Advisory ID: NCC-CSIRT-2026-002
Summary:
Arctic Wolf Labs has reported an ongoing cluster of automated attacks targeting Fortinet FortiGate devices that leverage the FortiCloud Single Sign-On (SSO) feature to gain unauthorised administrative access and perform malicious configuration changes. The observed activity, which began around 15 January 2026, includes the creation of generic administrative accounts, modifications to VPN configurations that grant access to these accounts, and the exfiltration of complete firewall configurations to external systems.
The attacks exploit two critical authentication-bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719: crafted SAML messages in the FortiCloud SSO flow are accepted as valid, so an attacker obtains an administrative session without holding any valid credentials.
Damage/Probability: Critical/High
Product(s):
- Fortinet FortiGate Network Security Appliances
- FortiOS, FortiWeb, FortiProxy and FortiSwitchManager with the FortiCloud Single Sign-On (SSO) feature enabled
Version(s):
- All builds affected by CVE-2025-59718 and CVE-2025-59719. Arctic Wolf has observed compromises on devices that had already been patched, so an installed fix alone should not be taken as proof that the bypass condition is closed.
- FortiOS 7.4.9 and 7.4.10, as well as releases on other trains, have been reported as still exposed in certain configurations.
Platform(s):
- Internet-facing perimeter firewalls
- Related Fortinet security platforms actively managed via FortiCloud SSO
Description:
Exploitation of FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) allows attackers to gain unauthorised administrative access to FortiGate devices without credentials.
Once access is obtained, automated scripts rapidly create generic admin accounts, modify VPN and firewall configurations for persistence, and exfiltrate full device configurations for offline analysis (including cracking of the credential hashes they contain) and further compromise.
Exfiltration activity has been linked to the following IP addresses:
104.28.244[.]115, 104.28.212[.]114, 217.119.139[.]50, 37.1.209[.]19.
The speed and consistency of the activity indicate the use of automated threat actor tooling, enabling rapid and scalable compromise.
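The Python script below is an added illustration of how the tradecraft described above can be triaged from FortiOS event logs; it is not tooling from Arctic Wolf, Fortinet or NCC-CSIRT. The log lines in it are constructed for the example in the key=value layout FortiOS uses. The way an SSO login is recorded (ui="sso(...)"), the cfgpath values (system.admin, vpn.ssl.settings, user.group) and the local policy values KNOWN_ADMINS and TRUSTED_NETS are assumptions that must be checked against real logs and adapted to the environment. The exfiltration IP addresses are the four listed in this advisory, refanged.

```python
"""Triage FortiOS-style event logs for the FortiCloud SSO abuse pattern.

Added example for this advisory, not tooling from Arctic Wolf, Fortinet or
NCC-CSIRT. Field names (logdesc, user, ui, srcip, cfgpath, action) follow the
FortiOS key=value log layout; the sample lines and the local policy values
(KNOWN_ADMINS, TRUSTED_NETS) are constructed assumptions for the example.
"""
import ipaddress
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Exfiltration IPs from the advisory, refanged so they match log fields.
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}

# Assumed local policy: the only admin accounts that should exist, and the
# management networks from which administrative logins are expected.
KNOWN_ADMINS = {"admin", "netops"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample (not a real capture): a legitimate admin session, then an
# SSO session from an unknown account that adds an admin, widens SSL-VPN
# access and backs up the config, followed by a local connection to an IOC IP.
SAMPLE_LOGS = [
    'date=2026-01-16 time=03:12:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.5.20)" srcip=10.0.5.20 action="login" status="success"',
    'date=2026-01-16 time=03:12:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.5.20)" srcip=10.0.5.20 action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments"',
    'date=2026-01-16 time=03:40:02 type="event" subtype="system" logdesc="Admin login successful" user="cloud-sso-admin" ui="sso(198.51.100.77)" srcip=198.51.100.77 action="login" status="success"',
    'date=2026-01-16 time=03:40:05 type="event" subtype="system" logdesc="Object configured" user="cloud-sso-admin" ui="sso(198.51.100.77)" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="support"',
    'date=2026-01-16 time=03:40:09 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-sso-admin" ui="sso(198.51.100.77)" srcip=198.51.100.77 action="Edit" cfgpath="vpn.ssl.settings" cfgattr="authentication-rule"',
    'date=2026-01-16 time=03:40:14 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-sso-admin" ui="sso(198.51.100.77)" srcip=198.51.100.77 action="Edit" cfgpath="user.group" cfgobj="SSLVPN_Users" cfgattr="member[support]"',
    'date=2026-01-16 time=03:40:21 type="event" subtype="system" logdesc="Configuration backed up" user="cloud-sso-admin" ui="sso(198.51.100.77)" srcip=198.51.100.77 action="backup" status="success"',
    'date=2026-01-16 time=03:40:25 type="traffic" subtype="local" srcip=203.0.113.5 dstip=104.28.244.115 dstport=443 sentbyte=188420',
]


def parse_fortilog(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _ts(rec):
    stamp = rec.get("date", "1970-01-01") + " " + rec.get("time", "00:00:00")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def _trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines, burst_window=timedelta(seconds=60), burst_threshold=3):
    """Return (finding, record) pairs. Findings mirror the advisory's stages:
    SSO/unknown/untrusted admin logins, admin account creation, VPN or policy
    changes and config backups outside a trusted session, bursts of changes
    (scripted activity) and any contact with the listed exfiltration IPs."""
    findings = []
    sessions = {}   # (user, srcip) -> most recent successful login record
    stamps = {}     # (user, srcip) -> timestamps of configuration changes
    for line in lines:
        rec = parse_fortilog(line)
        user, src = rec.get("user", ""), rec.get("srcip", "")
        key, desc = (user, src), rec.get("logdesc", "")
        if desc == "Admin login successful":
            sessions[key] = rec
            if "sso" in rec.get("ui", "").lower():
                findings.append(("sso_admin_login", rec))
            if user not in KNOWN_ADMINS:
                findings.append(("unknown_admin_login", rec))
            if not _trusted(src):
                findings.append(("untrusted_admin_source", rec))
        elif "cfgpath" in rec:
            # Correlate the change with a login: no matching session, an
            # unknown account or an untrusted source all count as untrusted.
            untrusted = key not in sessions or user not in KNOWN_ADMINS or not _trusted(src)
            path = rec["cfgpath"]
            if path == "system.admin" and rec.get("action") == "Add":
                findings.append(("admin_account_created", rec))
            if untrusted:
                findings.append(("change_without_trusted_session", rec))
                if path.startswith(("vpn.", "user.", "firewall.")):
                    findings.append(("vpn_or_policy_change", rec))
            ts = stamps.setdefault(key, [])
            ts.append(_ts(rec))
            # Fires once, when the threshold-th change lands inside the window.
            if sum(1 for t in ts if ts[-1] - t <= burst_window) == burst_threshold:
                findings.append(("config_change_burst", rec))
        elif desc == "Configuration backed up":
            if user not in KNOWN_ADMINS or not _trusted(src):
                findings.append(("config_backup_outside_trusted_session", rec))
        if {rec.get("srcip"), rec.get("dstip")} & IOC_IPS:
            findings.append(("ioc_ip_contact", rec))
    return findings


if __name__ == "__main__":
    for kind, rec in analyze(SAMPLE_LOGS):
        print(f"{rec['date']} {rec['time']}  {kind:40} user={rec.get('user', '-')} src={rec.get('srcip', '-')}")
```

On the constructed sample the legitimate session produces no findings, while the SSO session produces a login alert, the account creation, two VPN-related changes, a burst alert on the third change within a minute, the backup, and an IOC hit on the outbound connection. The burst check is what makes the "speed and consistency" of the observed activity detectable without any signature for the accounts or addresses involved.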
Threat Types:
- Unauthenticated SSO bypass via crafted SAML messages for initial access.
- Automated administrative logins through the bypassed SSO path, followed by scripted configuration changes in the resulting sessions.
- Firewall and VPN configuration changes to maintain persistence.
- Exfiltration of firewall configurations enabling credential compromise and lateral access.
Impacts:
- Exploitation enables attackers to authenticate as administrative users without credentials, granting full control over affected FortiGate devices.
- Malicious changes to firewall rules, VPN policies, and administrative accounts undermine perimeter security and elevate attacker reach for further network intrusion.
- Exfiltrated configuration files contain hashed credentials that may be subject to offline cracking, potentially escalating compromise across other systems or administrative sessions.
- Newly created generic accounts and expanded VPN access provide persistent footholds and can facilitate lateral movement into enterprise networks.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Disable FortiCloud SSO admin access until systems are fully patched and validated.
- Restrict admin interfaces (web/SSH/CLI) to trusted internal networks only.
- Apply all Fortinet PSIRT patches and confirm, against the PSIRT advisories and release notes, that the installed build contains the fixes for CVE-2025-59718 and CVE-2025-59719; given the reports of compromised patched devices, also verify after patching that no unexpected admin accounts, VPN changes or SSO sessions remain.
- Monitor admin and SSO logs for anomalous sessions, new accounts, and configuration changes; enable alerts.
- Correlate configuration changes with authenticated sessions to detect unauthorised activity.
- Immediately rotate all admin credentials and revoke active administrative sessions.
- Treat any configuration file that may have been exported as fully compromised: rotate every secret it contains (admin passwords, VPN pre-shared keys, directory bind credentials, SNMP communities) rather than only sanitising the file before reuse.
- Enforce least privilege, MFA, and continuous configuration monitoring for firewall administrators.
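The FortiOS CLI fragment below is added here to illustrate the hardening steps above in the device's own configuration syntax; it is not Fortinet's published workaround text or Arctic Wolf's material. The interface name, subnets, account and profile names and the placeholder values in angle brackets are assumptions to be replaced with the values for the estate, and each command should be checked against the CLI reference for the release in use.

```fortios
# Added illustration for this advisory; placeholders, not a tested template.

# 1. Remove the attack path: no administrative login via FortiCloud SSO.
#    Keep this disabled until the build is confirmed fixed for
#    CVE-2025-59718 / CVE-2025-59719 and the device has been validated.
config system global
    set admin-forticloud-sso-login disable
end

# 2. Take management protocols off Internet-facing interfaces altogether
#    ("wan1" is a placeholder for the perimeter interface).
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 3. Pin every admin account to the management network (trusthost1..10 apply
#    to GUI, SSH and API logins alike) and require a second factor.
#    "fortitoken" needs a token already assigned to the account.
config system admin
    edit "admin"
        set trusthost1 10.0.5.0 255.255.255.0
        set trusthost2 10.0.6.10 255.255.255.255
        set two-factor fortitoken
        set password <new-strong-password>
    next
end

# 4. Least privilege: analysts who only review configuration and logs get a
#    read-only profile instead of super_admin.
config system accprofile
    edit "soc-readonly"
        set sysgrp read
        set netgrp read
        set fwgrp read
        set vpngrp read
        set loggrp read
    next
end

# 5. Verify and hunt: list live admin sessions (and drop any that are not
#    yours, using the index from the list), enumerate every admin account,
#    and review the VPN and group objects the attackers are known to touch.
get system admin list
execute disconnect-admin-session <index>
show system admin
show vpn ssl settings
show user group
```

The order matters: disable SSO admin login and remove the live sessions first, then rotate the credentials, so that an attacker holding a session when the password changes does not simply keep using it.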
References:
- https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
- https://www.helpnetsecurity.com/2026/01/21/patched-fortigate-compromised-via-cve-2025-59718/