- Hackers exploit Fortinet FortiGate SSO bug to steal firewall configuration data
- FortiOS 7.4.10 patch is incomplete; new versions planned to completely fix the vulnerability
- Stolen firewall data exposes network topology, VPNs and security rules for new attacks
Cybercriminals appear to be taking advantage of a flaw in a recent patch for Fortinet FortiGate instances and are exploiting the vulnerability to create administrator accounts and steal firewall configuration data.
Security researchers at Arctic Wolf said they have seen hackers exploit a bug in the single sign-on (SSO) feature to create accounts and export firewall configurations, likely via an automated script.
This activity is similar to that observed in December, when malicious actors abused two vulnerabilities: CVE-2025-59718 and CVE-2025-59719.
New versions in preparation
“While the parameters of the initial access details have not been fully confirmed, the current campaign bears similarities to a campaign described by Arctic Wolf in December 2025,” Arctic Wolf said in its report.
“It is currently unclear whether the latest observed threat activity is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719.”
Fortinet has apparently confirmed this information, saying that FortiOS version 7.4.10 does not completely fix the vulnerability mentioned above.
Several versions are already in preparation, namely 7.4.11, 7.6.6 and 8.0.0, which should completely resolve this issue. These versions should be released in a few days. According to Shadowserver data, there are more than 10,000 vulnerable endpoints.
The attacks are quite dangerous. Firewall configuration data reveals the complete network topology, security rules, VPN settings, and authentication mechanisms, allowing cybercriminals to identify exposed services, bypass controls, move laterally, and maintain or regain access through VPNs or trusted connections.
The data may also be used to attack connected partner networks or sold to other malicious actors.
If your organization is at risk, while you wait for Fortinet to fix the problem, consider temporarily disabling the FortiCloud login feature. You can also run these commands:
global configuration system
set login disable admin-forticloud-sso-login
END
Via BeepComputer
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
