惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

IT之家
IT之家
NISL@THU
NISL@THU
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Tenable Blog
Forbes - Security
Forbes - Security
V2EX - 技术
V2EX - 技术
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
C
Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
The Last Watchdog
The Last Watchdog
PCI Perspectives
PCI Perspectives
O
OpenAI News
C
Cyber Attacks, Cyber Crime and Cyber Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
宝玉的分享
宝玉的分享
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
量子位
D
Docker
AI
AI
Blog — PlanetScale
Blog — PlanetScale
S
Security @ Cisco Blogs
S
Schneier on Security
The GitHub Blog
The GitHub Blog
W
WeLiveSecurity
云风的 BLOG
云风的 BLOG
M
MIT News - Artificial intelligence
P
Privacy International News Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog
C
Check Point Blog
A
About on SuperTechFans
D
Darknet – Hacking Tools, Hacker News & Cyber Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
I
InfoQ
T
Threat Research - Cisco Blogs
Project Zero
Project Zero
Cloudbric
Cloudbric
MongoDB | Blog
MongoDB | Blog
Cisco Talos Blog
Cisco Talos Blog
L
Lohrmann on Cybersecurity
S
Securelist

Truesec

Russian Intelligence Targets SOHO Routers - Truesec Cyber Warfare in the Iran War - Truesec Organized Cybercrime Merging with Other Crime - Truesec AI Used in Ransomware Attack The Fortibleed Campaign: Truesec's Experience Fortibleed: Truesec's Experience Supply Chain Attack Compromising Arch Linux AUR Packages with Infostealer and Rootkit - Truesec Critical Vulnerabilities in Ivanti Sentry Allows Code Execution as Root (CVE-2026-10520 & CVE-2026-10523) Typosquatting: When Your Domain Is Used Against You AI in Cybersecurity: Separating Operational Reality from Speculation Compromised @redhat-Cloud-Services Npm Packages Distribute Credential-Stealing Worm GitHub Hacks Highlights Need for Repository Security Installation of a Syslog Log Collector Critical Cisco Secure Workload Vulnerability Allows Unauthenticated Site Admin Access (CVE-2026-20223) Securing IT, OT, and IoT When the Digital Meets the Physical Russia Rolls Out Surveillance Through State-Backed “Super App” MAX Device Code Phishing via Fake File-Sharing Invitation Active Exploitation of PAN‑OS Authentication Portal RCE - Truesec Windows Client Security Baselines: When Assumptions Meet Incident Response Reality - Truesec Entra ID Password Protection: From “P@ssw0rd” to Protected GitHub Under Attack: How Small Exposures Snowball into Large‑Scale Compromises European Risks Linked to the U.S. – Iran Conflict Mythos: What It Actually Means and What It Does Not Russian Espionage Campaign Targets Home Routers How Nordic Organizations Must Adjust Their Cybersecurity to a Changing Operating Environment Critical Vulnerability in “Ninja Forms – File Upload” WordPress Plugin (CVE-2026-07409) Iranian APT Target US Critical Infrastructure Remote Access – Is VPN the Almighty Solution? Malicious Axios Packages Published to npm in New Supply Chain Compromise RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521) No Further Increase in Iranian Cyber Operations Malicious PyPI Package – LiteLLM Supply Chain Compromise Dutch Intelligence Warns of Russian Campaign Against Signal and Whatsapp Users Multiple Vulnerabilities, One Critical, in Ubiquiti UniFi Network Application
FortiNet SSO Vulnerability CVE-2025-59718 and CVE-2025-59719 Leading to Full System Compromise - Truesec
Hjalmar Desmond · 2026-06-15 · via Truesec

Earlier this year, Truesec CSIRT responded to multiple incidents related to the two FortiCloud single-sign-on (SSO) vulnerabilities from December 2025 (tracked as CVE-2025-59718 and CVE-2025-59719).  In this blog post, we share our insights into threat actors’ activities and methods for compromising an environment.

Other incident responders have already shared insights about threat actor activities within the network once a device has been compromised; for instance, SentinelOne has done a great job explaining threat actor movements within the environment. In this blog post, we will focus on the FortiGate device itself, the types of information a threat actor can extract from it, and how they use that information. In an upcoming follow up, we will discuss how you can protect your environment and which types of configurations you should avoid on your network devices.

Attack Requirements

Besides having a working exploit, the following requirements need to be met for an exploitation attempt to be successful:

  1. FortiCloud SSO must be enabled on the vulnerable device (enabled automatically when a device is registered to the FortiCare service).
  2. The management interface of the vulnerable device must be exposed to the attacker.

Typically, an attacker would launch their attack from the internet, meaning that the management interface needs to be exposed to the internet. There are a few common administrative mistakes that result in unintentional exposure of the management interface of FortiGate devices, which was also the case in the incidents Truesec CSIRT responded to.

It is worth noting that the management interface does not need to be exposed to the internet for the exploit to work; it just needs to be reachable (IP connectivity) from where the attacker launches their attack. For instance, the exploitation is possible if an attacker is already inside an environment and has IP access to the management interface of a vulnerable FortiGate firewall. For example, the attack could be launched from any previously compromised employee device or by a contractor connecting an infected device to the network, etc.

Exploitation of the Vulnerabilities

In short, to successfully exploit a vulnerable device, the attacker needs a valid account in the FortiCloud portal. This account can be created and is not related to the attacked organization. The valid account is used to generate an authenticated session. The parameters from this authenticated session are then used to generate a malicious SAML assertion, which is then relayed to the vulnerable device. The device grants administrative access even though the account used is not authorized in the attacked organization.

The account used in the attack will be stored in the firewall configuration and is found in the system administrator section. Unknown administrative accounts, which are inherited from FortiCloud are indicators of compromise (see Figure 1).

Figure 1 – System administrator accounts created after exploitation of CVE-2025-59718 and CVE-2025-59719. 

What the Investigations Showed

In one of the investigations, there were enough logs from the compromised FortiGate firewall to understand, or at least shed some light on, the attacker’s actions and modus operandi. Some of the available logs in the firewall covered approximately two weeks in time, which was enough to analyze the later parts of the attack, in other words, just the time frame prior to the ransomware deployment.

The forensic evidence gathered from the rest of the environment (mainly Windows servers) showed that a threat actor had been in the environment at least a month before the period covered by the firewall logs. Other evidence, such as firewall configuration backups, suggested that the environment had been compromised even earlier.

In these types of incidents, when perimeter protection is the suspected initial access, quickly gathering all available logs is crucial. In FortiGate devices, if logs are not collected elsewhere, traffic logs are rotated fast. However, the device allocates a certain amount of space (in its memory, in this case) for the so-called “System Event Logs”. This is a much appreciated approach, as valuable logs are retained even though other features/functions quickly fill their allocated log space.

For this type of investigation, the most interesting firewall logs are:

  • The “General Event logs,” containing administrative access, configuration changes, etc.
  • The “VPN Event logs,” containing SSL Client VPN activities such as usernames, source IP addresses, authentication, assigned IP addresses, etc.

Analyzing these logs, the first sign of malicious activity was found in the “General Event logs”, which showed a malicious administrative login, followed by the configuration file download. Both activities were sourced from a suspicious external IP address. The account used for these two activities was an account named “infrastructure_admin”. The account was not recognized by the firewall administrator. Presumably, this account had been created by the threat actor at an earlier stage of the attack.

In the “VPN Event Logs” it was seen that shortly after the configuration file download, an SSL Client VPN connection was established using a valid (existing) account. The VPN connection originated from the same public IP address seen accessing the firewall’s management interface (see Figure 2).

Figure 2 – Timeline showing threat actor activities. The initial malicious logon, configuration download, and VPN connection are highlighted.

This procedure was repeated about 1.5 hours later, using a different source IP address. A couple of hours later, that same evening, the threat actor logged in to the firewall’s management interface again and made two configuration changes. First, they added all RFC1918 networks as permitted destinations to the policy rule applied to the SSL Client VPN address pool. Before this change, the address pool was only permitted to reach a small internal subnet. After that, they first disabled the already configured source NAT for the SSL Client VPN address pool and then reenabled it, as shown in Figure 3.

Figure 3 – Timeline showing that the threat actor altered the firewall configuration. 

Based on the Microsoft Windows logs from the servers, the threat actor had tampered with the source NAT function throughout the attack. This was most likely a way for the threat actor to affect their reach within the compromised environment.

After these configuration changes and onward, the threat actor initiated aggressive network scanning, exfiltrated data, and then deployed ransomware via the Domain Controller.

Interestingly, the threat actor managed to compromise the environment and deploy ransomware solely by using information found in the firewall configuration, i.e., valid VPN accounts and a domain admin account. This highlights the importance of hardening and monitoring such devices, as they could contain data that enables a rapid compromise of the entire infrastructure after the initial compromise of a single perimeter device.

The Threat Actor Modus Operandi

The exploitation of these vulnerabilities leads to unauthorized administrative access to an affected device. This gives a malicious actor full control over the compromised device, allowing them to essentially alter the configuration as they please. They can, for instance, add users with permissions to use the SSL Client VPN, change an existing user’s password, alter policy rules, remove MFA enforcement, etc.

Evidently, a threat actor gains full administrative control over the device when exploiting these vulnerabilities, but they will likely maintain a certain level of stealth in their approach. Some configuration changes can go by unnoticed, while others might quickly raise suspicion. For example, editing an existing firewall policy rule will likely go unnoticed, but changing the password of a local account (e.g., one used for SSL Client VPN) may raise suspicions if the account owner can no longer log in, potentially alerting administrators.

From this point of view, one of the most important leverage points a threat actor has is the ability to run offline password attacks against the encrypted credentials they find in a device’s configuration. If successful, those credentials will at least grant access to the Remote Access VPN service, allowing the threat actor to hide in plain sight (unlike adding a new user or changing the password of an existing one). This is good from an attacker’s perspective, but even better for them is the high probability that the cracked credentials will be reused within the environment, enabling easy lateral movement.

Many times, offline password attacks (though highly dependent on password complexity and the encryption algorithms used) require substantial computing capacity and may take a long time to succeed. The good news about these vulnerabilities, from a defender’s perspective, is that most of the affected devices run newer FortiOS versions. More recent FortiGate OS versions use a stronger encryption method for stored local accounts than older versions. There is, at least to Truesec’s knowledge, no publicly known method to decrypt passwords encrypted in newer FortiOS versions, meaning that password attacks will most likely take a brute-force type of approach and will depend on the complexity of the stolen passwords.

But why crack the passwords the new, hard way when you can do it the old, easy way?

Earlier FortiGate OS versions used a weak encryption method for storing encrypted passwords in the configuration file. There are known methods to crack the encrypted passwords for older FortiOS versions.

The trick threat actors (most likely) use to bypass strong password encryption is to simply pour the stolen configuration (with the strong encryption methods) into a firewall running a version that supports the newer encryption method, then downgrade the firewall to an old version with the weak encryption method. The downgrade procedure solves the compatibility issue and re-encrypts the passwords using the old, unsecure version. Now, in a matter of minutes, the threat actor has the clear-text versions of the passwords stored in the configuration, regardless of the password’s complexity.

Let’s see what that looks like.

In this example, our FortiGate is running FortiOS 7.4.4 (see Figure 4). This FortiOS version uses a strong encryption method.

Figure 4 – Command line output showing the running FortiOS version. 

A stolen configuration has been applied to the device. In the configuration, there is an LDAP user for AD integration (see Figure 5).

Figure 5 – Command line output showing the AD integration account and the encrypted version of the password. 

The configuration also contains a local user account used for SSL VPN Access (see Figure 6). 

Figure 6 – Command line output showing the local account and the encrypted version of the password. 

Now, we simply downgrade the firmware to a version (7.4.1) which runs the old unsecure password encryption method, as shown in Figure 7 and Figure 8.

Figure 7 – FortiGate firmware downgrade procedure 
Figure 8 – FortiGate firmware downgrade procedure. 

Note that the firmware version downgrade procedure requires the device to be registered and licensed.

We confirm that the downgrade was successful (see Figure 9).

Figure 9 – Command line output showing the running FortiOS version. 

Reviewing the local accounts, we can see that the encrypted passwords have changed; the passwords are now easily crackable, as shown in Figure 10 and Figure 11.

Figure 10 – Command line output showing the AD integration account and the encrypted version of the password. 
Figure 11 – Command line output showing the local account and the encrypted version of the password. 

By running the encrypted version of the passwords through a password decryptor such as FortiGate Password Decrypt, the plain text versions of the passwords can be found in seconds (see Figure 12).

Figure 12 – The encrypted and decrypted versions of the password for the two accounts found in the configuration.

Conclusion

In less than five minutes, we were able to take a stolen configuration, apply it to a firewall we control, and then decrypt the password for two different accounts, one of which permits access to the SSL Client VPN service and one which lets us query the Active Directory (as the AD integration account is de facto an AD account). And who knows, if we’re lucky, the AD account is a Domain Admin too.

Many consider network devices “black boxes,” and they are often treated as inherently safe or somehow exempt from cyberattacks. It is therefore not uncommon for them to fall outside of the wider resilience strategy. As the experience with SSO vulnerabilities shows, these devices are integral to an organization’s overall security posture. If not handled carefully, compromising a network device can lead to a full domain takeover.

In the upcoming blog post, we will discuss how to secure a network device and what approach you should follow to avoid compromise. We will also discuss how to minimize the impact of a compromise if it occurs.