Quick Takeaways
-
A threat actor has gained unauthorized access to Fortinet firewalls via SSO logins, prompting concerns that the patch for a previous authentication vulnerability (CVE-2025-59718) may not be fully effective.
-
This attack, observed starting January 15, involved creating generic accounts with VPN access and rapidly exfiltrating firewall configurations, indicating a potentially automated process.
-
Users have reported compromises of patched devices, raising suspicions that the mitigation measures for the known vulnerabilities may be inadequate or incomplete.
-
Arctic Wolf Labs recommends temporarily disabling FortiCloud SSO login features to bolster security and urges impacted administrators to reset compromised credentials immediately.
Fortinet Firewalls Face Security Breach
Over the past week, threat actors compromised Fortinet firewalls via single sign-on (SSO) logins. This raises concerns about the effectiveness of previously released patches for identified vulnerabilities. Researchers at Arctic Wolf Labs noted that the malicious activity began on January 15, targeting FortiGate devices. After gaining access, the attackers created generic accounts, granted VPN access, and exfiltrated firewall configurations. This incident mirrors a recent campaign documented by Arctic Wolf that followed the announcement of critical vulnerabilities.
Despite reportedly patched vulnerabilities, some users have reported malicious logins on updated FortiGate devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed the primary flaw, CVE-2025-59718, in its Known Exploited Vulnerabilities catalog. However, it remains unclear whether the latest attacks are fully covered by the initial patches. Observers express concern, particularly since users reported breaches even after updates, suggesting that the patches might not have provided complete protection.
Possible Automated Attacks on Fortinet Firewalls
Subsequent activities from the attackers appeared rapid and organized. Arctic Wolf Labs suggested these actions had the hallmark of automated processes, as multiple follow-up activities occurred almost instantaneously. The researchers reported that compromised configuration data was sent to specific IP addresses across various regions. While the timeline of events indicates potential automation, there is no confirmation that artificial intelligence played a role in the onslaught.
To mitigate risks, Arctic Wolf recommends restricting access to firewall and VPN management interfaces to trusted networks. If malicious logins are detected, administrators should quickly reset firewall credentials, as attackers can crack hashes, particularly those that are weak. As a precautionary measure, the team urged customers to consider temporarily disabling the FortiCloud SSO login feature on their devices. The recent incidents mark another chapter in ongoing concerns for Fortinet customers as vulnerabilities continue to emerge throughout the year.
Expand Your Tech Knowledge
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Access comprehensive resources on technology by visiting Wikipedia.
CyberRisk-V1
