FortiGate firewalls hit by silent SSO attacks & config theft
Briefly

"FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box. That's according to a warning from security shop Arctic Wolf, which says it has spotted a wave of automated malicious activity starting January 15 that's targeting Fortinet's FortiGate appliances via compromised SSO accounts, flipping firewall settings, creating backdoor admin users, and exfiltrating configuration files."
"Arctic Wolf says that the attackers aren't just poking around: intruders create new admin accounts, adjust VPN and firewall rules, and export the full configuration. Those configs often include sensitive credentials and internal network details, effectively handing attackers a map of what to hit next. 'All of the above events took place within seconds of each other, indicating the possibility of automated activity,' Arctic Wolf said."
"What Arctic Wolf hasn't confirmed is a new vulnerability. Instead, the behavior lines up uncomfortably well with exploitation. This activity stemmed from two critical authentication bypass bugs (CVE-2025-59718 and CVE-2025-59719) that let attackers bypass SSO login checks via specially crafted SAML responses. Patches for those were shipped last December, but Arctic Wolf's advisory follows a growing wave of reports from administrators who believe attackers are exploiting a patch bypass for CVE-2025-59718 to compromise firewalls that were already thought to be fixed."
Automated intrusions beginning January 15 target Fortinet FortiGate appliances through compromised SSO accounts to flip firewall settings, create backdoor administrative users, and exfiltrate full configuration files. Exported configurations often contain credentials and internal network details that enable further compromise. The activity correlates with two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) that allow specially crafted SAML responses to bypass SSO checks. Patches shipped in December did not fully prevent exploitation for some deployments, and administrators report intrusions on systems running FortiOS 7.4.10 despite earlier patches. Fortinet is preparing additional FortiOS releases to address the remaining bypass.
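The reported tell is the sequence itself: an SSO-authenticated session that creates an admin, touches firewall or VPN settings, and exports the configuration within seconds. The following added example (not code from the article, Arctic Wolf or Fortinet) runs that sequence check over constructed sample events in a simplified key=value form; the field names and the 30-second window are assumptions, not FortiOS's real log syntax.

```python
import re
from datetime import datetime

# Constructed sample events (simplified key=value form, NOT real FortiOS log syntax).
# First session: admin creation, policy and VPN edits, config export, all within seconds.
# Second session: routine admin changes spread over hours with no account creation.
SAMPLE_LOGS = """\
ts=2026-01-15T03:12:01 user=svc_sso action=login method=sso src=203.0.113.5
ts=2026-01-15T03:12:03 user=svc_sso action=add type=system.admin name=support2
ts=2026-01-15T03:12:04 user=svc_sso action=edit type=firewall.policy name=allow_any
ts=2026-01-15T03:12:05 user=svc_sso action=edit type=vpn.ssl.settings
ts=2026-01-15T03:12:06 user=svc_sso action=download type=config
ts=2026-01-15T09:40:00 user=alice action=login method=sso src=10.0.0.7
ts=2026-01-15T09:47:12 user=alice action=edit type=firewall.policy name=web_out
ts=2026-01-15T11:02:30 user=alice action=download type=config
"""

# Indicators taken from the reported behaviour: backdoor admin, policy/VPN change, config export.
INDICATORS = {
    "admin_created": lambda e: e.get("action") == "add" and e.get("type") == "system.admin",
    "policy_changed": lambda e: e.get("action") == "edit"
    and e.get("type", "").startswith(("firewall.", "vpn.")),
    "config_exported": lambda e: e.get("action") == "download" and e.get("type") == "config",
}


def parse(lines):
    """Yield one dict per line; the ts field is converted to a datetime."""
    for line in lines.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if "ts" in fields:
            fields["ts"] = datetime.fromisoformat(fields["ts"])
            yield fields


def detect(logs, window_s=30):
    """Alert on users whose three indicator events all fall inside one short window."""
    by_user = {}
    for e in parse(logs):
        for name, test in INDICATORS.items():
            if test(e):
                by_user.setdefault(e["user"], []).append((e["ts"], name))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            inwin = [(ts, h) for ts, h in events[i:] if (ts - start).total_seconds() <= window_s]
            if set(INDICATORS) <= {h for _, h in inwin}:  # every indicator seen in the window
                span = int((inwin[-1][0] - start).total_seconds())
                alerts.append({"user": user, "start": start.isoformat(), "span_s": span})
                break
    return alerts
```

Widening the window trades fewer misses for more noise from legitimate change windows, so tune it against your own admin activity baseline.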
Read at The Register