The false sense of security provided by a software patch has been shattered for many Fortinet customers, as a new wave of cyberattacks is successfully compromising FortiGate firewalls by exploiting a critical single sign-on vulnerability that was supposedly fixed. Security researchers at Arctic Wolf Labs have identified an extensive and ongoing malicious campaign that began around January 15, revealing that an unidentified threat actor is actively bypassing security measures to gain administrative access to corporate networks. This alarming development, first brought to light on January 22, has since been confirmed by Fortinet itself, raising serious questions about the effectiveness of its initial mitigation efforts and leaving a significant number of organizations exposed to persistent threats. The incident underscores a harsh reality in cybersecurity: the battle is never truly over, and a determined adversary can often find new ways to exploit a known weakness.
The Ineffective Patch and Renewed Exploitation
The core of this security incident traces back to a previously disclosed and highly critical vulnerability, CVE-2025-59718, which was known to be exploited in the wild. This authentication bypass flaw was so severe that it was quickly added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, a list of security flaws that require immediate attention from federal agencies. Following the initial disclosure and a documented attack campaign in December, Fortinet released firmware updates intended to remediate the issue. Customers who diligently applied these patches believed their systems were secure. However, this sense of protection proved to be premature, as the threat actor either discovered a flaw in the patch itself or identified an entirely new method to achieve the same result, leading to a resurgence of successful compromises against devices that were thought to be protected.
The first warnings of the patch’s failure came not from official channels, but from the front lines of network administration. Users on community forums, including the r/Fortinet subreddit, began reporting that their fully patched FortiGate devices were showing signs of unauthorized access, with activity mirroring the previously documented attacks. These anecdotal reports were soon validated by security researchers and, ultimately, by Fortinet. In an official statement, Chief Information Security Officer (CISO) Carl Windsor confirmed the community’s fears, acknowledging that the initial firmware updates were incomplete. He stated that a “new attack path” had been identified that affected devices upgraded to the supposedly fixed versions. This confirmation transformed user suspicion into a confirmed, active threat, highlighting a critical breakdown in the patching process and forcing the company to go back to the drawing board for a comprehensive solution.
Anatomy of a High-Speed Breach
Once an attacker successfully breaches a FortiGate device using the flawed SSO mechanism, they execute a series of malicious actions with remarkable speed and efficiency. The entire post-exploitation sequence—which includes creating new generic user accounts, granting these accounts full VPN access, and exfiltrating the device’s complete configuration files—occurs within seconds of the initial unauthorized login. This high-speed execution strongly suggests the use of sophisticated, automated scripts or tools. Such automation allows the threat actor to compromise a large number of devices across various geographical regions in a very short period, maximizing their impact before defenders have a chance to react. The stolen configuration data is then funneled to a small, specific set of IP addresses controlled by the attacker, providing them with the intelligence needed for the next phase of their operation. The exfiltration of the firewall configuration is arguably the most critical and damaging step in the attack chain, as this data provides the adversary with a complete blueprint of the victim’s network security posture. This file contains a wealth of sensitive information, including all firewall rules, the network topology, and, most importantly, hashed user credentials for all administrative accounts. Arctic Wolf Labs warns that it is a common practice for threat actors to take these hashed credentials offline and use powerful computing resources to crack them. Passwords that are weak or based on dictionary words are particularly susceptible to this type of attack. A single cracked password can lead to the compromise of additional accounts and systems within the organization, enabling the attacker to move laterally across the network and escalate their privileges, turning a perimeter breach into a deep and pervasive intrusion.
Official Response and Broader Implications
Fortinet’s official response, delivered by CISO Carl Windsor in a blog post, definitively confirmed the community’s and researchers’ fears. He acknowledged that a “small number of customers” had reported login activity similar to the previously known issue but made the critical admission that fully patched devices were being successfully exploited. This discovery pointed to a “new attack path” that the original patch had failed to address. Windsor assured customers that Fortinet’s product security team had identified the underlying cause and was actively developing a new, more comprehensive fix. Significantly, he clarified that while the observed attacks specifically targeted FortiCloud SSO logins, the vulnerability’s scope is much broader, affecting “all SAML SSO implementations” on FortiGate devices. This clarification dramatically expanded the pool of potentially vulnerable customers beyond those who exclusively use FortiCloud, putting any organization using SAML-based single sign-on at risk.
In light of the active exploitation and the inadequacy of the existing patch, Arctic Wolf Labs provided clear and urgent guidance for Fortinet customers to protect their systems from this ongoing threat. The primary recommendation was to immediately implement network-level access controls, restricting management access to both the firewall and VPN interfaces to trusted, internal IP addresses only. This critical step can prevent the attacker from ever reaching the vulnerable login interface from the public internet. For any device where a malicious login has been detected, administrators were urged to assume that all hashed credentials stored on the firewall had been compromised. Consequently, an immediate and mandatory password reset for all firewall administrator accounts was deemed essential. Furthermore, given that the attack vector is the SSO login itself, researchers endorsed Fortinet’s original workaround for the vulnerability: temporarily disabling the FortiCloud SSO login feature entirely until a new, effective patch is developed and deployed. This action directly closed the identified attack path, albeit at the cost of operational convenience, and stood as the most reliable defense in the interim. This incident was part of a wider pattern of recent security challenges for Fortinet, as it followed the exploitation of another critical vulnerability in the FortiSIEM platform just the previous week, underscoring the persistent and evolving threat landscape that network security appliance users faced.