Fortinet FortiGate Devices Breached – Firewall Configs Stolen

January 23, 2026 Faeem BLOGS 0

Security researchers have confirmed a new wave of automated attacks against Fortinet FortiGate firewalls, with adversaries exploiting the FortiCloud SSO feature to create rogue accounts and exfiltrate firewall configuration data within seconds.

Key Details

  • Start of campaign: January 15, 2026.
  • Attack vector: Exploiting an unknown vulnerability in FortiGate’s SSO feature.
  • Activity observed:
    • Creation of VPN-enabled rogue accounts.
    • Immediate export of firewall configuration files.
    • Highly automated – login, exfiltration, and persistence occur within seconds.
  • Similarity to past incidents: Mirrors December 2025 attacks tied to CVE-2025-59718 and CVE-2025-59719 (critical authentication bypass flaws via malicious SAML messages).

Patch Status

  • FortiOS 7.4.9 was supposed to fix CVE-2025-59718/59719.
  • FortiOS 7.4.10 reportedly still vulnerable (patch bypass suspected).
  • Upcoming fixes: Fortinet is preparing 7.4.11, 7.6.6, and 8.0.0 releases to fully address the flaw.
  • CISA action: Added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog (Dec 16, 2025), mandating federal agencies to patch.

Indicators of Compromise (IOCs)

  • Malicious accounts: cloud-init@mail.io
  • Source IP: 104.28.244.114 (linked to SSO logins and config theft)
  • Matches IOCs from Arctic Wolf’s December analysis.

Mitigation Guidance

  • Disable FortiCloud SSO (temporary workaround):
    • GUI: System → Settings → Allow administrative login using FortiCloud SSO → Off
    • CLI:Code
      • config system global
      • set admin-forticloud-sso-login disable
      • end
  • Patch immediately once FortiOS 7.4.11, 7.6.6, or 8.0.0 are released.
  • Restrict management interfaces to trusted internal networks.
  • Monitor logs for suspicious SSO logins and rogue account creation.
  • Credential hygiene: Reset admin credentials; assume compromised hashes may be cracked offline.

Takeaway

This campaign highlights how attackers are exploiting authentication bypass flaws in FortiGate firewalls to automate theft of sensitive configs and establish persistence. With patch bypasses suspected, organizations must disable FortiCloud SSO immediately and prepare to deploy the upcoming FortiOS fixes.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.