Urgent: FortiGate Firewalls Under Attack! SSO Bypass & Config Theft (2026)

Your FortiGate firewalls might be silently handing over the keys to your kingdom! It's a chilling scenario: attackers are sneaking past your defenses, not by brute force, but by a subtle manipulation of your Single Sign-On (SSO) systems, allowing them to pilfer sensitive configuration data and even create their own backdoor access.

This alarming trend was brought to light by the cybersecurity experts at Arctic Wolf. They've observed a coordinated surge in malicious activity, kicking off around January 15th. These digital intruders are targeting Fortinet's FortiGate appliances by exploiting compromised SSO accounts. What's particularly concerning is how swiftly and stealthily they operate, reconfiguring firewall settings, establishing hidden administrator accounts, and, most critically, exfiltrating entire configuration files.

But here's where it gets controversial... Arctic Wolf isn't pointing to a brand-new vulnerability. Instead, their analysis suggests this activity aligns with the exploitation of two critical authentication bypass bugs, identified as CVE-2025-59718 and CVE-2025-59719. While patches for these were released back in December, a growing number of administrators are reporting that their firewalls, even after being updated, are still falling victim. This raises a crucial question: Are the existing patches truly effective, or are attackers finding clever ways to circumvent them?

And this is the part most people miss... The stolen configuration files are a goldmine for attackers. They often contain deeply sensitive information, including credentials and detailed insights into your internal network architecture. Imagine an intruder not just getting into your house, but also finding a detailed blueprint of every room, every lock, and every valuable item inside – that's essentially what these exfiltrated configs provide.

Arctic Wolf noted that the speed of these intrusions is staggering, with multiple malicious actions occurring within seconds, strongly suggesting automated attack tools are at play. This isn't a slow, methodical hack; it's a rapid, almost instantaneous takeover.

Adding to the unease, discussions on platforms like Reddit reveal that affected administrators have been informed by Fortinet that FortiOS 7.4.10 may not fully resolve the SSO authentication bypass issue, despite the earlier patch for FortiOS 7.4.9. Reports of intrusions on seemingly up-to-date systems are becoming more frequent.

Fortinet is reportedly working on further releases – FortiOS 7.4.11, 7.6.6, and 8.0.0 – in the coming days to definitively address CVE-2025-59718. Meanwhile, logs from affected customers have shown attackers logging in via SSO using the identifier cloud-init@mail.io from the IP address 104.28.244.114, a pattern that matches Arctic Wolf's observations.

So, what should you do? Arctic Wolf strongly advises organizations to immediately audit their FortiGate administrator accounts, meticulously review recent configuration changes, rotate all credentials, and maintain vigilant monitoring of SSO activity. This is crucial until Fortinet's upcoming fixes are deployed and verified.
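To make the monitoring advice concrete, here is an added example (not from Arctic Wolf or Fortinet) that scans admin event logs for the pattern described above: an SSO login that matches the reported identifier or IP address, or that is followed within seconds by a configuration download or a new administrator account. The key=value layout, the field names (method, action, cfgpath and so on) and the sample lines are assumptions constructed for illustration, so map them to the fields your own log export actually uses.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted in the article above.
IOC_USERS = {"cloud-init@mail.io"}
IOC_IPS = {"104.28.244.114"}

# Constructed sample events; the key=value layout and field names are assumptions.
SAMPLE_LOG = """\
date=2026-01-20 time=03:14:07 user="cloud-init@mail.io" method="sso" srcip=104.28.244.114 action="login" status="success"
date=2026-01-20 time=03:14:09 user="cloud-init@mail.io" srcip=104.28.244.114 action="download" msg="System config file has been downloaded"
date=2026-01-20 time=03:14:11 user="cloud-init@mail.io" srcip=104.28.244.114 action="Add" cfgpath="system.admin" cfgobj="constructed-admin"
date=2026-01-20 time=09:02:00 user="alice" method="sso" srcip=192.0.2.10 action="login" status="success"
date=2026-01-20 time=09:40:00 user="alice" srcip=192.0.2.10 action="Edit" cfgpath="firewall.policy" cfgobj="12"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict with a parsed 'ts' timestamp."""
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev

def is_sensitive(ev):
    """Config export, or creation of a new administrator account."""
    if ev.get("action") == "download":
        return True
    return ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin"

def find_suspicious(log_text, window=timedelta(seconds=30)):
    """Flag SSO admin logins that match an indicator or are followed within
    `window` by a sensitive action from the same user."""
    lines = [l for l in log_text.splitlines() if "date=" in l and "time=" in l]
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for i, login in enumerate(events):
        if (login.get("method"), login.get("action"), login.get("status")) != ("sso", "login", "success"):
            continue
        followups = [(e["action"], e.get("cfgpath", "")) for e in events[i + 1:]
                     if e.get("user") == login.get("user")
                     and e["ts"] - login["ts"] <= window and is_sensitive(e)]
        ioc = login.get("user") in IOC_USERS or login.get("srcip") in IOC_IPS
        if followups or ioc:
            findings.append({"user": login.get("user"), "srcip": login.get("srcip"),
                             "time": login["ts"].isoformat(), "ioc_match": ioc,
                             "followups": followups})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The 30-second window is a starting point; a login flagged only by the timing rule (no indicator match) still deserves review, since the reported identifier and IP address can change between campaigns.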

Now, let's talk about it. Do you believe the current patches are insufficient, or are we seeing a new wave of sophisticated exploitation techniques? Share your thoughts in the comments below – let's get a discussion going!

Author: Manual Maggio
