FortiGate Firewalls Under Active Attack Despite Patches: Silent SSO Exploits and Config Theft

Security researchers are warning of a coordinated attack campaign against Fortinet's FortiGate firewalls that is exploiting authentication bypass vulnerabilities to silently compromise devices, reconfigure settings, and exfiltrate sensitive configuration data. The attacks, which began in mid-January 2026, are particularly concerning because they are occurring on systems that administrators believed were already secured.

The Silent Intrusion Mechanism

According to a security advisory from Arctic Wolf, attackers are leveraging compromised single sign-on (SSO) accounts to bypass authentication checks on FortiGate appliances. The security firm observed a wave of automated malicious activity starting January 15, where intruders successfully logged into firewalls using SSO credentials, then immediately executed a series of disruptive actions:

• Creating new administrative user accounts
• Modifying VPN and firewall rules to create backdoors
• Exporting the complete device configuration

All of these actions occurred within seconds of each other, indicating automated tooling is being used. The stolen configuration files often contain sensitive credentials, internal network topology details, and other critical security information, effectively providing attackers with a roadmap for subsequent attacks.

The Root Cause: Authentication Bypass Vulnerabilities

The attacks stem from two critical authentication bypass vulnerabilities that were first disclosed in late 2025:

• CVE-2025-59718: An SSO authentication bypass vulnerability
• CVE-2025-59719: A related authentication bypass issue

Both vulnerabilities allow attackers to bypass SSO login checks by sending specially crafted Security Assertion Markup Language (SAML) responses. Fortinet shipped patches for these vulnerabilities in early December 2025 with the release of FortiOS 7.4.9.

However, the current wave of attacks suggests the patches may not have fully remediated the issue. Affected administrators report that FortiOS 7.4.10, which was supposed to address CVE-2025-59718, still contains exploitable weaknesses. On Reddit and other administrator forums, users have shared logs showing successful intrusions on fully updated systems.

Evidence of Ongoing Exploitation

Logs shared by affected customers reveal a consistent attack pattern. Attackers are logging in via SSO from the address [email protected], originating from IP address 104.28.244.114. This matches the same indicators observed by Arctic Wolf during their analysis of the current FortiGate attacks, as well as similar exploitation attempts documented in December 2025.

The persistence of these attacks despite patching efforts suggests either:

1. The original patches were incomplete
2. Attackers discovered a patch bypass technique
3. There may be additional, undiscovered vulnerabilities

Fortinet has privately acknowledged to some customers that FortiOS 7.4.10 does not fully remediate CVE-2025-59718, despite the issue being officially marked as patched. The company is now preparing additional releases—FortiOS 7.4.11, 7.6.6, and 8.0.0—to address the remaining vulnerabilities.

Immediate Impact and Risk Assessment

The attacks pose significant risks to affected organizations:

Network Exposure: Stolen configuration files provide attackers with detailed maps of internal networks, including subnet information, routing tables, and access control lists.

Credential Compromise: Configuration files often contain service account credentials, VPN pre-shared keys, and other authentication secrets that can be used for lateral movement.

Persistence: New administrative accounts created by attackers provide persistent access even if original credentials are rotated.

Data Exfiltration: Modified firewall rules can be used to establish data exfiltration channels or create command-and-control infrastructure.

Recommended Mitigation Strategies

Arctic Wolf and other security experts recommend the following immediate actions for organizations using FortiGate firewalls:

1. Account Auditing

• Review all administrative accounts on FortiGate devices
• Look for newly created accounts, especially those created in January 2026
• Check for accounts with unusual names or those created outside normal change windows

2. Configuration Review

• Compare current configurations against known-good baselines
• Look for unauthorized changes to VPN settings, firewall rules, and administrative access controls
• Pay particular attention to rules that might allow external access to internal resources

3. Credential Rotation

• Immediately rotate all credentials stored in or referenced by FortiGate configurations
• This includes administrative passwords, VPN pre-shared keys, RADIUS/TACACS+ secrets, and any service account credentials
• Consider implementing certificate-based authentication where possible

4. SSO Activity Monitoring

• Monitor SSO authentication logs for suspicious activity
• Look for logins from unusual IP addresses or at unusual times
• Pay attention to the [email protected] email address and IP address 104.28.244.114

5. Network Segmentation

• Implement network segmentation to limit the potential impact of a compromised firewall
• Ensure that firewall management interfaces are not accessible from untrusted networks
• Consider implementing out-of-band management where feasible

Regulatory and Compliance Implications

For organizations subject to data protection regulations, these attacks have significant compliance implications:

GDPR (General Data Protection Regulation): If personal data is accessed or exfiltrated, organizations may face breach notification requirements within 72 hours and potential fines up to 4% of global annual turnover.

CCPA (California Consumer Privacy Act): California residents' personal information accessed through these attacks could trigger breach notification requirements and statutory damages.

Industry-Specific Regulations: Organizations in healthcare (HIPAA), finance (GLBA, PCI DSS), or critical infrastructure sectors may face additional reporting requirements and penalties.

The Broader Pattern: Firewall Complexity as a Security Risk

This incident highlights a growing concern in cybersecurity: the increasing complexity of network security appliances may actually be creating new attack surfaces. Modern firewalls and VPNs now incorporate:

• Multiple authentication methods (local, RADIUS, TACACS+, SAML, OAuth)
• Complex configuration management interfaces
• Integration with cloud services and identity providers
• Software update mechanisms

Each of these components represents potential attack vectors. The FortiGate incident demonstrates how a vulnerability in one component (SSO authentication) can lead to complete device compromise.

Looking Ahead: What Organizations Should Expect

Fortinet has indicated that additional patches will be released in the coming days. However, organizations should prepare for the possibility that:

1. Patch deployment takes time: Even when patches are available, testing and deployment in production environments requires careful planning.

2. Attackers may adapt: If the current vulnerabilities are fully patched, attackers may shift to other techniques or target different components.

3. Forensic analysis is complex: Determining the full scope of a compromise requires detailed log analysis and may reveal additional indicators of compromise.

Conclusion

The FortiGate attack campaign represents a significant threat to organizations relying on these devices for network security. The combination of automated exploitation, silent reconfiguration, and data theft creates a serious risk of network compromise and data breach.

Organizations using FortiGate firewalls should immediately implement the recommended mitigation strategies while awaiting official patches from Fortinet. The incident also serves as a reminder that patching alone is not sufficient—continuous monitoring, configuration management, and defense-in-depth strategies are essential components of a robust security posture.

For the latest updates on this situation, organizations should monitor Fortinet's official security advisories and consider reaching out to their Fortinet support representatives for specific guidance on their deployments.

Security researchers and affected administrators are encouraged to share indicators of compromise and additional details through appropriate channels to help the broader community respond to this threat.