FortiGate firewalls hit by silent SSO intrusions and config theft

Steven

FortiGate firewalls hit by silent SSO intrusions and config theft

Summary

Security firm Arctic Wolf has observed automated attacks starting around 15 January that target Fortinet FortiGate appliances using compromised SSO accounts. Attackers are able to bypass SSO checks, create admin backdoors, change VPN and firewall rules, and export complete configuration files that often contain sensitive credentials and network details. The activity maps to two authentication-bypass CVEs (CVE-2025-59718 and CVE-2025-59719); patches were released in December, but administrators report intrusions on supposedly patched systems. Fortinet is preparing additional FortiOS releases (7.4.11, 7.6.6 and 8.0.0) to fully address the issue. Arctic Wolf urges immediate audits, credential rotation and close SSO monitoring.

Key Points

  • Attackers are exploiting SSO authentication bypass behaviour to gain admin access to FortiGate firewalls.
  • Intrusions are rapid and automated: new admin accounts, changed VPN/firewall rules, and full configuration exports occur within seconds.
  • Activity is associated with CVE-2025-59718 and CVE-2025-59719; December patches appear to be bypassed in the wild.
  • Fortinet is preparing further FortiOS updates (7.4.11, 7.6.6, 8.0.0) to remediate remaining issues.
  • Indicators include SSO logins from cloud-init@mail.io and IP address 104.28.244.114; affected organisations should audit admin accounts, review recent config changes, rotate credentials and monitor SSO logs closely.

Content summary

Arctic Wolf reported a wave of malicious, automated activity that quietly reconfigures FortiGate devices and exfiltrates their configuration files. The attackers create persistent admin users, alter VPN and firewall rules, and export device configs — actions that can facilitate further network compromise. While the behaviour aligns with exploitation of two authentication bypass CVEs fixed in December, administrators say FortiOS 7.4.10 (and earlier 7.4.9) does not always block the technique, and intrusions have been seen on systems thought to be patched.

Fortinet is said to be preparing new builds to fully mitigate CVE-2025-59718. Until then, Arctic Wolf stresses immediate operational steps: audit admin accounts, examine recent configuration changes for unauthorised exports, rotate credentials found in configs, and keep a tight watch on SSO authentication logs for unusual activity.

Context and relevance

This is important because modern networks rely heavily on SSO and centralised authentication. A lightweight SSO bypass that yields admin-level access and full configuration exports hands attackers a detailed blueprint of the environment. The incident underscores two broader trends: firewall complexity increasing attack surface, and the difficulty of completely remediating auth bypasses once they are weaponised. If you manage FortiGate appliances or depend on SSO for network device access, this is directly relevant to your defensive posture and patching strategy.

Why should I read this?

Short version: if you run FortiGates, don’t ignore this. Patches were supposed to fix the flaw, but attackers are still getting in and quietly stealing configs — that’s your keys and network map walking out the door. Read the details so you know what logs to check, which indicators to hunt for and which immediate steps to take to limit damage.

Source

Source: https://www.theregister.com/2026/01/22/fortigate_firewalls_hit_by_silent/