Hackers breach Fortinet FortiGate devices, steal firewall configs

Recorded: Jan. 22, 2026, 1:03 p.m.

By Sergiu Gatlan

January 22, 2026
06:49 AM

Fortinet FortiGate devices are being targeted in automated attacks that create rogue accounts and steal firewall configuration data, according to cybersecurity company Arctic Wolf.
The campaign started last week, on January 15, with the attackers exploiting an unknown vulnerability in the devices' single sign-on (SSO) feature to create accounts with VPN access and export firewall configurations within seconds, which indicates automated activity.
Arctic Wolf, which reported these incidents on Wednesday, says the attacks are very similar to incidents it documented in December following the disclosure of a critical authentication bypass vulnerability (CVE-2025-59718) in Fortinet products.

That flaw allows unauthenticated attackers to bypass SSO authentication on vulnerable FortiGate firewalls via maliciously crafted SAML messages when FortiCloud SSO features are enabled.
"While the parameters of initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025," Arctic Wolf said. "It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719."
Arctic Wolf's advisory follows a wave of reports from Fortinet customers about attackers likely exploiting a patch bypass for the CVE-2025-59718 vulnerability to hack patched firewalls.
Affected admins said that Fortinet reportedly confirmed that the latest FortiOS version (7.4.10) doesn't fully address the authentication bypass flaw, which should have already been patched since early December with the release of FortiOS 7.4.9.
Fortinet is also allegedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address the CVE-2025-59718 security flaw.
Affected Fortinet customers also shared logs showing that the attackers created admin users after an SSO login from cloud-init@mail.io on IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf while analyzing ongoing FortiGate attacks and previous exploitation the cybersecurity firm observed in December.
Disable FortiCloud SSO to block attacks
Until Fortinet fully patches FortiOS against these ongoing attacks, admins can secure their firewalls by temporarily turning off the vulnerable FortiCloud login feature (if enabled) by going to System -> Settings and switching "Allow administrative login using FortiCloud SSO" to Off.
Another option is to run the following commands from the command-line interface:

config system global
set admin-forticloud-sso-login disable
end
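Since the attackers both export configurations and create accounts, an offline audit of a configuration backup is a useful companion check to the CLI change above. This added example (not Fortinet's tooling) parses FortiOS config/edit/set/next/end syntax from a constructed excerpt, reports whether admin-forticloud-sso-login is set to disable, and lists admin accounts that are not on an expected allowlist. Only the setting name comes from the article; the sample configuration and the allowlist are assumptions.

```python
import shlex

# Constructed FortiOS-style config excerpt (not a real export); only the setting name is from the article.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw1"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into {section: {object: {key: [values]}}}; 'set' lines outside an edit block go under object ''."""
    tree, stack, obj = {}, [], ""
    for raw in text.splitlines():
        parts = shlex.split(raw)          # honours the double-quoted values FortiOS exports use
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            stack.append(" ".join(args)); tree.setdefault(stack[-1], {}); obj = ""
        elif cmd == "edit":
            obj = args[0]; tree[stack[-1]].setdefault(obj, {})
        elif cmd == "set":
            tree[stack[-1]].setdefault(obj, {})[args[0]] = args[1:]
        elif cmd == "next":
            obj = ""
        elif cmd == "end":
            stack.pop(); obj = ""
    return tree

def audit(text, expected_admins):
    """Return findings: FortiCloud SSO login not explicitly disabled, and admin accounts not on the allowlist."""
    tree = parse_fortios(text)
    findings = []
    sso = tree.get("system global", {}).get("", {}).get("admin-forticloud-sso-login")
    if sso != ["disable"]:
        state = sso[0] if sso else "not set (device default applies)"
        findings.append(f"admin-forticloud-sso-login is {state}; disable it until a complete fix is installed")
    rogue = set(tree.get("system admin", {})) - {""} - set(expected_admins)
    findings += [f"unexpected admin account: {name}" for name in sorted(rogue)]
    return findings
```

Run audit() over every backup in rotation: an account that appears in a newer backup but not in the allowlist is exactly the kind of rogue admin the article describes.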
Internet security watchdog Shadowserver is currently tracking nearly 11,000 Fortinet devices that are exposed online and have FortiCloud SSO enabled.
On December 16, CISA also added CVE-2025-59718 to its catalog of vulnerabilities exploited in attacks and ordered federal agencies to patch within a week.
BleepingComputer reached out to Fortinet multiple times this week with questions about these FortiGate attacks, but the company has yet to reply.



Actively Exploited
Firewall
FortiCloud
Fortigate
Fortinet
Single Sign-On
SSO

Sergiu Gatlan
Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.


Summary

Attackers are actively exploiting a vulnerability in Fortinet FortiGate firewalls, targeting the single sign-on (SSO) feature and specifically the FortiCloud SSO login. The attacks, documented by cybersecurity firm Arctic Wolf, have given the attackers unauthorized access to numerous devices. The core issue is a previously patched flaw, CVE-2025-59718, which allows unauthenticated attackers to bypass SSO authentication and establish admin accounts. The activity continues despite Fortinet's patch in early December (FortiOS 7.4.9) and the subsequent FortiOS 7.4.10 release, which indicates that the fix does not fully close the vulnerability on deployed systems.

Arctic Wolf has not fully confirmed the initial access method; the December campaign used crafted SAML messages, and the current activity closely resembles it. Logs shared by affected customers show the attackers creating admin users after an SSO login from cloud-init@mail.io on IP address 104.28.244.114, matching the indicators Arctic Wolf observed in December 2025. Account creation and configuration export complete within seconds, confirming that the intrusion is automated. Devices running the latest FortiOS 7.4.10 release reportedly remain exposed.

The exposure is considerable: Internet security watchdog Shadowserver is tracking nearly 11,000 Fortinet devices that are reachable online with FortiCloud SSO enabled, the feature these attacks abuse. This highlights a recurring problem in cybersecurity: deployed fixes and their rollout often lag behind actual threat activity. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59718 to its catalog of exploited vulnerabilities and mandated that federal agencies patch within one week.

Fortinet is reportedly planning FortiOS 7.4.11, 7.6.6, and 8.0.0 to fully address the flaw, but the company had not answered BleepingComputer's questions at the time of writing. The situation underscores the need for proactive monitoring and immediate action by Fortinet customers: the attackers' ability to get past the existing patch means that patch status alone is not currently sufficient.

To mitigate the risk, administrators should temporarily disable FortiCloud SSO login if it is enabled, either from the command-line interface with `config system global; set admin-forticloud-sso-login disable; end` or in the GUI under System -> Settings by switching "Allow administrative login using FortiCloud SSO" to Off. This is a stopgap until Fortinet ships a complete fix.

The ongoing nature of this attack emphasizes the importance of rigorous vulnerability management, including continuous monitoring of exposed devices, review of admin accounts and configuration exports, and rapid deployment of patches as they become available. Because even patched firewalls have been compromised, organizations cannot rely on version numbers alone and should treat exposed FortiGate devices with FortiCloud SSO enabled as prime targets. The continued investigation and tracking by Arctic Wolf and Shadowserver are crucial to understanding the evolving threat and informing effective defensive strategies.