
New Wave of Attacks Targeting FortiGate Firewalls

Hackers bypass the FortiCloud SSO login authentication to create new accounts and change device configurations.

Threat actors are making configuration changes to FortiGate firewalls in a new wave of attacks reminiscent of a December 2025 campaign, security researchers warn.

Over the past week, Arctic Wolf observed automated attacks targeting FortiGate devices to create new user accounts, modify configurations for VPN access, and exfiltrate firewall data.

The activity, the cybersecurity firm notes, is similar to a month-old campaign targeting CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.8), two critical-severity authentication bypass vulnerabilities in Fortinet products.

The bugs, the vendor said in early December, allow attackers to bypass the FortiCloud SSO login authentication via crafted SAML response messages.

While the FortiCloud login feature is disabled by default, it is enabled when registering a new device to FortiCare from the device’s UI, unless the administrator specifically disables it.

Roughly a week later, Arctic Wolf warned that threat actors started exploiting the security defects against FortiGate firewalls three days after Fortinet announced patches for the two issues.

Now, the cybersecurity company says it has observed a new wave of malicious SSO logins on FortiGate appliances resulting in malicious configuration changes.

The attacks originated from a small number of hosting providers and typically targeted the [email protected] account. Within seconds after login, the attackers exported device configurations, likely through automation.
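The behaviour described above (an SSO login followed within seconds by a configuration export and then by account creation) is a pattern a defender can correlate in device event logs. The script below is an added example written for this article, not code from Arctic Wolf, Fortinet or SecurityWeek. It assumes a simplified key=value log line format; the field names (ts, action, method, user, srcip, status) and the sample events are constructed for illustration and are not the real FortiGate log schema.

```python
"""Correlate SSO admin logins with rapid follow-on actions.

Added example (not from the article or the vendor). The log format is a
constructed key=value style; field names are assumptions, not the real
FortiGate schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real device output).
SAMPLE_LOGS = [
    "ts=2026-01-12T09:00:01Z action=login method=sso user=admin srcip=203.0.113.10 status=success",
    "ts=2026-01-12T09:00:04Z action=export-config user=admin srcip=203.0.113.10 status=success",
    "ts=2026-01-12T09:00:09Z action=add-admin user=admin newuser=svc_backup srcip=203.0.113.10 status=success",
    "ts=2026-01-12T10:15:00Z action=login method=local user=ops srcip=198.51.100.7 status=success",
    "ts=2026-01-12T10:40:00Z action=export-config user=ops srcip=198.51.100.7 status=success",
]

# Actions that are sensitive when they follow an SSO login unusually quickly.
SUSPICIOUS_ACTIONS = {"export-config", "add-admin", "edit-vpn"}
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split a constructed key=value log line into a dict and parse the timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_suspicious_sso_sessions(lines, window=WINDOW):
    """Return alerts for sensitive actions that occur within `window`
    of a successful SSO login by the same user from the same source IP.

    Local (non-SSO) logins are ignored, so routine admin work is not flagged.
    """
    last_sso = {}  # (user, srcip) -> timestamp of most recent SSO login
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        key = (ev.get("user"), ev.get("srcip"))
        is_sso_login = (
            ev.get("action") == "login"
            and ev.get("method") == "sso"
            and ev.get("status") == "success"
        )
        if is_sso_login:
            last_sso[key] = ev["ts"]
            continue
        if ev.get("action") in SUSPICIOUS_ACTIONS and key in last_sso:
            delta = ev["ts"] - last_sso[key]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": key[0],
                    "srcip": key[1],
                    "action": ev["action"],
                    "seconds_after_sso_login": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sso_sessions(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the admin SSO session produces two alerts (the export three seconds after login, the new admin account eight seconds after), while the local ops login with an export 25 minutes later produces none. In a real deployment the parser would be replaced by the device's actual log schema and the source-IP allow-list of expected management networks would be checked as well.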

According to Arctic Wolf, it is unclear whether the activity “is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719”.

Users on Reddit suggest that the December patches for the two Fortinet vulnerabilities were not complete, and that the vendor is working on fresh fixes for the bugs.

To prevent the exploitation of the two vulnerabilities, users are advised to disable the FortiCloud login feature by going to the settings menu and switching ‘Allow administrative login using FortiCloud SSO’ off.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
