FortiGate VPN compromise
- Researchers observed FortiGate SSL VPN compromises that attackers used to escalate privileges inside networks.
- Feeds named the exploitation tools BlueHammer, RedSun, and UnDefend, chained to bypass endpoint defenses.
- Security analysts recommended improving VPN-tier visibility, segmentation, and controls to limit similar lateral-movement paths. (x.com)
Attackers are turning FortiGate virtual private network access into a foothold for deeper break-ins inside Windows networks. (huntress.com)

Huntress said on April 20, 2026 that it investigated a live intrusion tied to likely compromised FortiGate Secure Sockets Layer (SSL) VPN access, with the BlueHammer, RedSun, and UnDefend tools staged on victim systems. The firm also found a suspicious tunneling binary it named BeigeBurrow. (huntress.com) In that case, the attackers dropped files into user-writable folders such as Pictures and Downloads, then ran reconnaissance commands including `whoami /priv`, `cmdkey /list`, and `net group`. Huntress said the privilege-escalation tools did not appear to succeed during the incident it analyzed. (huntress.com)

A FortiGate SSL VPN appliance is the internet-facing gate many companies use for remote logins. If an attacker gets through that gate with a stolen account or an exploited device, they can start probing internal Windows machines that were never meant to face the public internet. (huntress.com)

That pattern has shown up before in Fortinet investigations. Fortinet said on April 10, 2025 that threat actors had used known FortiGate vulnerabilities to gain access, then left behind a symbolic link in the SSL VPN language-file path to keep read-only access to device files even after patches closed the original hole. (fortinet.com) Google-owned Mandiant has also documented how Fortinet compromises can become a first step rather than the end of an intrusion. In reports published in 2023 and 2024, Mandiant linked FortiOS SSL VPN exploitation to follow-on persistence in VMware environments and access to guest virtual machines. (cloud.google.com, cloud.google.com)

The three tools in the latest case are built to abuse Microsoft Defender, the antivirus built into Windows. Huntress said BlueHammer and RedSun can raise an attacker from a normal user account to SYSTEM, the highest local privilege level on a Windows machine. (huntress.com) Microsoft patched BlueHammer as CVE-2026-33825 in its April 2026 updates, but Huntress said RedSun and UnDefend were still unpatched as of April 20, 2026. That leaves defenders dealing with a chain in which the initial FortiGate access and the Windows privilege jump are separate problems that can compound each other. (huntress.com)

The immediate defensive work is concentrated at the VPN layer and the systems behind it. Huntress told organizations to review VPN logs, investigate the file paths and binaries it identified, and treat any confirmed execution of the tooling as a high-priority incident. (huntress.com) Fortinet and Mandiant have both pushed the same broader lesson in earlier cases: patch internet-facing Fortinet gear quickly, check for signs of post-exploitation persistence, and assume a compromised edge device can be a bridge to the rest of the network. The newest Huntress case shows that the bridge is still being tested. (fortinet.com, cloud.google.com, huntress.com)
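As an added illustration, not code from Huntress or from the reports cited above, the following Python triage function scores constructed Windows process-creation events for the two host-side signals the case describes: executables launched from user-writable folders such as Pictures and Downloads, and the `whoami /priv`, `cmdkey /list`, `net group` reconnaissance burst. The event field names and sample records are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon/4688-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Pictures\svc.exe", "cmdline": "svc.exe"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmdkey.exe", "cmdline": "cmdkey /list"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws02", "user": "CORP\\asmith", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"host": "ws02", "user": "CORP\\asmith", "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
]

# Folders an ordinary user can write to; covers the Pictures/Downloads staging reported in the case.
USER_WRITABLE_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(pictures|downloads|desktop|documents|appdata\\local\\temp)\\.*\.(exe|dll|bat|ps1)$",
    re.I,
)

# Recon commands from the intrusion, matched on the command line rather than the image name alone.
RECON_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}


def triage(events, min_recon=2):
    """Return {host: finding} for hosts showing staged binaries and/or a recon burst."""
    per_host = defaultdict(lambda: {"staged_binaries": [], "recon": set(), "users": set()})
    for ev in events:
        h = per_host[ev["host"]]
        h["users"].add(ev["user"])
        if USER_WRITABLE_DIR.match(ev["image"]):
            h["staged_binaries"].append(ev["image"])
        for name, pat in RECON_PATTERNS.items():
            if pat.search(ev["cmdline"]):
                h["recon"].add(name)
    findings = {}
    for host, h in per_host.items():
        staged, recon = bool(h["staged_binaries"]), len(h["recon"]) >= min_recon
        if not (staged or recon):
            continue
        # Both signals together match the reported chain: staged tooling plus privilege/credential/group recon.
        findings[host] = {"severity": "high" if staged and recon else "medium",
                          "staged_binaries": h["staged_binaries"],
                          "recon": sorted(h["recon"]), "users": sorted(h["users"])}
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

A plain `whoami` on ws02 deliberately does not fire, so the rule keys on the privilege-enumeration form the attackers actually ran.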