FortiGate Firewalls: Silent Intrusions and Config Theft - What You Need to Know (2026)

FortiGate administrators are facing an uncomfortable scenario: the firewall that guards the network has itself been quietly taken over. Attackers are getting past the appliance's Single Sign-On (SSO) login, altering settings and walking off with the device configuration. Because that configuration is effectively the blueprint of the network it protects, this is a serious breach rather than a nuisance.

Security firm Arctic Wolf (https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/) has warned of a surge in automated malicious activity against Fortinet's FortiGate appliances. Since around January 15th it has observed attackers using SSO accounts to tamper with firewall settings, create unauthorized administrator accounts and, most damagingly, exfiltrate configuration files.

What makes the activity so damaging is its scope. The intruders are not merely probing for weaknesses: they create new administrator accounts with full privileges, change VPN and firewall rules to suit themselves, and download the complete firewall configuration. A FortiGate configuration backup contains passwords, API keys and a detailed layout of the internal network, so whoever holds it has a ready-made map for lateral movement and follow-on attacks. "All of the above events took place within seconds of each other, indicating the possibility of automated activity," Arctic Wolf noted, pointing to tooling rather than hands-on-keyboard work.

Arctic Wolf has not identified a brand-new vulnerability, but the observed behaviour points to the authentication-bypass flaws CVE-2025-59718 and CVE-2025-59719 (https://www.theregister.com/2025/12/09/december2025patch_tuesday/). Patched last December, these allow an attacker to circumvent the SSO login check with a specially crafted SAML response. The worrying part is that administrators are reporting intrusions on firewalls that had already been patched, which raises the suspicion that the fix for CVE-2025-59718 can itself be bypassed.

On Reddit (https://www.reddit.com/r/fortinet/comments/1qibdcb/possiblenewssoexploitcve202559718on749/), affected administrators claim that Fortinet has privately confirmed that FortiOS 7.4.10 does not fully address the SSO authentication bypass, even though it is listed as fixed in FortiOS 7.4.9. If so, organisations that applied the December fix and considered the matter closed are still exposed.


Fortinet is reportedly preparing new releases, FortiOS 7.4.11, 7.6.6 and 8.0.0, to address CVE-2025-59718 comprehensively. Until those ship, a device's patched status is not by itself evidence that it is clean.

Logs shared by affected customers show a consistent pattern: an SSO login by the account cloud-init@mail.io from IP address 104.28.244.114, followed by the creation of new administrator users. The same indicators appear in Arctic Wolf's observations and in similar attempts seen in December, which points to a single coordinated campaign against FortiGate firewalls.
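As an added example, not code from the article, Arctic Wolf or Fortinet, the correlation a SOC could run over FortiOS event logs to surface exactly this pattern: a successful SSO administrator login followed, within seconds and by the same account, by admin-account creation, VPN changes and a configuration backup, or a login by an account or source IP matching the indicators quoted above. The log lines are constructed in FortiOS key=value style; the logid values, the cfgpath/cfgobj/cfgattr field names and the "Config backup" log description are assumptions modelled on that format, while the account and IP are the indicators the article reports.

```python
"""Correlate FortiOS SSO admin logins with follow-on configuration changes.

Added example (not from the article, Arctic Wolf or Fortinet). Sample log
lines are constructed; logid values and some field names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed FortiOS-style event logs: one attacker session using the
# indicators from the article, one benign SSO admin, one local HTTPS login.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:07 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.244.114)" method="sso" srcip=104.28.244.114 action="login" status="success" profile="super_admin" msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.114)"
date=2026-01-15 time=03:12:09 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="Add" cfgpath="system.admin" cfgobj="support_admin" cfgattr="accprofile[super_admin]" msg="Add system.admin support_admin"
date=2026-01-15 time=03:12:11 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="Edit" cfgpath="vpn.ssl.settings" cfgattr="source-interface[wan1]" msg="Edit vpn.ssl.settings"
date=2026-01-15 time=03:12:14 logid="0100044548" type="event" subtype="system" level="notice" vd="root" logdesc="Config backup" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="backup" msg="Configuration backed up by cloud-init@mail.io"
date=2026-01-15 time=09:00:03 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="jdoe" ui="sso(203.0.113.8)" method="sso" srcip=203.0.113.8 action="login" status="success" profile="super_admin" msg="Administrator jdoe logged in successfully from sso(203.0.113.8)"
date=2026-01-15 time=09:47:30 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="jdoe" ui="sso(203.0.113.8)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
date=2026-01-15 time=10:05:00 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(192.168.1.20)" method="https" srcip=192.168.1.20 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(192.168.1.20)"
""".splitlines()

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Configuration changes worth flagging when they follow an SSO login quickly.
SENSITIVE_CHANGES = {
    ("Add", "system.admin"): "new administrator account created",
    ("Edit", "system.admin"): "administrator account modified",
    ("Edit", "vpn.ssl.settings"): "SSL-VPN settings changed",
    ("Add", "firewall.policy"): "firewall policy added",
    ("Edit", "firewall.policy"): "firewall policy changed",
}
CONFIG_BACKUP_DESCS = {"Config backup"}  # assumed logdesc for a config download

# Indicators reported in the article.
KNOWN_IOCS = {"users": {"cloud-init@mail.io"}, "ips": {"104.28.244.114"}}


def parse_fortios_line(line):
    """Parse one FortiOS key=value log line into a dict with a 'ts' datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def is_sso_login(ev):
    """True for a successful administrator login that came in over SSO."""
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and (ev.get("method") == "sso" or ev.get("ui", "").startswith("sso(")))


def find_sso_intrusions(events, window_seconds=30, iocs=KNOWN_IOCS):
    """One finding per SSO login followed within window_seconds, by the same
    account, by a sensitive change or config backup, or matching an IoC."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if not is_sso_login(ev):
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        actions = []
        for nxt in events[i + 1:]:
            if nxt["ts"] > deadline:
                break  # events are sorted, nothing later can be in the window
            if nxt.get("user") != ev.get("user"):
                continue
            key = (nxt.get("action"), nxt.get("cfgpath"))
            if key in SENSITIVE_CHANGES:
                target = nxt.get("cfgobj", nxt.get("cfgattr", ""))
                actions.append(f"{SENSITIVE_CHANGES[key]} ({target})")
            elif nxt.get("logdesc") in CONFIG_BACKUP_DESCS:
                actions.append("configuration downloaded")
        ioc_hit = ev.get("user") in iocs["users"] or ev.get("srcip") in iocs["ips"]
        if actions or ioc_hit:
            findings.append({
                "user": ev.get("user"),
                "srcip": ev.get("srcip"),
                "login_time": ev["ts"].isoformat(sep=" "),
                "ioc_match": ioc_hit,
                "actions": actions,
                "window_seconds": window_seconds,
            })
    return findings


def scan(lines, **kwargs):
    """Parse raw log lines and run the correlation over them."""
    return find_sso_intrusions(
        [parse_fortios_line(l) for l in lines if l.strip()], **kwargs)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['login_time']} {f['user']} from {f['srcip']} "
              f"ioc={f['ioc_match']} actions={f['actions']}")
```

Run against a syslog export rather than the device's own log buffer where you can, since an attacker with a super_admin account can clear local logs; and treat any hit as an incident to be scoped, not a rule to be tuned away. The IoC lists are a starting point only, so the timing correlation, not the username or IP, is what this rule should be trusted for.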

In light of the ongoing activity, Arctic Wolf advises organisations to audit their FortiGate administrator accounts immediately, review recent configuration changes for unauthorized modifications, rotate all relevant credentials (including SSO passwords and API keys), and monitor SSO activity closely until Fortinet's next round of fixes is released and deployed. Two caveats matter in practice. First, a firewall whose configuration has been downloaded should be treated as fully compromised: every secret in that file is now in the attacker's hands, so rotating only the SSO password while leaving VPN, API and local administrator credentials in place does not contain the incident. Second, multi-factor authentication at the identity provider does not help against a forged SAML response that the firewall accepts on its own, so where the business can tolerate it, disabling SSO administrator login until a confirmed fix is installed is the surest stopgap. ®
