FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
ID: 493e25ea-149e-5bec-a9e4-48543dd21768
STIX ID: report--493e25ea-149e-5bec-a9e4-48543dd21768
Feed Name: SentinelOne Blog
Date Published: 2026-03-10
Date Updated: 2026-04-30
Author: Alex Delamotte, Stephen Bromfield, Mary Braden Murphy & Amey Patne
SentinelOne DFIR documents multiple incidents (late 2025–early 2026) in which attackers exploited FortiGate appliances—via CVE-2025-59718, CVE-2025-59719, CVE-2026-24858 and credential-based logins—to download configuration files, recover service account credentials, create backdoor administrative accounts, join rogue workstations to Active Directory, deploy abused RMM tools (Pulseway, MeshAgent), and exfiltrate NTDS.dit; the report provides IOCs (IPs, domains, URLs, account and host names), SIEM/logging recommendations, and detailed forensic guidance for defenders.
