Fortinet FortiGate devices are being targeted in automated attacks that create rogue accounts and steal firewall configuration data, according to cybersecurity company Arctic Wolf.
The campaign started last week, on January 15, with the attackers exploiting an unknown vulnerability in the devices' single sign-on (SSO) feature to create accounts with VPN access and export firewall configurations within seconds, timing that indicates automated activity.
Arctic Wolf, which reported these incidents on Wednesday, says the attacks are very similar to incidents it documented in December following the disclosure of a critical authentication bypass vulnerability (CVE-2025-59718) in Fortinet products.
That flaw allows unauthenticated attackers to bypass SSO authentication on vulnerable FortiGate firewalls via maliciously crafted SAML messages when FortiCloud SSO features are enabled.
"While the parameters of initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025," Arctic Wolf said. "It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719."
Arctic Wolf's advisory follows a wave of reports from Fortinet customers about attackers likely exploiting a patch bypass for the CVE-2025-59718 vulnerability to hack patched firewalls.
Affected admins said that Fortinet reportedly confirmed that the latest FortiOS version (7.4.10) doesn't fully address the authentication bypass flaw, which should have already been patched since early December with the release of FortiOS 7.4.9.
Fortinet is also allegedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address the CVE-2025-59718 security flaw.
Affected Fortinet customers also shared logs showing that the attackers created admin users after an SSO login from [email protected] from IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf while analyzing the ongoing FortiGate attacks and the earlier exploitation the cybersecurity firm observed in December.
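The pattern described above (SSO login, then admin account creation and a configuration export from the same source within seconds) is something defenders can hunt for in firewall event logs. The following is an added example, not code from Arctic Wolf, Fortinet or the article: it runs a simple sequence detection over constructed key=value log lines. The field names (`action`, `method`, `cfgpath`, `cfgobj`, `srcip`) and the sample lines are assumptions modelled loosely on FortiGate event logs, not the vendor's exact schema, so adapt them to your own log format.

```python
import re
from datetime import datetime

# Constructed sample event log (not real FortiGate output); field names are an
# assumption. The first three lines mimic the automated chain from the article.
SAMPLE_LOG = """\
date=2026-01-15 time=03:14:07 type=event action=login method=sso user=sso-user srcip=198.51.100.20
date=2026-01-15 time=03:14:09 type=event action=Add cfgpath=system.admin cfgobj=svc_backup user=sso-user srcip=198.51.100.20
date=2026-01-15 time=03:14:11 type=event action=backup msg="Config backup" user=svc_backup srcip=198.51.100.20
date=2026-01-15 time=09:00:00 type=event action=login method=password user=admin srcip=10.0.0.5
date=2026-01-15 time=09:30:00 type=event action=Add cfgpath=system.admin cfgobj=jdoe user=admin srcip=10.0.0.5
"""

# key=value pairs; values may be quoted strings containing spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
    return fields


def find_automated_sso_chains(log_text, window_seconds=60):
    """Flag SSO logins followed, from the same source IP and within the
    window, by both a new admin account and a configuration export."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    for i, ev in enumerate(events):
        if ev.get("action") != "login" or ev.get("method") != "sso":
            continue
        new_admin = export_ts = None
        for later in events[i + 1:]:
            if (later["ts"] - ev["ts"]).total_seconds() > window_seconds:
                break  # events are chronological; past the window, stop
            if later.get("srcip") != ev.get("srcip"):
                continue
            if later.get("action") == "Add" and later.get("cfgpath") == "system.admin":
                new_admin = later.get("cfgobj")
            elif later.get("action") == "backup":
                export_ts = later["ts"]
        if new_admin and export_ts:
            hits.append({"srcip": ev["srcip"], "sso_user": ev["user"],
                         "new_admin": new_admin,
                         "seconds_to_export": (export_ts - ev["ts"]).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in find_automated_sso_chains(SAMPLE_LOG):
        print("suspicious SSO chain:", hit)
```

The password login at 09:00 followed by a routine admin creation half an hour later is deliberately not flagged; only the tight SSO-to-export sequence matches.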
Disable FortiCloud SSO to block attacks