Automated Attacks Target Fortinet Firewalls, Steal Configurations via SSO Flaw

A wave of automated attacks is targeting Fortinet FortiGate devices by exploiting a vulnerability in the single sign-on (SSO) feature to create unauthorized administrative accounts and export firewall configurations. Security firm Arctic Wolf reports that the campaign, which began on January 15, involves attackers gaining VPN access and stealing configuration data within seconds, indicating highly automated exploitation. The activity closely resembles previous attacks linked to a critical authentication bypass flaw, CVE-2025-59718, disclosed in December.
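The tell-tale sequence in that description is a brand-new administrator account followed, within seconds, by a configuration export. The following script is an added example (not code from the article, Arctic Wolf or Fortinet) showing how a defender could correlate those two events in FortiGate-style key=value event logs. The sample lines, the message texts, the addresses and the field names used (`action`, `user`, `ui`, `cfgpath`, `cfgobj`) are constructed assumptions for the illustration and should be mapped to the fields your own devices actually emit.

```python
"""Flag 'new admin account, then config export' sequences in FortiGate-style logs.

Added example. The log lines below are constructed to resemble FortiGate
key=value event syslog; field names, messages and addresses are assumptions,
not output captured from a real device.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real device output).
SAMPLE_LOGS = [
    # Attack-like sequence: login, new admin created, config exported 5 s later.
    'date=2026-01-15 time=03:14:07 type="event" subtype="system" action="login" '
    'status="success" user="sso_user" ui="https(203.0.113.10)" msg="login via SSO"',
    'date=2026-01-15 time=03:14:09 type="event" subtype="system" action="Add" '
    'user="sso_user" ui="GUI(203.0.113.10)" cfgpath="system.admin" '
    'cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-01-15 time=03:14:14 type="event" subtype="system" action="download" '
    'user="svc_backup" ui="GUI(203.0.113.10)" msg="configuration backup downloaded"',
    # Benign sequence: admin created in the morning, unrelated backup hours later.
    'date=2026-01-15 time=09:02:30 type="event" subtype="system" action="Add" '
    'user="netops" ui="GUI(10.0.0.5)" cfgpath="system.admin" cfgobj="jdoe" '
    'msg="Add system.admin jdoe"',
    'date=2026-01-15 time=17:45:02 type="event" subtype="system" action="download" '
    'user="netops" ui="GUI(10.0.0.5)" msg="configuration backup downloaded"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime under 'ts'."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
    )
    return fields


def source_of(fields):
    """Pull the client address out of ui="GUI(203.0.113.10)" (assumed format)."""
    match = re.search(r"\(([^)]+)\)", fields.get("ui", ""))
    return match.group(1) if match else None


def find_admin_then_export(lines, window=timedelta(seconds=60)):
    """Return alerts for config downloads that follow an admin-account creation
    within `window`, either by the newly created account or from the same
    client address. Fast automated tooling makes this gap a few seconds."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    admin_adds = [
        e for e in events
        if e.get("action") == "Add" and e.get("cfgpath") == "system.admin"
    ]
    alerts = []
    for export in events:
        if export.get("action") != "download":
            continue
        for add in admin_adds:
            gap = export["ts"] - add["ts"]
            same_actor = export.get("user") == add.get("cfgobj")
            same_source = source_of(export) == source_of(add)
            if timedelta(0) <= gap <= window and (same_actor or same_source):
                alerts.append({
                    "new_admin": add.get("cfgobj"),
                    "created_by": add.get("user"),
                    "exported_by": export.get("user"),
                    "source": source_of(export),
                    "seconds": int(gap.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_then_export(SAMPLE_LOGS):
        print("ALERT: admin", alert["new_admin"], "created by", alert["created_by"],
              "then config exported by", alert["exported_by"], "from",
              alert["source"], "after", alert["seconds"], "s")
```

Run against the constructed input, only the 03:14 sequence is reported; the morning account creation and the evening backup by an existing administrator are eight hours apart and stay silent. Tune `window` to your own change-management cadence, and feed the function the admin and backup events your SIEM already collects rather than the sample list.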

While Fortinet released patches for CVE-2025-59718 in early December, evidence suggests the fix may be incomplete, with reports that even the latest FortiOS version (7.4.10) does not fully address the vulnerability. The company is reportedly preparing additional updates (7.4.11, 7.6.6, and 8.0.0) to fully resolve the issue. In the meantime, administrators are advised to disable the vulnerable FortiCloud SSO feature as a temporary mitigation.

According to Shadowserver, nearly 11,000 Fortinet devices with FortiCloud SSO enabled are currently exposed online, highlighting the widespread risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already directed federal agencies to patch the flaw. Until a comprehensive fix is available, disabling the affected SSO feature remains the primary defense against these configuration-stealing attacks.
