FortiGate firewalls hit by silent SSO intrusions and config theft

FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box. That's according to a warning from security shop Arctic Wolf, which says it has spotted a wave of automated malicious activity starting January 15 that's targeting Fortinet's FortiGate appliances via compromised SSO accounts, flipping firewall settings, creating backdoor admin users, and exfiltrating configuration files. Arctic Wolf says that the attackers aren't just poking around: intruders create new admin accounts, adjust VPN and firewall rules, and export the full configuration. Those configs often include sensitive credentials and internal network details, effectively handing attackers a map of what to hit next. "All of the above events took place within seconds of each other, indicating the possibility of automated activity," Arctic Wolf said. What Arctic Wolf hasn't confirmed is a new vulnerability. Instead, the behavior lines up uncomfortably well with exploitation. This activity stemmed from two critical authentication bypass bugs (CVE-2025-59718 and CVE-2025-59719) that let attackers bypass SSO login checks via specially crafted SAML responses. Patches for those were shipped last December, but Arctic Wolf's advisory follows a growing wave of reports from administrators who believe attackers are exploiting a patch bypass for CVE-2025-59718 to compromise firewalls that were already thought to be fixed. On Reddit, affected admins say Fortinet has privately acknowledged that FortiOS 7.4.10 does not fully remediate the SSO authentication bypass, despite the issue being flagged as patched with the release of FortiOS 7.4.9 in early December. Several customers report seeing intrusions on fully updated systems. Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Firewalls and VPNs are so complex now, they can actually make you less secure Fortinet 'fesses up to second 0-day within a week Another bad week for SonicWall as SMA 1000 zero-day under active exploit Fortinet is now said to be preparing additional releases – FortiOS 7.4.11, 7.6.6, and 8.0.0 – over the coming days to fully address CVE-2025-59718. Logs shared by affected customers show attackers logging in via SSO from the address cloud-init@mail.io, originating from IP address 104.28.244.114, before creating new admin users. Those indicators match the same activity that Arctic Wolf observed while analyzing the current FortiGate attacks, as well as similar exploitation attempts back in December. Arctic Wolf is urging organizations to audit FortiGate admin accounts, review recent configuration changes, rotate credentials, and keep a close eye on SSO activity until Fortinet's next round of fixes lands. ®