- Hackers Leverage Fortinet FortiGate SSO Bug to Steal Firewall Configuration Data
- FortiOS 7.4.10 patch incomplete; new releases planned to fully fix the vulnerability
- Stolen firewall data exposes network topology, VPNs, and security rules to future attacks
Cybercriminals appear to be exploiting a hole in a recent patch for Fortinet FortiGate instances and are exploiting the vulnerability to create administrator accounts and steal firewall configuration data.
Security researchers at Arctic Wolf said they saw hackers abusing a bug in the single sign-on (SSO) feature to create accounts and export firewall settings, most likely through an automated script.
The activity is similar to what was observed in December, when threat actors abused two flaws: CVE-2025-59718 and CVE-2025-59719.
New versions in process
“While the parameters of the initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025,” Arctic Wolf said in its report.
“It is not known at this time if the latest observed threat activity is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719.”
Fortinet has apparently confirmed the reports, saying that FortiOS version 7.4.10 does not completely fix the aforementioned vulnerability.
There are already several versions in the works, namely 7.4.11, 7.6.6 and 8.0.0, which should completely resolve this issue. These versions are scheduled to be released in a few days. According to Shadowserver data, there are more than 10,000 vulnerable endpoints.
The attacks are quite dangerous. Firewall configuration data reveals the complete network topology, security rules, VPN configuration, and authentication mechanisms, allowing criminals to identify exposed services, bypass controls, move laterally, and maintain or regain access over VPNs or trusted connections.
The data can also be used to attack networks of connected partners or sold to other threat actors.
If your organization is at risk, until Fortinet fixes things, consider temporarily disabling the FortiCloud login feature. You can also run these commands:
global configuration system
configure admin-forticloud-sso-login disable
end
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
