**Hackers Breach Fortinet FortiGate Devices, Steal Firewall Configs**
A wave of automated attacks has been targeting Fortinet's FortiGate devices, creating rogue accounts and stealing firewall configuration data. The campaign, which started last week on January 15, exploits an unknown vulnerability in the devices' single sign-on (SSO) feature to create admin users with VPN access.
According to cybersecurity company Arctic Wolf, which reported these incidents on Wednesday, the attackers are using a method similar to the one seen in December following the disclosure of a critical authentication bypass vulnerability (CVE-2025-59718) in Fortinet products. That flaw allows unauthenticated attackers to bypass SSO authentication on vulnerable FortiGate firewalls via maliciously crafted SAML messages when FortiCloud SSO features are enabled.
Arctic Wolf notes that while the initial access details have not been fully confirmed, the current campaign bears similarity to the campaign the company described in December 2025. It is unclear whether the latest threat activity is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719.
Arctic Wolf's advisory follows a wave of reports from Fortinet customers about attackers likely exploiting a patch bypass for CVE-2025-59718 to breach patched firewalls. Affected admins said that Fortinet reportedly confirmed that the latest FortiOS version (7.4.10) doesn't fully address the authentication bypass flaw, which was supposed to have been fixed in early December with the release of FortiOS 7.4.9.
Fortinet is allegedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address the CVE-2025-59718 security flaw. Affected Fortinet customers also shared logs showing that the attackers created admin users after an SSO login from cloud-init@mail.io on IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf while analyzing ongoing FortiGate attacks and previous exploitation.
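The log pattern the affected customers describe (an SSO login followed shortly by the creation of an admin account) is something a defender can hunt for in exported FortiGate event logs. The script below is an added example, not code from the article, Arctic Wolf or Fortinet: it parses key=value style log lines, correlates each SSO login with any `system.admin` object added by the same user within a time window, and marks hits that match the published indicators (user `cloud-init@mail.io`, IP `104.28.244.114`). The sample log lines and the field names `user`, `ui`, `action`, `cfgpath` and `cfgobj` are constructed assumptions about the export format; map them to the fields in your own logs before use.

```python
"""Hunt for SSO login -> new admin account creation in FortiGate-style event logs.

Added example. The log lines and field names below are CONSTRUCTED
(key=value form modelled on FortiOS event logs); adjust the field names
to match your own export before running this against real data.
"""
import re
from datetime import datetime, timedelta

# Indicators of compromise quoted in the article.
IOC_USER = "cloud-init@mail.io"
IOC_IP = "104.28.244.114"

# Constructed sample log lines (not from a real device). The second and third
# lines model the reported pattern; the last line is a legitimate admin
# creation over HTTPS and must not be flagged.
SAMPLE_LOGS = """\
date=2026-01-16 time=03:12:07 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2026-01-16 time=03:14:20 type="event" subtype="system" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="login" status="success" msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.114)"
date=2026-01-16 time=03:15:02 type="event" subtype="system" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="Add" cfgpath="system.admin" cfgobj="cloudadm" msg="Add system.admin cloudadm"
date=2026-01-16 time=03:16:40 type="event" subtype="system" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="Edit" cfgpath="vpn.ssl.settings" msg="Edit vpn.ssl.settings"
date=2026-01-16 time=09:30:00 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
"""

# key=value pairs; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ui="method(ip)" -> login method and source address.
UI_RE = re.compile(r"^(\w+)\(([^)]+)\)$")


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp and ui parts."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S"
    )
    match = UI_RE.match(fields.get("ui", ""))
    fields["ui_method"], fields["ui_ip"] = (
        (match.group(1), match.group(2)) if match else ("", "")
    )
    return fields


def find_sso_admin_creation(log_text, window=timedelta(hours=1)):
    """Return one finding per SSO login followed by an admin add by the same user.

    Events are assumed to be in chronological order, as in a log export.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    for i, login in enumerate(events):
        if login.get("action") != "login" or login["ui_method"] != "sso":
            continue
        for later in events[i + 1 :]:
            if later["ts"] - login["ts"] > window:
                break  # outside the correlation window; events are time-ordered
            if (
                later.get("action") == "Add"
                and later.get("cfgpath") == "system.admin"
                and later.get("user") == login.get("user")
            ):
                findings.append(
                    {
                        "login_time": login["ts"].isoformat(),
                        "sso_user": login.get("user"),
                        "source_ip": login["ui_ip"],
                        "new_admin": later.get("cfgobj"),
                        "matches_published_ioc": login.get("user") == IOC_USER
                        or login["ui_ip"] == IOC_IP,
                    }
                )
    return findings


if __name__ == "__main__":
    for hit in find_sso_admin_creation(SAMPLE_LOGS):
        print(hit)
```

Run against the constructed sample, the script reports a single finding: the SSO login by `cloud-init@mail.io` from `104.28.244.114` followed by the creation of admin `cloudadm`, marked as matching the published indicators. The later `helpdesk` account creation by `admin` over HTTPS is not reported, because it is not preceded by an SSO login. Any SSO-login-then-admin-add sequence is reported even when the indicators differ, since the indicators can change while the pattern stays the same.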
**Disable FortiCloud SSO to Block Attacks**
Until Fortinet fully patches FortiOS against these ongoing attacks, admins can secure their firewalls by temporarily turning off the vulnerable FortiCloud login feature (if enabled) by going to System -> Settings and switching "Allow administrative login using FortiCloud SSO" to Off. Another option is to run the following commands from the command-line interface:
```
config system settings
set allow-forticloud-sso disable
end
```
Internet security watchdog Shadowserver is currently tracking nearly 11,000 Fortinet devices that are exposed online with FortiCloud SSO enabled. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its catalog of flaws exploited in attacks on December 16 and ordered federal agencies to patch within a week.
BleepingComputer reached out to Fortinet multiple times this week with questions about these FortiGate attacks, but the company has yet to reply.