- Attackers are exploiting a FortiGate SSO weakness to create rogue admin accounts.
- They are stealing firewall configuration data, likely using automation.
- FortiOS 7.4.10 may not fully fix the issue, more updates are expected soon.
- Stolen configs reveal network layout, VPNs, and rules, enabling deeper attacks.
Fortinet FortiGate devices are once again in the spotlight after researchers observed a fresh wave of automated attacks abusing a weakness tied to the platform’s single sign on functionality.
The goal appears straightforward and highly dangerous: silently create rogue administrator accounts, then export firewall configuration data that can hand attackers a detailed blueprint of an organization’s network.
Security analysts at Arctic Wolf reported seeing threat actors use what looks like a scripted process to move quickly across exposed systems. While the exact entry point has not been fully confirmed, the behavior strongly mirrors activity previously documented late last year, when attackers exploited two related flaws tracked as CVE 2025 59718 and CVE 2025 59719.
This time, the concern is not only the scale of the activity, but the possibility that a recent patch may not be doing the full job defenders hoped it would.
A patch that may not fully close the door
According to Arctic Wolf, the current campaign resembles the earlier wave closely enough to raise questions about whether attackers are leveraging the same underlying weakness or a closely related bypass. At the moment, researchers say it remains unclear whether the fix originally issued for the earlier vulnerabilities fully covers what is happening now.
Fortinet has reportedly acknowledged the issue, confirming that FortiOS version 7.4.10 does not completely resolve the vulnerability chain being abused. That matters because many organizations will have treated the update as the finish line, when in reality it may have only reduced the risk rather than eliminating it.
New releases are expected shortly, including FortiOS 7.4.11, 7.6.6, and 8.0.0, which are intended to fully address the problem. Meanwhile, scanning data indicates a large number of potentially exposed endpoints remain reachable online, creating an attractive target pool for attackers running automated tooling.
Why stolen firewall configuration data is so valuable
Firewall configuration exports are not just technical clutter. In the wrong hands, they are a map of how your environment works and where it is weakest.
Once attackers get that data, they can learn network topology details that reveal internal segments, trusted routes, and where sensitive systems likely live. They can identify VPN configurations, authentication methods, and remote access policies that could help them pivot deeper into the organization. They can also review security rules to find allowed services, open ports, and exceptions that can be abused for stealthy movement.
In other words, even if an attacker does not immediately deploy malware or ransomware, the information alone can be enough to plan a more damaging follow up intrusion. It can also be packaged and sold, giving other criminals a head start against the same victim. In environments connected to partners, suppliers, or managed service providers, the blast radius can expand quickly.
That is what makes these attacks especially alarming. The initial compromise might be quiet, but the intelligence gathered can enable long term access, repeat breaches, and targeted disruption later.
What organizations should do right now
With an incomplete fix in circulation and updated releases still rolling out, the immediate priority is risk reduction. If your organization relies on FortiGate appliances, treat this as an active threat scenario rather than a theoretical vulnerability.
Review administrative account lists and look for unexpected new users or privilege changes. Audit configuration export activity, especially if it occurred outside normal maintenance windows.
Check logs for suspicious authentication events tied to SSO or cloud-linked login workflows. If you find signs of compromise, rotate credentials, revoke tokens, and assume firewall rules and VPN details may already be known to an adversary.
Some guidance suggests temporarily disabling FortiCloud login functionality as a defensive move until the full patch set is available and deployed. That may not be practical for every environment, but it can reduce exposure in the short term if your operational model allows it.
Most importantly, once Fortinet’s fully remediating versions are released, prioritize updating quickly. This is the kind of vulnerability class attackers love because it can be exploited at scale with minimal effort, and the payoff is high value data.
Follow TechBSB For More Updates
