Fortinet FortiGate Firewalls Under Massive Attack via FortiCloud SSO Vulnerability CVE-2025-59718

CyberSecureFox 🦊

Since mid-January 2026, Fortinet FortiGate firewalls have come under a new wave of highly automated attacks. According to researchers at Arctic Wolf, threat actors are exploiting a vulnerability in the FortiCloud Single Sign-On (SSO) mechanism to obtain administrative access within seconds, create rogue admin and VPN accounts, and exfiltrate full firewall configurations.

How the FortiCloud SSO vulnerability in FortiGate is being exploited

Arctic Wolf reports that the latest campaign became active on 15 January 2026. The attackers target the implementation of Single Sign-On (SSO), a mechanism that allows users to authenticate once and gain access to multiple services using the same identity.

The core of the attack is the exploitation of CVE-2025-59718, a vulnerability in the handling of specially crafted SAML (Security Assertion Markup Language) messages. SAML is a standard protocol used to transmit authentication data between an identity provider and a service. A flaw in how FortiGate processes these SAML assertions enables an unauthenticated remote attacker to bypass authentication when FortiCloud SSO is enabled on the device.

Once the vulnerability is successfully exploited, the attackers reportedly:

– immediately create new administrative accounts with VPN access;
– modify VPN and firewall policies to strengthen persistence and facilitate lateral movement;
– download complete FortiGate configuration files.

These configuration files often contain credentials, internal IP addressing, VPN tunnel definitions, and access-control policies. In practice, this gives adversaries a detailed map of the victim’s internal network, significantly lowering the effort required for subsequent intrusions and targeted attacks.

Why FortiOS security updates have not stopped the FortiGate attacks

The first wave of similar incidents was observed in December 2025, shortly after technical details of CVE-2025-59718 and CVE-2025-59719 became public. In response, Fortinet released security fixes as part of FortiOS 7.4.9 and stated that the issue had been resolved.

The current campaign, however, demonstrates that exploitation is still ongoing. Administrators of compromised FortiGate devices report that breaches affected firewalls already upgraded to the then-latest firmware, FortiOS 7.4.10. Discussions on professional forums, including Reddit, indicate that some affected users were told informally that the vulnerability might not be fully remediated in 7.4.10, despite Fortinet’s official position that CVE-2025-59718 is fixed starting with 7.4.9.

In light of continued exploitation, Fortinet is reportedly preparing an emergency release of FortiOS 7.4.11, 7.6.6 and 8.0.0, which are expected to definitively close the remaining attack paths for CVE-2025-59718. Until these versions become generally available and are widely deployed, the exposure of organizations using FortiCloud SSO on FortiGate remains elevated.

Indicators of compromise and scale of exposed FortiGate devices

Logs from compromised FortiGate firewalls show a recurring attack pattern. In most documented cases:

– SSO logins are recorded under the email address cloud-init@mail[.]io;
– the source IP address 104.28.244[.]114 is observed;
– a new administrative account is created immediately after the SSO login event.

These indicators of compromise (IoCs) match observations from Arctic Wolf in both the current and December 2025 campaigns, suggesting that a single actor or closely cooperating groups are likely behind the activity.

Data from the Shadowserver project indicates that almost 11,000 FortiGate devices with FortiCloud SSO enabled are currently exposed to the internet. Because the exploited vulnerability does not require prior authentication and the attacks are fully automated, all of these systems should be considered potential targets.

Immediate FortiGate hardening steps to reduce risk

Short-term incident response actions for Fortinet FortiGate

Until final patches are available and deployed, security teams should implement the following measures:

– Temporarily disable FortiCloud SSO on all FortiGate devices where it is enabled;
– Review FortiGate event logs for SSO logins using cloud-init@mail[.]io and connections from 104.28.244[.]114 or other suspicious IPs;
– Perform a full audit of all administrative accounts on FortiGate and remove any unknown or unauthorized users;
– If any sign of compromise is detected, reset all passwords, rotate VPN keys and certificates, and carefully review firewall and VPN configurations for unauthorized changes.
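The log review recommended above, and the recurring pattern described in the indicators-of-compromise section (an SSO login under the known identity or from the known source IP, followed within moments by a new administrative account), can be turned into a small triage script. The following is an added example written for this article; it is not code from Fortinet, Arctic Wolf, or CyberSecureFox. The log lines are constructed for illustration, the field names (date, time, user, method, srcip, action, status, cfgpath, cfgobj) are assumptions loosely modelled on FortiGate's key=value event-log syntax rather than a verified schema, and the five-minute correlation window is an arbitrary threshold. Before running it against real exports, map the field names to those your FortiOS version actually emits.

```python
"""Triage helper for the FortiGate SSO intrusion pattern described in the article.

Added example, not Fortinet, Arctic Wolf or CyberSecureFox code. Field names are
assumptions modelled on FortiGate-style key=value logs; adjust them to match the
real export before use. Two rules are applied to every successful login:
  1. IoC match: the SSO identity or source IP named in the article.
  2. Behavioural match (works even if the actor changes identity or IP): an SSO
     login followed within a short window by that same user adding an admin account.
"""
import re
from datetime import datetime, timedelta

# Indicators quoted in the article (defanged there as cloud-init@mail[.]io / 104.28.244[.]114).
IOC_USER = "cloud-init@mail.io"
IOC_IP = "104.28.244.114"
# Assumed threshold: how soon after an SSO login a new admin account is treated as suspicious.
ADMIN_CREATE_WINDOW = timedelta(minutes=5)

# Constructed sample log lines (assumed simplified FortiGate-style syntax, not real device output).
# Lines 1-3 mimic the pattern from the article; lines 4-5 are a benign admin creating a helpdesk account.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:07 type="event" logdesc="Admin login successful" user="cloud-init@mail.io" method="sso" srcip=104.28.244.114 action="login" status="success"
date=2026-01-15 time=03:12:19 type="event" logdesc="Object attribute configured" user="cloud-init@mail.io" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" action="Add"
date=2026-01-15 time=03:13:02 type="event" logdesc="Object attribute configured" user="cloud-init@mail.io" cfgpath="vpn.ssl.settings" action="Edit"
date=2026-01-15 time=09:41:55 type="event" logdesc="Admin login successful" user="admin" method="https" srcip=10.0.0.5 action="login" status="success"
date=2026-01-15 time=09:45:10 type="event" logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="helpdesk" action="Add"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict with a parsed '_ts' timestamp."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    fields["_ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def find_suspicious_logins(log_text, window=ADMIN_CREATE_WINDOW):
    """Return one finding per successful login that matches an IoC or the behavioural rule."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["_ts"])
    findings = []
    for i, login in enumerate(events):
        if login.get("action") != "login" or login.get("status") != "success":
            continue
        reasons = []
        if login.get("user", "").lower() == IOC_USER:
            reasons.append("known IoC SSO identity")
        if login.get("srcip") == IOC_IP:
            reasons.append("known IoC source IP")
        # Behavioural rule: only SSO logins are correlated, so a normal HTTPS admin session
        # that legitimately creates an account is not flagged by this rule.
        if login.get("method") == "sso":
            for later in events[i + 1:]:
                delta = later["_ts"] - login["_ts"]
                if delta > window:
                    break
                if (later.get("cfgpath") == "system.admin" and later.get("action") == "Add"
                        and later.get("user") == login.get("user")):
                    reasons.append(f'admin account "{later.get("cfgobj")}" created '
                                   f'{int(delta.total_seconds())}s after SSO login')
        if reasons:
            findings.append({"timestamp": login["_ts"], "user": login.get("user"),
                             "srcip": login.get("srcip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOGS):
        print(f'{f["timestamp"]} user={f["user"]} srcip={f["srcip"]}')
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the constructed sample the script reports exactly one login: the SSO session matching both indicators, with the admin account added twelve seconds later listed as a third reason. The later HTTPS session by the local admin is not reported even though it also creates an account, which is the point of restricting the behavioural rule to SSO logins. Any hit should be followed by the rest of the checklist above: an audit of every admin account, a diff of VPN and firewall policies against a known-good backup, and credential rotation if the compromise is confirmed.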

Long-term vulnerability management and SSO security strategy

The CVE-2025-59718 situation underscores the importance of mature vulnerability management and identity security processes. Risk remains high even when patches exist if:

– security updates are deployed with significant delays;
– continuous monitoring of logs and network activity is absent;
– there is no accurate inventory of internet-facing services such as FortiCloud SSO.

To improve resilience, organizations should adopt centralized monitoring for perimeter devices, enforce multi-factor authentication (MFA) wherever technically feasible, and regularly conduct penetration tests and configuration audits of network security appliances. Maintaining a current asset inventory and prioritizing remediation for exposed services are critical to reducing the attack surface.

The ongoing FortiGate attacks show that even mature security products from leading vendors remain attractive and vulnerable targets, and that adversaries rapidly automate the exploitation of newly disclosed flaws. Organizations relying on Fortinet FortiGate and FortiCloud SSO should promptly disable vulnerable functionality, thoroughly assess devices for compromise, and be prepared to deploy new FortiOS releases as soon as they are available. Consistent monitoring, disciplined patch management, and a proactive approach to identity and configuration security are now essential prerequisites for maintaining a robust network security posture.
