Fortinet FortiGate devices hit in automated attacks which create rogue accounts and steal firewall data

News
By published

A recent Fortinet patch may not work as well as hoped

Best free Linux firewalls
Image credit: Pixabay (Image credit: Pixabay)
  • Hackers exploit Fortinet FortiGate SSO bug to steal firewall configuration data
  • FortiOS 7.4.10 patch incomplete; new versions planned to fully fix vulnerability
  • Stolen firewall data exposes network topology, VPNs, and security rules for further attacks

Cybercriminals seem to be taking advantage of a hole in a recent patch for Fortinet FortiGate instances, and are exploiting the vulnerability to create administrator accounts and steal firewall configuration data.

Security researchers at Arctic Wolf said they saw hackers abusing a bug in the single sign-on (SSO) feature to create accounts and export firewall configurations, most likely via an automated script.

The activity is akin to one observed in December, when threat actors abused two flaws - CVE-2025-59718, and CVE-2025-59719.

New versions in the pipeline

"While the parameters of initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025," Arctic Wolf said in its report.

"It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719."

Fortinet has apparently confirmed the reports, saying that FortiOS version 7.4.10 does not fully fix the abovementioned vulnerability.

Multiple releases are already in the pipeline, namely 7.4.11, 7.6.6, and 8.0.0, which should fully resolve this issue. These versions are planned to be released in a few days. As per Shadowserver data, there are more than 10,000 vulnerable endpoints out there.

The attacks are quite dangerous. Firewall configuration data reveals the full network topology, security rules, VPN settings, and authentication mechanisms, allowing crooks to identify exposed services, bypass controls, move laterally, and maintain or regain access through VPNs or trusted connections.

The data can also be used to attack connected partner networks or sold to other threat actors.

If your organization is at risk, until Fortinet patches things up, consider temporarily turning off the FortiCloud login feature. You could also run these commands:

config system global

set admin-forticloud-sso-login disable

end

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.