
Hackers breach Fortinet FortiGate devices, steal firewall configs

Published:

22 January 2026 at 11:49:12

Alert date:

22 January 2026 at 12:00:48

Source:

bleepingcomputer.com


Network Infrastructure, Identity & Access, Data Breach & Exfiltration

Cybersecurity company Arctic Wolf reports that Fortinet FortiGate devices are being targeted in automated attacks where hackers create rogue accounts and steal firewall configuration data. The attacks appear to be part of a coordinated campaign targeting network infrastructure devices. The breach of firewall configurations poses significant security risks as it can expose network topology and security policies to attackers.

Technical details

Automated attacks are targeting Fortinet FortiGate devices by exploiting an unknown vulnerability in the single sign-on (SSO) feature. Attackers create rogue accounts with VPN access and export the firewall configuration within seconds. The attack exploits an authentication bypass vulnerability in the FortiCloud SSO feature using maliciously crafted SAML messages. The campaign started on January 15 and resembles incidents seen in December. The latest FortiOS version, 7.4.10, does not fully address the authentication bypass flaw. After the SSO login from cloud-init@mail.io, the attackers create admin users.

Mitigation steps:

Temporarily disable the FortiCloud SSO feature by going to System -> Settings and switching 'Allow administrative login using FortiCloud SSO' to Off. Alternatively, run the CLI commands 'config system global', 'set admin-forticloud-sso-login disable', 'end'. Update to the upcoming FortiOS versions 7.4.11, 7.6.6 and 8.0.0 when available to fully address CVE-2025-59718.
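As an added illustration of the mitigation above (example code written for this page, not Perceptive's or Fortinet's), the following Python script audits an exported FortiOS configuration for the setting named in the advisory and for admin accounts that are not on an operator-maintained list, then applies the recommended change to the exported text so the audit can be re-run. The configuration excerpt and the known-admin list are constructed; the config/edit/set/next/end block layout is assumed to follow the standard FortiOS CLI config format, and the setting name admin-forticloud-sso-login is taken from the advisory.

```python
import re
from typing import Dict, Optional

# Constructed sample of a FortiOS configuration export (not a real device dump).
# The setting name admin-forticloud-sso-login comes from the advisory; the
# config/edit/set/next/end block layout is the standard FortiOS CLI format.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "sso_backup_user"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Admin accounts the operator expects to exist; anything else is flagged.
# (Constructed for this example.)
KNOWN_ADMINS = frozenset({"admin"})


def parse_fortios_config(text: str) -> Dict[str, Dict[Optional[str], Dict[str, str]]]:
    """Minimal parser for the FortiOS CLI config format.

    Returns {section: {entry_name: {setting: value}}}, where entry_name is
    None for settings that sit directly under a 'config' block (as in
    'config system global'). Only config/edit/set/next/end are handled;
    a nested 'config' inside an 'edit' gets a dotted section name.
    """
    tree: Dict[str, Dict[Optional[str], Dict[str, str]]] = {}
    stack: list = []  # each element is [section, current entry or None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            prefix = stack[-1][0] + "." if stack else ""
            section = prefix + rest.strip()
            tree.setdefault(section, {})
            stack.append([section, None])
        elif word == "edit":
            entry = rest.strip().strip('"')
            stack[-1][1] = entry
            tree[stack[-1][0]].setdefault(entry, {})
        elif word == "set":
            key, _, value = rest.partition(" ")
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[key] = value.strip().strip('"')
        elif word == "next":
            stack[-1][1] = None
        elif word == "end":
            stack.pop()
    return tree


def audit_config(text: str, known_admins=KNOWN_ADMINS) -> dict:
    """Flag the advisory's risky setting and any admin account not on the known list."""
    tree = parse_fortios_config(text)
    sso_setting = tree.get("system global", {}).get(None, {}).get("admin-forticloud-sso-login")
    admins = {
        name: settings.get("accprofile", "")
        for name, settings in tree.get("system admin", {}).items()
        if name is not None
    }
    findings = []
    if sso_setting == "enable":
        findings.append(
            "admin-forticloud-sso-login is enabled; the advisory recommends "
            "disabling it until a fixed FortiOS release is installed"
        )
    for name, profile in sorted(admins.items()):
        if name not in known_admins:
            findings.append(f"unexpected admin account {name!r} with profile {profile!r}")
    return {
        "sso_login_enabled": sso_setting == "enable",
        "admin_accounts": admins,
        "findings": findings,
    }


def disable_forticloud_sso_login(text: str) -> str:
    """Apply the advisory's CLI change to the exported text, i.e. the effect of
    'config system global' / 'set admin-forticloud-sso-login disable' / 'end'."""
    pattern = re.compile(r"^([ \t]*set admin-forticloud-sso-login )enable[ \t]*$", re.MULTILINE)
    return pattern.sub(r"\1disable", text)


if __name__ == "__main__":
    before = audit_config(SAMPLE_CONFIG)
    for finding in before["findings"]:
        print("FINDING:", finding)
    after = audit_config(disable_forticloud_sso_login(SAMPLE_CONFIG))
    print("sso login enabled after fix:", after["sso_login_enabled"])
```

Running the script against a real export (for example the output of 'show system global' and 'show system admin') would report the SSO setting and any admin account not on the operator's list; rogue accounts created after an SSO login, as the advisory describes, would surface there. The text rewrite only mirrors the CLI change on an exported copy; the device itself still has to be changed through the GUI or CLI as described above.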

Affected products:

Fortinet FortiGate devices
FortiOS 7.4.9
FortiOS 7.4.10
FortiOS 7.4.11 (upcoming)
FortiOS 7.6.6 (upcoming)
FortiOS 8.0.0 (upcoming)
FortiCloud SSO

Related links:

Related CVEs:

Related threat actors:

IOCs:

cloud-init@mail.io, 104.28.244.114

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
