Cybercriminals are actively exploiting vulnerabilities in Fortinet FortiGate devices, particularly targeting the Single Sign-On (SSO) feature to gain unauthorized access and exfiltrate sensitive firewall configuration data. This activity has been observed since mid-January 2026 and mirrors similar attacks documented in December 2025.
The attacks involve attackers sending specially crafted Security Assertion Markup Language (SAML) messages to bypass SSO authentication, allowing them to log in as administrative accounts on vulnerable FortiGate appliances. Once inside, they create generic accounts for persistence, grant VPN access to these accounts, and exfiltrate firewall configurations. These configurations can reveal network topology, security rules, VPN settings, and authentication mechanisms, enabling attackers to identify exposed services, bypass controls, and maintain access through VPNs or trusted connections. (arcticwolf.com)
Fortinet had previously addressed this issue with patches released in December 2025 for vulnerabilities CVE-2025-59718 and CVE-2025-59719. However, reports indicate that these patches did not fully mitigate the vulnerabilities, as attacks continue to occur on devices running FortiOS versions 7.4.9 and above. In response, Fortinet is working on additional releases, including versions 7.4.11, 7.6.6, and 8.0.0, which are expected to fully resolve the issue. (helpnetsecurity.com)
Security researchers recommend that organizations disable the FortiCloud SSO login feature as a temporary measure until the new patches are available. This can be achieved by running the following commands:
```
config system global
    set admin-forticloud-sso-login disable
end
```
Additionally, monitoring for the creation of unauthorized administrator accounts is advised to detect potential compromises. (esentire.com)
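One way to act on that monitoring advice is to scan FortiOS event logs for configuration changes that add an admin account outside an expected allow-list. The script below is an added example, not code from the original reporting or from Fortinet; the log lines are constructed, and the field names it keys on (cfgpath, cfgobj, action, ui) are an assumption about the FortiOS config-change log layout that should be checked against real logs.

```python
import shlex
from typing import Dict, List

# Constructed sample FortiOS event-log lines (key=value syntax). The cfgpath, cfgobj,
# action and ui field names are assumed from the FortiOS config-change log layout;
# verify them against logs from your own devices before relying on this logic.
SAMPLE_LOGS = [
    'date=2026-01-20 time=03:12:44 type="event" subtype="system" level="information" '
    'user="admin" ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" '
    'cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2026-01-20 time=03:13:10 type="event" subtype="system" level="information" '
    'user="admin" ui="https(203.0.113.5)" action="Edit" cfgpath="vpn.ssl.settings" '
    'cfgobj="" msg="Edit vpn.ssl.settings"',
    'date=2026-01-20 time=09:00:01 type="event" subtype="system" level="information" '
    'user="netops" ui="ssh(10.0.0.8)" action="Edit" cfgpath="firewall.policy" '
    'cfgobj="12" msg="Edit firewall.policy 12"',
]

# Constructed allow-list of admin accounts the organization expects to exist.
KNOWN_ADMINS = {"admin", "netops"}


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_new_admin_accounts(lines: List[str], known_admins: set) -> List[Dict[str, str]]:
    """Return config-change events that add an admin account not on the allow-list.

    Each hit records who made the change and from which UI/source address, which is
    the context an analyst needs to decide whether the addition was legitimate.
    """
    hits = []
    for line in lines:
        ev = parse_fortios_line(line)
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            new_name = ev.get("cfgobj", "")
            if new_name not in known_admins:
                hits.append({
                    "new_admin": new_name,
                    "by": ev.get("user", ""),
                    "via": ev.get("ui", ""),
                    "at": f'{ev.get("date", "")} {ev.get("time", "")}',
                })
    return hits
```

Feed it a real export of event logs (one line per entry) and review every hit; on a device where the SSO mitigation above has not yet been applied, an unexpected addition is a strong signal to pull the configuration-change history for the same session.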
The ongoing exploitation of these vulnerabilities underscores the critical importance of promptly applying security patches and maintaining vigilant monitoring practices to safeguard network infrastructure.
Fortinet FortiGate Devices Targeted in Automated Attacks:
- Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts | Arctic Wolf, Published on Wednesday, January 21
- Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718? - Help Net Security, Published on Wednesday, January 21
- Previously Patched Fortinet Vulnerability (CVE-2025-59718) Exploited in the Wild | eSentire
