The compromises pivot on exploiting vulnerabilities to extract device configuration files, which often contain service account credentials and detailed network topology, providing a roadmap for lateral movement.
A primary vulnerability being exploited is tracked as CVE-2025-59718. The flaw resides in the Single Sign-On (SSO) mechanism of affected Fortinet products. According to the report, the system fails to properly validate cryptographic signatures on SSO tokens. This allows an unauthenticated attacker to send a specially crafted token and gain administrative access to the firewall appliance, effectively bypassing all perimeter security.
Once inside, attackers have been observed moving swiftly. SentinelOne’s Digital Forensics & Incident Response (DFIR) team noted that the time between the initial perimeter breach and internal network compromise ranged from nearly instantaneous to two months, highlighting a varied but significant threat.
The incident response investigations revealed a critical security gap in many affected organizations: a failure to retain sufficient logs on the firewall appliances. This lack of data severely hampered efforts to determine the exact timing and method of the initial breach. Attackers frequently abuse the appliance’s deep integration with authentication services like Active Directory and LDAP to harvest credentials.
Fortinet has released patches for the affected products, and administrators are urged to update their systems immediately. Defenders should consult official Fortinet PSIRT advisories for detailed information on patched versions. According to the SentinelOne report, organizations should also focus on improving log retention for network edge devices and reviewing accounts with access to the appliances to detect potential misuse.
This string of incidents underscores the critical importance of securing network perimeter devices. Firewalls, often trusted to be the first line of defense, can become a single point of failure if not properly maintained and monitored. The ability of attackers to leverage these devices to steal authentication data highlights the need for robust internal network segmentation and vigilant monitoring for anomalous activity, even from trusted systems.
Follow Hashlytics on Bluesky, LinkedIn , Telegram and X to Get Instant Updates
