
New Wave of Attacks Targeting FortiGate Firewalls

Hackers bypass the FortiCloud SSO login authentication to create new accounts and change device configurations. The post New Wave of Attacks Targeting FortiGate Firewalls appeared first on SecurityWeek.

Firewall exploited

Threat actors are making configuration changes to FortiGate firewalls in a new wave of attacks reminiscent of a December 2025 campaign, security researchers warn.

Over the past week, Arctic Wolf observed automated attacks targeting FortiGate devices to create new user accounts, modify configurations for VPN access, and exfiltrate firewall data.

The activity, the cybersecurity firm notes, is similar to a month-old campaign targeting CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.8), two critical-severity authentication bypass vulnerabilities in Fortinet products.

The bugs, the vendor said in early December, allow attackers to bypass the FortiCloud SSO login authentication via crafted SAML response messages.

While the FortiCloud login feature is disabled by default, it is enabled when registering a new device to FortiCare from the device’s UI, unless the administrator specifically disables it.

Roughly a week later, Arctic Wolf warned that threat actors started exploiting the security defects against FortiGate firewalls three days after Fortinet announced patches for the two issues.

Now, the cybersecurity company says it has observed a new wave of malicious SSO logins on FortiGate appliances resulting in malicious configuration changes.

The attacks originated from a small number of hosting providers and typically targeted the cloud-init@mail.io account. Within seconds after login, the attackers exported device configurations, likely through automation.

According to Arctic Wolf, it is unclear whether the activity “is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719”.

Users on Reddit suggest that the December patches for the two Fortinet vulnerabilities were not complete, and that the vendor is working on fresh fixes for the bugs.

To prevent the exploitation of the two vulnerabilities, users are advised to disable the FortiCloud login feature by going to the settings menu and switching ‘Allow administrative login using FortiCloud SSO’ off.
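Alongside disabling the feature, defenders can look for the login-then-export sequence described above in device event logs. The following is an added detection example, not code from SecurityWeek, Arctic Wolf or Fortinet; the log lines are constructed, and the key="value" field names only approximate FortiGate event-log syntax (treat the exact names as an assumption to be mapped onto your own logs).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key="value" event-log syntax.
# Field names (action, method, cfgpath, ...) are an assumption, not verified.
SAMPLE_LOGS = """\
date=2026-01-12 time=10:15:01 type="event" subtype="system" action="login" status="success" user="cloud-init@mail.io" method="forticloud-sso" srcip=203.0.113.10
date=2026-01-12 time=10:15:04 type="event" subtype="system" action="backup" status="success" user="cloud-init@mail.io" srcip=203.0.113.10 msg="Configuration backup downloaded"
date=2026-01-12 time=10:15:06 type="event" subtype="system" action="Add" user="cloud-init@mail.io" cfgpath="system.admin" cfgobj="svc_backup"
date=2026-01-12 time=11:40:00 type="event" subtype="system" action="login" status="success" user="jsmith" method="https" srcip=192.0.2.5
date=2026-01-12 time=12:30:00 type="event" subtype="system" action="backup" status="success" user="jsmith" srcip=192.0.2.5 msg="Configuration backup downloaded"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime 'ts'."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields

def find_sso_followed_by_changes(lines, window_seconds=60):
    """Return alerts for a FortiCloud SSO login followed, within the window and
    by the same user, by a configuration export or a new admin account.
    Each alert is (user, srcip, follow-up action, seconds after login)."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("action") != "login" or ev.get("method") != "forticloud-sso":
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break                      # logs are time-ordered; stop at window end
            if later.get("user") != ev.get("user"):
                continue
            is_export = later.get("action") == "backup"
            is_new_admin = later.get("action") == "Add" and later.get("cfgpath") == "system.admin"
            if is_export or is_new_admin:
                delta = int((later["ts"] - ev["ts"]).total_seconds())
                alerts.append((ev["user"], ev.get("srcip"), later["action"], delta))
    return alerts

if __name__ == "__main__":
    for alert in find_sso_followed_by_changes(SAMPLE_LOGS.splitlines()):
        print("ALERT: SSO login by %s from %s followed by %s after %ds" % alert)
```

The ordinary HTTPS administrator login in the sample produces no alert, since only SSO logins followed quickly by an export or admin creation are flagged.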

Related: Fortinet Patches Critical Vulnerabilities in FortiFone, FortiSIEM

Related: Fortinet Warns of New Attacks Exploiting Old Vulnerability

Related: Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week

Related: Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability
