identify affected assets, and support coordinated containment and recovery.
Clients who have not validated patch status across their Fortinet estate, who suspect exposure during the active exploitation window beginning November 2025, or who require urgent Active Directory forensic review should contact 1898 & Co. immediately. Our team can deploy remote triage capabilities on short notice and can support clients in meeting disclosure obligations and regulatory reporting requirements resulting from confirmed or suspected compromise.