
Fortinet Firewalls Hacked: Critical Configs Stolen

Summary

– Fortinet FortiGate firewalls are under automated attack, with hackers exploiting a vulnerability to create rogue VPN accounts and steal configuration data.
– The attacks exploit a critical SSO authentication bypass flaw (CVE-2025-59718), potentially via a patch bypass, and are similar to a campaign observed in December 2025.
– Fortinet’s latest firmware version (7.4.10) does not fully address the flaw, and the company is preparing new updates to completely fix it.
– As a temporary mitigation, administrators are advised to disable the “Allow administrative login using FortiCloud SSO” feature on their devices.
– The vulnerability is being actively exploited, with U.S. agencies ordered to patch it and nearly 11,000 vulnerable devices currently exposed online.

A concerning automated campaign is actively targeting Fortinet FortiGate firewalls, creating unauthorized administrator accounts and stealing critical configuration data. Cybersecurity researchers at Arctic Wolf report that the attacks began on January 15th, with threat actors exploiting an unknown vulnerability in the devices’ single sign-on (SSO) functionality. This exploitation allows attackers to swiftly create VPN-accessible accounts and export sensitive firewall configurations, a process completed in mere seconds and indicative of highly automated malicious activity.

The ongoing attacks bear a striking resemblance to a campaign documented in December 2024, which followed the disclosure of a critical authentication bypass flaw tracked as CVE-2025-59718. This vulnerability enables unauthenticated attackers to circumvent SSO authentication on vulnerable FortiGate firewalls by sending maliciously crafted SAML messages, but only when FortiCloud SSO features are active. While the exact initial access method in the new wave remains unconfirmed, the parallels are significant. Arctic Wolf has noted it is unclear whether the existing patch for CVE-2025-59718 and the related CVE-2025-59719 fully mitigates this latest threat activity.

These findings come amid a surge of reports from Fortinet customers who believe attackers are exploiting a patch bypass for the CVE-2025-59718 vulnerability, successfully compromising firewalls that were supposedly already secured. According to affected administrators, Fortinet has internally acknowledged that the most recent FortiOS version, 7.4.10, does not completely resolve the authentication bypass issue. This flaw was intended to be patched in early December with the release of FortiOS 7.4.9. In response, Fortinet is reportedly preparing to release new versions, FortiOS 7.4.11, 7.6.6, and 8.0.0, in the near future to comprehensively address the security shortcoming.

Evidence from compromised systems shows a consistent pattern. Logs shared by customers reveal attackers creating admin-level users following an SSO login from the suspicious identity `cloud-init@mail.io`, originating from the IP address 104.28.244.114. This indicator matches compromise data collected by Arctic Wolf during its analysis of both the current attacks and the exploitation observed in December.
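As an added example (not code from the article, Arctic Wolf or Fortinet), the following Python check applies the pattern just described to constructed FortiGate-style key=value log lines: a successful SSO administrator login from the reported identity or source IP, followed within minutes by the same user creating a `system.admin` object. The field names (`action`, `status`, `method`, `cfgpath`, `cfgobj`) and the sample lines are assumptions for illustration, not captured device output.

```python
import re
from datetime import datetime, timedelta

# Indicators reported in the article: the SSO identity and source IP seen in victim logs.
SUSPECT_USER = "cloud-init@mail.io"
SUSPECT_IP = "104.28.244.114"
WINDOW = timedelta(minutes=5)  # SSO login -> admin creation happened within seconds

# Constructed sample lines in FortiGate-style key=value syntax (field names are assumptions).
SAMPLE_LOGS = """\
date=2026-01-15 time=03:14:01 type="event" subtype="system" action="login" status="success" user="cloud-init@mail.io" srcip=104.28.244.114 method="sso" msg="Administrator cloud-init@mail.io logged in successfully"
date=2026-01-15 time=03:14:03 type="event" subtype="system" action="Add" user="cloud-init@mail.io" srcip=104.28.244.114 cfgpath="system.admin" cfgobj="vpnsvc" msg="Add system.admin vpnsvc"
date=2026-01-15 time=03:14:05 type="event" subtype="system" action="Add" user="cloud-init@mail.io" srcip=104.28.244.114 cfgpath="vpn.ssl.settings" msg="Add vpn.ssl.settings"
date=2026-01-15 time=09:00:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.0.5 method="https" msg="Administrator admin logged in successfully"
date=2026-01-15 time=09:02:00 type="event" subtype="system" action="Add" user="admin" srcip=10.0.0.5 cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
"""

def parse_kv(line):
    """Split one key=value log line into a dict; quoted values keep embedded spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def timestamp(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")

def find_suspicious(lines):
    """Return (rule, user, detail, time) tuples for IOC logins and SSO-then-admin-creation."""
    findings = []
    sso_logins = {}  # user -> time of the most recent successful SSO admin login
    for line in lines:
        rec = parse_kv(line)
        if not rec:
            continue
        ts, user, src = timestamp(rec), rec.get("user"), rec.get("srcip")
        if rec.get("action") == "login" and rec.get("status") == "success":
            if rec.get("method") == "sso":
                sso_logins[user] = ts
            if user == SUSPECT_USER or src == SUSPECT_IP:
                findings.append(("ioc_login", user, src, ts))
        elif rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            last = sso_logins.get(user)
            if last is not None and ts - last <= WINDOW:
                findings.append(("admin_created_after_sso", user, rec.get("cfgobj"), ts))
    return findings

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS.splitlines()):
        print(hit)
```

The local `admin` creating `helpdesk` after an HTTPS login is deliberately not flagged, so the check keys on the SSO-then-create sequence rather than on admin creation alone.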

For administrators needing to secure their systems immediately, the most effective temporary measure is to disable the FortiCloud SSO feature. This blocks the attack vector until a complete vendor patch is available. The setting can be turned off in the firewall’s web interface by navigating to System -> Settings and switching “Allow administrative login using FortiCloud SSO” to Off. Alternatively, the same result can be achieved from the command-line interface by executing the following commands:

```
config system global
set admin-forticloud-sso-login disable
end
```

The scale of potential exposure is substantial. The internet security organization Shadowserver is currently monitoring close to 11,000 Fortinet devices that are publicly accessible online and have the vulnerable FortiCloud SSO feature enabled. Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating that all federal civilian agencies apply patches within one week to safeguard their networks. Despite multiple requests for comment on these incidents, Fortinet has not yet provided an official public statement.

(Source: Bleeping Computer)
