- Hackers are exploiting Fortinet FortiGate SSO flaws to steal firewall configuration data
- FortiOS 7.4.10 patch incomplete; new versions planned to fully fix vulnerability
- Stolen firewall data exposes network topology, VPNs and security rules for further attacks
Cybercriminals appear to be exploiting a gap in a recent Fortinet FortiGate patch, using the still-open vulnerability to create administrator accounts and steal firewall configuration data.
Security researchers at Arctic Wolf said they saw hackers exploit a flaw in the FortiCloud single sign-on (SSO) feature to create administrator accounts and export firewall configurations, likely via an automated script.
The activity resembles a campaign observed in December 2025, in which threat actors exploited two flaws, CVE-2025-59718 and CVE-2025-59719.
New versions on the way
“Although the parameters of initial access details have not been fully confirmed, the current campaign is similar to a campaign described by Arctic Wolf in December 2025,” Arctic Wolf said in its report.
“It is not known at this time whether the latest threat activity observed is fully covered by the patch that originally addressed CVE-2025-59718 and CVE-2025-59719.”
Fortinet has reportedly confirmed the findings, saying that FortiOS 7.4.10 does not fully address the vulnerability.
Several releases are already in the pipeline, namely 7.4.11, 7.6.6 and 8.0.0, which should fully resolve the issue; they are scheduled to ship within days. According to Shadowserver data, more than 10,000 vulnerable endpoints are exposed on the internet.
The attacks are quite dangerous. Firewall configuration data reveals the full network topology, security rules, VPN settings and authentication mechanisms, letting attackers identify exposed services, bypass controls, move laterally, and maintain or regain access through VPNs or trusted connections.
The data can also be used to attack connected partner networks or sold to other threat actors.
If your organization runs an affected version, consider temporarily disabling FortiCloud SSO login for administrators until the fixed releases are available. From the FortiOS CLI:
config system global
    set admin-forticloud-sso-login disable
end
Disabling the login path does not remove accounts an attacker has already created, so also review the administrator list and any configuration exports made since the original patch.
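As an added example (not the article's or Fortinet's own code), the Python script below audits the text of a FortiOS configuration backup, the same kind of file the attackers are exporting, for the three things this page turns on: a firmware build older than the fixed releases named above, FortiCloud SSO login still enabled, and super_admin accounts you did not create. The sample backup is constructed, the KNOWN_ADMINS list and the per-branch fixed versions are assumptions taken from the article, and treating a missing setting as "enable" is an assumption about the default.

```python
"""Audit a FortiOS configuration backup for the points discussed above.

Added example, not the article's or Fortinet's code. The sample config is
constructed; the parser follows the FortiOS CLI syntax (config / edit / set /
next / end) used in configuration backups.
"""
import re
import shlex

# Assumption: per-branch fixed releases as listed in the article (7.4.11,
# 7.6.6, 8.0.0); anything older on the same branch is reported.
FIXED_BY_BRANCH = {(7, 4): (7, 4, 11), (7, 6): (7, 6, 6), (8, 0): (8, 0, 0)}

# Assumption: the administrator accounts your organisation expects to exist.
KNOWN_ADMINS = {"admin"}

# Constructed sample: a backup from a 7.4.10 unit with SSO login enabled and
# an extra super_admin account that nobody remembers creating.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.10-FW-build2681-250415:opmode=0:vdom=0:user=admin
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "fortinet_support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""


def parse_fortios_config(text):
    """Parse nested config/edit blocks into dicts.

    'config system global' becomes cfg["system global"], mapping each 'set'
    key to its argument list; table entries ('edit "name"') become nested
    dicts keyed by name. Lines starting with '#' are skipped.
    """
    tree = {}
    current = tree
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(current)
            current = current.setdefault(" ".join(args), {})
        elif keyword == "edit":
            stack.append(current)
            current = current.setdefault(args[0], {})
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword in ("next", "end"):
            current = stack.pop()
        # unset/append and other keywords are irrelevant to this audit
    return tree


def firmware_version(text):
    """Return (major, minor, patch) from the '#config-version=' header, or None."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(text):
    """Return a list of human-readable findings for one config backup."""
    cfg = parse_fortios_config(text)
    findings = []

    version = firmware_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2]) if version else None
    if fixed and version < fixed:
        findings.append("firmware %s predates fixed release %s"
                        % (".".join(map(str, version)), ".".join(map(str, fixed))))

    # Assumption: a setting absent from the backup is at its default, 'enable'.
    sso = cfg.get("system global", {}).get("admin-forticloud-sso-login", ["enable"])[0]
    if sso != "disable":
        findings.append("admin-forticloud-sso-login is '%s'; set it to disable until patched" % sso)

    # Accounts created by the attackers would appear here as super_admin
    # users that are not on the expected list.
    for name, attrs in cfg.get("system admin", {}).items():
        if attrs.get("accprofile", [""])[0] == "super_admin" and name not in KNOWN_ADMINS:
            findings.append("unexpected super_admin account '%s'" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a real backup by reading the file into `audit()`; the parser keeps the full nested tree, so the same structure can be extended to check VPN and trusted-host settings that the stolen configs expose.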
Via Bleeping Computer