Lead Story | Critical | Enterprise · IT Ops
FortiGate Firewalls Were the Entry Point. Active Directory Was the Destination. One Organization Didn’t Find Out for Three Months.
SentinelOne’s DFIR team responded to multiple incidents where attackers exploited CVE-2025-59718 — a CVSS 9.8 FortiGate authentication bypass — extracted Active Directory credentials directly from the firewall’s own configuration file, and moved laterally across corporate networks. In the worst case documented, the breach began in November 2025 and wasn’t detected until February 2026. The CCCS issued an advisory. Patches exist. Three months is the price of delay.
The underlying vulnerabilities — CVE-2025-59718 (CVSS 9.8) and CVE-2025-59719, both critical-severity authentication bypass flaws in Fortinet’s FortiCloud SSO mechanism — allow an unauthenticated attacker to forge a cryptographically invalid SAML token that FortiGate accepts as legitimate, gaining full administrative access to the appliance without credentials. The Canadian Centre for Cyber Security issued advisory AL25-019 in December 2025; CISA added both CVEs to the Known Exploited Vulnerabilities catalog the same month. A third vulnerability, CVE-2026-24858, extending the same authentication bypass class, was confirmed under active exploitation by January 2026. Despite this, SentinelOne’s DFIR engagements in early 2026 found organizations still running unpatched FortiGate appliances exposed to the internet — and attackers who knew exactly where to look.
What made these intrusions particularly damaging wasn’t the firewall compromise itself — it was what came after. FortiGate appliances routinely store LDAP and Active Directory service account credentials in their configuration files, used to authenticate users against the corporate directory. Once attackers gained administrative access to the device, they extracted the configuration file and decrypted it. The LDAP service account credentials inside gave them authenticated access to the AD environment. From there, they enrolled rogue workstations into the domain, mapped user roles and group memberships, escalated privileges, and moved laterally across the network with the quiet authority of a service account that every domain controller trusted. In the most severe case, a new local administrator account named “support” was created on the FortiGate and used to build four new firewall policies granting unrestricted access across all network zones — a setup that went undetected from November 2025 through February 2026.
SentinelOne reports that attackers were contained before exfiltration occurred in each engagement — but the early warning signal never came from the compromised firewall. It came from endpoint telemetry, catching the lateral movement the perimeter device had quietly enabled. The firewalls generated no useful alert of their own. The affected sectors across the engagements included healthcare, government, and managed service providers: environments where a compromised AD is not just an IT incident but a regulatory and operational crisis. Patches are available for all affected Fortinet products. Disabling FortiCloud SSO on internet-facing appliances pending upgrade is the immediate mitigation for organizations that cannot patch at once.
→ Key Takeaway: Patch FortiGate now and audit your config files. If your FortiGate stores AD or LDAP service account credentials, rotate those credentials immediately — treat them as compromised if the device was internet-exposed and unpatched after December 2025. Apply fixes for CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 across FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. If patching is delayed, disable FortiCloud SSO. Review AD logs for new device enrollments, new local admin accounts, or unusual service account activity since November 2025.
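One way to run the log review the takeaway asks for, as an added example written for this issue rather than code from SentinelOne or any vendor: it walks a small constructed export of Windows Security events and flags new computer accounts, new user accounts, additions to privileged groups, and interactive logons by the directory bind account that a firewall would normally use only for lookups. The account name svc-fgt-ldap, the hostnames, addresses and timestamps are assumptions; the event IDs and logon types are the standard Windows Security log values.

```python
"""Triage exported Windows Security events for the post-FortiGate signals
listed in the takeaway: new device enrollments, new accounts, privileged
group changes, and a directory-lookup service account doing more than lookups.

Added example for this newsletter, not SentinelOne or vendor code. Event IDs
are the standard Windows Security IDs (4741 computer account created, 4720
user account created, 4728/4732 member added to a global/local security
group, 4624 successful logon). Names, hosts and times below are constructed.
"""
from datetime import datetime, timezone

WINDOW_START = datetime(2025, 11, 1, tzinfo=timezone.utc)
# Assumed: the bind account(s) held in appliance configs; fill from your audit.
APPLIANCE_SERVICE_ACCOUNTS = {"svc-fgt-ldap"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # console and RDP; a lookup account needs neither

# Constructed sample export; field names mirror the Security log's EventData.
EVENTS = [
    {"EventID": 4741, "TimeCreated": "2025-10-02T09:00:00Z",
     "SubjectUserName": "itadmin", "TargetUserName": "LAPTOP-0231$"},
    {"EventID": 4741, "TimeCreated": "2025-11-14T02:13:00Z",
     "SubjectUserName": "svc-fgt-ldap", "TargetUserName": "DESKTOP-X1F9$"},
    {"EventID": 4624, "TimeCreated": "2025-11-14T02:20:00Z", "SubjectUserName": "-",
     "TargetUserName": "svc-fgt-ldap", "LogonType": "10", "IpAddress": "10.0.0.1"},
    {"EventID": 4624, "TimeCreated": "2025-11-15T08:00:00Z", "SubjectUserName": "-",
     "TargetUserName": "svc-fgt-ldap", "LogonType": "3", "IpAddress": "10.0.0.1"},
    {"EventID": 4728, "TimeCreated": "2025-11-20T03:40:00Z",
     "SubjectUserName": "svc-fgt-ldap", "TargetUserName": "Domain Admins",
     "MemberName": "CN=helpdesk2,OU=Users,DC=corp,DC=example"},
    {"EventID": 4720, "TimeCreated": "2026-01-05T01:02:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "helpdesk2"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["TimeCreated"].replace("Z", "+00:00"))


def triage(events, window_start=WINDOW_START,
           service_accounts=APPLIANCE_SERVICE_ACCOUNTS):
    """Return (severity, rule, event) tuples for events inside the window
    that match one of the four signals. Actions performed by an appliance
    bind account are always rated high: a lookup account should never
    create objects or log on interactively."""
    hits = []
    for ev in events:
        if _ts(ev) < window_start:
            continue
        eid = ev["EventID"]
        by_svc = ev.get("SubjectUserName") in service_accounts
        if eid == 4741:
            hits.append(("high" if by_svc else "medium", "new-device-enrollment", ev))
        elif eid == 4720:
            hits.append(("high" if by_svc else "medium", "new-account", ev))
        elif eid in (4728, 4732) and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            hits.append(("high", "privileged-group-change", ev))
        elif (eid == 4624 and ev.get("TargetUserName") in service_accounts
              and ev.get("LogonType") in INTERACTIVE_LOGON_TYPES):
            hits.append(("high", "service-account-interactive-logon", ev))
    return hits


if __name__ == "__main__":
    for severity, rule, ev in triage(EVENTS):
        print(f"[{severity}] {rule}: event {ev['EventID']} at {ev['TimeCreated']} "
              f"by {ev.get('SubjectUserName')} on {ev.get('TargetUserName')}")
```

The network logon (type 3) by the bind account is deliberately left unflagged: that is what an LDAP bind from the firewall looks like on a domain controller, and alerting on it would bury the real signal. Feed real exports in by replacing EVENTS with records parsed from your SIEM or `Get-WinEvent` output, and put your own appliance accounts in APPLIANCE_SERVICE_ACCOUNTS.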
Quick Hits
01
Citrix CVE-2026-3055: Federal Agencies Must Patch by Tomorrow — and Exploitation Is Already Confirmed
CVE-2026-3055 (CVSS 9.3) is a memory corruption vulnerability in Citrix NetScaler ADC and NetScaler Gateway that surfaces specifically when the appliance is running as a SAML Identity Provider. A malformed SAML input causes the device to read beyond the bounds of allocated memory, which an unauthenticated attacker can weaponize to extract session material and authentication tokens from the appliance. CISA added CVE-2026-3055 to the KEV catalog on March 31 and set a federal patching deadline of April 2, 2026 — tomorrow. Active exploitation has been confirmed; security researchers noted active reconnaissance against NetScaler SAML endpoints weeks before CISA’s KEV addition. CISA urges all private organizations to treat the April 2 deadline as binding regardless of federal status. CISA KEV / Dataconomy →
Critical | Enterprise · Cloud+DevOps

02
Android CVE-2026-21385: A Qualcomm Zero-Day Affecting 234 Chipsets Is Under Targeted Active Exploitation — Apply the March Patch Now
CVE-2026-21385 (CVSS 7.8) is a buffer over-read in Qualcomm’s graphics component that ships in 234 chipset models — meaning the vast majority of Android devices in corporate fleets are potentially affected. Google confirmed in its March 2026 Android Security Bulletin that there are “indications that CVE-2026-21385 may be under limited, targeted exploitation” — language that historically signals nation-state or surveillance-tooling-level use. CISA added the flaw to the KEV catalog on March 3. The fix is included in the 2026-03-05 security patch level, released as part of the March 2026 Android update batch addressing 129 vulnerabilities in total. If your organization manages Android devices through an MDM solution, confirm the March 2026 patch level has been pushed and applied across the fleet. Unmanaged and BYOD Android devices are the more likely blind spot. The Hacker News →
CVE Watch
Patch of the Day
VMware Aria Operations — Unauthenticated Command Injection, Active Exploitation Confirmed
CVE-2026-22719 is a command injection vulnerability in VMware Aria Operations (formerly vRealize Operations) that allows an unauthenticated attacker to execute arbitrary commands while a support-assisted product migration is in progress. Affected versions include Aria Operations 8.x through 8.18.5 and 9.x through 9.0.1. CISA added the flaw to its KEV catalog on March 3, 2026. The federal patching deadline of March 24 has passed; organizations in the private sector that have not yet applied the fix remain exposed. Upgrade to Aria Operations 8.18.6 or 9.0.2. A shell script workaround (“aria-ops-rce-workaround.sh”) is available from Broadcom for environments that cannot patch immediately, but it does not address related CVEs in the same advisory — upgrading to the fixed version is the only complete remediation.
Vendor: Broadcom (VMware) · Affected: Aria Operations 8.x – 8.18.5, 9.x – 9.0.1 · Patched: 8.18.6 / 9.0.2 · Exploited: Confirmed (CISA KEV, Mar 3)
Compliance Tip of the Day
NIST CSF 2.0 — PR.PS — Protect: Platform Security
Your Firewall’s Config File Is a Credential Store. Treat It Like One.
PR.PS-01 requires that configurations of hardware and software are maintained, documented, and reviewed regularly to reduce attack surface. The FortiGate intrusions make this control concrete: the firewall’s configuration file contained encrypted AD service account credentials that attackers decrypted after gaining administrative access. The vulnerability that gave them that access — a SAML authentication bypass — was patched months before the intrusions occurred. PR.PS is not just about patching; it’s about knowing what your platforms store, what permissions they have, and what the blast radius looks like if they’re compromised. Action: Audit every network appliance (firewalls, VPNs, load balancers) for stored credentials. Remove AD service account credentials from appliance configurations where possible and replace with purpose-limited service accounts scoped only to directory lookups. Where credentials must remain, rotate them immediately and confirm that the account has no lateral movement capability beyond its intended function.
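The audit this Action calls for, and the configuration contents the lead story describes (the LDAP bind password, the extra "support" administrator, the any-to-any policies), as an added example that is not code from Fortinet, SentinelOne or NIST: a small parser for the CLI-style FortiOS backup format followed by three checks over the parsed tree. The configuration excerpt it reads is constructed, and every object name, address and ENC value in it is a placeholder; the baseline of expected administrators is an assumption you would replace with your own inventory.

```python
"""Audit a FortiGate configuration backup for stored directory credentials,
administrator accounts outside a known baseline, and any-to-any accept
policies. Added example; not Fortinet, SentinelOne or NIST code. The sample
config and every name, address and ENC value in it are constructed."""
import re

# Constructed FortiOS-style backup excerpt; all values are placeholders.
SAMPLE_CONFIG = """\
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=corp,DC=example"
        set password ENC PLACEHOLDER_ENCRYPTED_BLOB
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_ENCRYPTED_BLOB
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_ENCRYPTED_BLOB
    next
end
config firewall policy
    edit 1
        set name "dmz-to-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "dmz-web"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set name "tmp-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

EXPECTED_ADMINS = {"admin"}  # assumed baseline; load yours from inventory
_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string stays one token


def parse_fortios(text):
    """Parse CLI-style config into {section_path: {entry: {key: [values]}}}.
    `config` opens a section, `edit` an entry, `set` assigns, `next` closes
    the entry, `end` the section; nested blocks get a slash-joined path."""
    tree = {}
    frames = []  # one [section_path, current_entry] per open config block
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in _TOKEN.findall(raw.strip())]
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            path = (frames[-1][0] + "/" if frames else "") + " ".join(args)
            frames.append([path, None])
            tree.setdefault(path, {})
        elif not frames:
            continue
        elif verb == "edit":
            frames[-1][1] = " ".join(args)
            tree[frames[-1][0]].setdefault(frames[-1][1], {})
        elif verb == "set" and frames[-1][1] is not None and args:
            tree[frames[-1][0]][frames[-1][1]][args[0]] = args[1:]
        elif verb == "next":
            frames[-1][1] = None
        elif verb == "end":
            frames.pop()
    return tree


def _first(attrs, key, default="?"):
    return attrs.get(key, [default])[0]


def audit(tree):
    """Return (finding, object, detail) tuples for the three checks."""
    findings = []
    # 1. Directory bind credentials held on the appliance: rotate if it was exposed.
    for name, attrs in tree.get("user ldap", {}).items():
        if "password" in attrs:
            findings.append(("stored-ldap-credential", name,
                             f"bind account {_first(attrs, 'username')} on {_first(attrs, 'server')}"))
    # 2. Administrator accounts outside the baseline (the intrusions added a "support" admin).
    for name, attrs in tree.get("system admin", {}).items():
        if name not in EXPECTED_ADMINS:
            findings.append(("unexpected-admin", name, f"profile {_first(attrs, 'accprofile')}"))
    # 3. Accept policies from any interface and address to any interface and address.
    wide_open = {"srcintf": "any", "dstintf": "any", "srcaddr": "all",
                 "dstaddr": "all", "action": "accept"}
    for pid, attrs in tree.get("firewall policy", {}).items():
        if all(_first(attrs, k, "") == v for k, v in wide_open.items()):
            findings.append(("any-any-accept", pid, f"policy {_first(attrs, 'name')!r}"))
    return findings


if __name__ == "__main__":
    for kind, obj, detail in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{kind}] {obj}: {detail}")
```

Run it against a real backup by reading the file into `parse_fortios` in place of SAMPLE_CONFIG. The first finding is the inventory item PR.PS-01 wants on record: which directory account each appliance holds and against which server, so that the rotation and scope-down described above can be carried out per device rather than discovered after an incident.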
HARDENED
This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.
How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
Sources: SentinelOne DFIR (FortiGate Edge Intrusions, March 12, 2026) · Canadian Centre for Cyber Security Advisory AL25-019 (CVE-2025-59718/59719), cyber.gc.ca · CISA Advisory (CVE-2026-24858, January 28, 2026), cisa.gov · CISA KEV catalog, cisa.gov/kev · Rapid7 ETR (CVE-2025-59718/59719) · The Hacker News (FortiGate credential theft, March 2026) · Dataconomy (Citrix CVE-2026-3055 KEV, March 31, 2026) · Help Net Security (CVE-2026-3055) · The Hacker News (Android CVE-2026-21385 / Qualcomm zero-day, March 2026) · Google Android Security Bulletin March 2026 · CISA KEV (CVE-2026-21385, March 3, 2026) · The Hacker News (VMware Aria Operations CVE-2026-22719) · Broadcom VMSA-2026-0001 · NIST CSF 2.0, nist.gov/cyberframework