Listen to this Post
Fortinet’s FortiGate devices are once again in the crosshairs of cybercriminals. Over the past week, attackers have launched automated campaigns targeting vulnerabilities in FortiGate firewalls, creating rogue accounts and exfiltrating sensitive firewall configuration data in mere seconds. Cybersecurity firm Arctic Wolf first reported this surge on January 15, highlighting the speed and precision of these attacks—pointing strongly to automation rather than manual intrusion.
The exploitation revolves around an unknown flaw in the devices’ single sign-on (SSO) feature. By leveraging this vulnerability, attackers can create accounts with VPN access and immediately export critical firewall configurations. Arctic Wolf notes that this latest campaign mirrors incidents from December, which followed the disclosure of a serious authentication bypass vulnerability, CVE-2025-59718, affecting Fortinet products. That flaw allowed unauthenticated attackers to bypass SSO authentication via malicious SAML messages when FortiCloud SSO features were enabled.
While Arctic Wolf hasn’t fully confirmed the exact method of access, similarities with the December campaign suggest attackers are exploiting either unpatched or partially patched systems. Reports from Fortinet customers indicate that even firewalls updated to FortiOS 7.4.10 may remain vulnerable, as the patch for CVE-2025-59718 released in FortiOS 7.4.9 did not fully neutralize the threat. Fortinet is reportedly preparing FortiOS updates—7.4.11, 7.6.6, and 8.0.0—to finally address the authentication bypass issue.
Logs from affected customers confirm that attackers created admin accounts after SSO logins originating from [email protected]
with IP 104.28.244.114, matching Arctic Wolf’s indicators of compromise from previous attacks. To mitigate immediate risk, admins are advised to temporarily disable FortiCloud SSO via System → Settings or using CLI commands:
pgsql
Copy code
config system global
set admin-forticloud-sso-login disable
end
Internet watchdog Shadowserver reports nearly 11,000 Fortinet devices remain exposed online with FortiCloud SSO enabled. CISA has also added CVE-2025-59718 to its catalog of actively exploited vulnerabilities, instructing federal agencies to patch within a week. Meanwhile, Fortinet has not responded publicly to inquiries from BleepingComputer regarding these ongoing attacks.
What Undercode Say:
The recurring FortiGate SSO exploitation highlights a critical pattern in modern firewall attacks: threat actors are increasingly targeting cloud-integrated administrative features rather than traditional network ports. FortiGate’s SSO integration with FortiCloud, while designed to streamline admin access, has inadvertently expanded the attack surface. The automation of these intrusions demonstrates a sophisticated adversary model—attacks occur within seconds, leaving little time for detection or response.
The partial patch scenario underscores a common challenge in cybersecurity: vendors may release fixes that don’t fully address the threat vector, either due to complex system dependencies or unforeseen bypass techniques. Fortinet’s staged release plan suggests the company is aware of the gap but may struggle to keep pace with attacker innovation. Organizations that rely heavily on FortiGate firewalls, particularly those in critical infrastructure, cannot wait for full patches. Temporary mitigation by disabling FortiCloud SSO is effective but may disrupt legitimate administrative workflows, creating a tension between security and operational continuity.
Shadowserver’s report of 11,000 exposed devices illustrates the scale of potential impact. Attackers could leverage these vulnerabilities not only to steal firewall configurations but also to create persistent admin backdoors, potentially moving laterally within networks or exfiltrating sensitive enterprise data. In this context, monitoring SSO logs for anomalies, enforcing multi-factor authentication, and segmenting administrative access are crucial defenses.
From a strategic perspective, this incident is a stark reminder that cloud-integrated features in network devices, while convenient, can become high-value targets. Security teams must balance automation and convenience with robust risk assessments. Moreover, the rapid re-emergence of attacks targeting previously disclosed vulnerabilities highlights the persistent gap between patch availability and effective deployment. Organizations must accelerate patch management and implement compensating controls proactively.
Fact Checker Results:
✅ Arctic Wolf confirmed automated attacks on FortiGate devices exploiting SSO vulnerabilities.
✅ Nearly 11,000 FortiGate devices with FortiCloud SSO enabled are publicly exposed, per Shadowserver.
✅ CISA added CVE-2025-59718 to actively exploited vulnerabilities, requiring urgent patching.
Prediction:
⚠️ Expect continued automated attacks on FortiGate SSO systems until Fortinet releases fully patched versions.
⚠️ Organizations that delay disabling FortiCloud SSO could see a spike in compromised admin accounts.
⚠️ Attackers may expand targeting to other cloud-integrated firewall features, making proactive monitoring and segmentation essential.
If you want, I can also create a visual diagram showing how the FortiGate SSO exploit works and how to mitigate it—this can help IT teams quickly grasp the risk and defenses. Do you want me to do that next?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
