Nightmare-Eclipse Tools Exploit FortiGate VPNs in Live Attacks

Nightmare-Eclipse Tools Exploit FortiGate VPNs in Live Attacks

First seen 22 Apr 2026, 19:16 UTC CybersecuritynewsSocprime 80% similarity 74.0

Article Content

Browse articles
ThreatCluster

A recent intrusion campaign utilized the Nightmare-Eclipse privilege escalation tools, specifically BlueHammer, RedSun, and UnDefend, following unauthorized access through compromised FortiGate SSL VPN credentials. This incident marks the first confirmed deployment of these tools in a live enterprise environment, impacting organizations globally. Attackers gained access by exploiting compromised VPN sessions traced back to IP addresses in Russia, Singapore, and Switzerland. They executed reconnaissance commands and deployed a custom Go-based tunneling utility named BeigeBurrow to maintain remote access. Malicious binaries were found in user-writable folders, and various commands were executed to enumerate privileges and credentials. Security teams are advised to monitor for specific binary names and suspicious logins, and to apply patches for CVE-2026-33825, which was publicly disclosed on April 14, 2026. Immediate action is recommended to isolate affected endpoints and reset compromised credentials.

Key Points: • Nightmare-Eclipse tools exploited FortiGate SSL VPNs in a live attack. • Attackers used BlueHammer, RedSun, and UnDefend for privilege escalation. • CVE-2026-33825 was publicly disclosed on April 14, 2026, and is critical for remediation.

ThreatCluster AI

Timeline

2026-04-14
CVE-2026-33825 published
2026-04-18
First public PoC for CVE-2026-33825 released
2026-04-21
Cybersecuritynews reports on Nightmare-Eclipse attacks
2026-04-22
Socprime reports on live intrusion using Nightmare-Eclipse tools

Community

Browse all →