Imagine your fortress walls being silently dismantled, brick by brick, while the guards are none the wiser. That is roughly what is happening to FortiGate firewalls: attackers are bypassing Single Sign-On (SSO) protections to reconfigure the devices and steal their configurations while administrators remain unaware. The more troubling part is that the relevant patches were released in December, yet devices running the versions listed as fixed are still being compromised, which raises the question of whether those fixes were ever complete.
According to a recent alert from cybersecurity firm Arctic Wolf (https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/), a wave of automated attacks has been targeting Fortinet FortiGate devices since January 15. The intruders log in through compromised SSO accounts, then reconfigure the firewall, create new administrator accounts for persistence, and export the configuration file. The whole sequence completes within seconds of the login, which points to scripted tooling rather than hands-on-keyboard activity.
The stolen configurations matter because a FortiGate configuration contains sensitive credentials and internal network details, giving the attacker a map for follow-on attacks. Arctic Wolf stresses that these are not random probes: intruders are systematically altering VPN and firewall rules, exporting full configurations, and preparing for deeper intrusions.
Arctic Wolf has not identified a new vulnerability, but the activity lines up with exploitation of two critical authentication bypass bugs, CVE-2025-59718 and CVE-2025-59719 (https://www.theregister.com/2025/12/09/december2025patch_tuesday/), which allow an attacker to bypass SSO login checks with specially crafted SAML responses. Patches were released in December, yet a growing number of administrators report intrusions on devices running those patched versions, prompting speculation that CVE-2025-59718 can still be exploited on patched builds.
On Reddit (https://www.reddit.com/r/fortinet/comments/1qibdcb/possiblenewssoexploitcve202559718on749/), affected admins claim Fortinet has privately acknowledged that FortiOS 7.4.10 does not fully address the SSO authentication bypass, even though the issue was marked as resolved with the release of FortiOS 7.4.9 in early December. If that is accurate, organizations that applied the December update promptly remained exposed, which raises questions about Fortinet's patching process and about how much confidence administrators can place in an advisory that says "fixed".
This raises a broader question: are modern firewalls and VPN gateways becoming so complex that they introduce more exposure than they remove? Recent incidents, such as the surge in malicious activity against Palo Alto Networks devices (https://www.theregister.com/2025/11/20/paloaltotrafficflood/) and the active exploitation of a SonicWall SMA 1000 zero-day (https://www.theregister.com/2025/12/18/sonicwallsma10000day/), suggest that complexity is working against defenders.
Fortinet is reportedly preparing additional releases, FortiOS 7.4.11, 7.6.6 and 8.0.0, to fully address CVE-2025-59718. In the meantime, logs shared by affected customers show the attackers authenticating via SSO as the account cloud-init@mail.io from the IP address 104.28.244.114 before creating new admin users. These indicators match Arctic Wolf's observations and similar exploitation attempts seen in December.
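The sequence Arctic Wolf describes (SSO login, new admin account, VPN or policy changes, configuration export, all within seconds) and the account and IP indicators quoted above can be turned into a triage check over FortiGate event logs. The script below is an added example and is not part of the original article or of Arctic Wolf's or Fortinet's material. It assumes the FortiOS key=value event-log format with the logdesc, user, ui, method, srcip, action, cfgpath and cfgobj fields; the sample lines are constructed for illustration, and treating a `method` or `ui` value containing "sso" as an SSO login and a `logdesc` containing "backup" as a configuration export are assumptions about how a given FortiOS build labels these events.

```python
import re
from datetime import datetime
from typing import Dict, List

# Indicators quoted in the article from logs shared by affected customers.
IOC_ACCOUNTS = {"cloud-init@mail.io"}
IOC_IPS = {"104.28.244.114"}

# FortiOS event logs are space-separated key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample, not real customer logs: one automated SSO compromise chain,
# one legitimate SSO admin making a change later, one local admin adding an account.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:41 type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.244.114)" method="sso" srcip=104.28.244.114 action="login" status="success" profile="super_admin"
date=2026-01-15 time=03:12:43 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"
date=2026-01-15 time=03:12:44 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="Edit" cfgpath="vpn.ssl.settings" msg="Edit vpn.ssl.settings"
date=2026-01-15 time=03:12:47 type="event" subtype="system" logdesc="Configuration backup" user="cloud-init@mail.io" ui="sso(104.28.244.114)" action="backup" msg="Configuration backup to local PC"
date=2026-01-15 time=09:30:02 type="event" subtype="system" logdesc="Admin login successful" user="jdoe" ui="sso(10.0.5.20)" method="sso" srcip=10.0.5.20 action="login" status="success" profile="super_admin"
date=2026-01-15 time=09:41:10 type="event" subtype="system" logdesc="Object attribute configured" user="jdoe" ui="sso(10.0.5.20)" action="Edit" cfgpath="firewall.address" cfgobj="web-servers" msg="Edit firewall.address web-servers"
date=2026-01-15 time=11:05:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.5.21)" method="https" srcip=10.0.5.21 action="login" status="success" profile="super_admin"
date=2026-01-15 time=11:05:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.5.21)" action="Add" cfgpath="system.admin" cfgobj="new-ops-admin" msg="Add system.admin new-ops-admin"
"""


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict (quotes stripped)."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV_RE.findall(line)}


def event_time(f: Dict[str, str]) -> datetime:
    return datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")


def classify(f: Dict[str, str]) -> str:
    """Map a parsed event to one step of the reported attack sequence, or '' if none."""
    desc = f.get("logdesc", "").lower()
    cfgpath = f.get("cfgpath", "")
    action = f.get("action", "").lower()
    if desc == "admin login successful" and f.get("status") == "success":
        # Assumption: SSO logins carry "sso" in the method or ui field.
        via_sso = "sso" in (f.get("method", "") + f.get("ui", "")).lower()
        return "sso_login" if via_sso else "login"
    if cfgpath == "system.admin" and action == "add":
        return "admin_added"
    if cfgpath.startswith(("vpn.", "firewall.")) and action in {"add", "edit", "delete"}:
        return "policy_change"
    if "backup" in desc:          # assumption: export shows up as a "backup" event
        return "config_export"
    return ""


def find_sso_chains(lines: List[str], window_s: int = 60) -> List[dict]:
    """Flag each SSO admin login followed, by the same user within window_s seconds,
    by admin-account creation or a configuration export. A login from an IOC account
    or IP is reported even when the rest of the chain is missing."""
    events = sorted((parse_fortios_line(l) for l in lines if l.strip()), key=event_time)
    findings = []
    for i, login in enumerate(events):
        if classify(login) != "sso_login":
            continue
        t0 = event_time(login)
        user, src = login.get("user", ""), login.get("srcip", "")
        steps = []
        for ev in events[i + 1:]:
            elapsed = (event_time(ev) - t0).total_seconds()
            if elapsed > window_s:
                break                          # events are time-ordered
            kind = classify(ev)
            if ev.get("user") == user and kind not in ("", "login", "sso_login"):
                steps.append((kind, ev.get("cfgpath") or ev.get("logdesc", ""), elapsed))
        ioc_hit = user in IOC_ACCOUNTS or src in IOC_IPS
        if ioc_hit or {k for k, _, _ in steps} & {"admin_added", "config_export"}:
            findings.append({"user": user, "srcip": src, "login_time": t0.isoformat(),
                             "ioc_hit": ioc_hit, "steps": steps,
                             "elapsed_s": max((e for _, _, e in steps), default=0.0)})
    return findings


def admin_account_changes(lines: List[str]) -> List[tuple]:
    """Every change to system.admin regardless of login method: the list to reconcile
    against the accounts the team actually provisioned."""
    rows = []
    for f in (parse_fortios_line(l) for l in lines if l.strip()):
        if f.get("cfgpath") == "system.admin":
            rows.append((f["date"] + " " + f["time"], f.get("user", ""),
                         f.get("action", ""), f.get("cfgobj", "")))
    return rows


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for hit in find_sso_chains(lines):
        flag = " [IOC MATCH]" if hit["ioc_hit"] else ""
        print(f"{hit['login_time']} {hit['user']} from {hit['srcip']}{flag}: "
              f"{len(hit['steps'])} actions within {hit['elapsed_s']:.0f}s")
        for kind, target, t in hit["steps"]:
            print(f"    +{t:.0f}s {kind:14} {target}")
    print("system.admin changes:", admin_account_changes(lines))
```

On the constructed sample only the cloud-init@mail.io login is flagged: the legitimate SSO admin's policy edit falls outside the 60-second window, and the local admin who adds an account over HTTPS shows up in the separate system.admin listing rather than as an SSO chain. Feeding real exported event logs into `find_sso_chains` gives the "monitor SSO activity" check; `admin_account_changes` gives the list to reconcile during the admin-account audit.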
Arctic Wolf advises organizations to act now rather than wait for the new builds: audit FortiGate admin accounts for unexpected additions, review recent configuration changes, rotate any credentials that were present in the configuration, and closely monitor SSO logins until the fixes are deployed. The bigger question remains: when threats evolve faster than defenses, can we ever truly stay ahead? Share your thoughts in the comments: is the complexity of modern security tools making us more vulnerable, or is it a necessary evil in the fight against cybercrime?