Security researchers have identified a wave of automated attacks on Fortinet firewalls that abuse weaknesses in FortiCloud Single Sign-On (SSO). The attacks grant administrative access to the firewall without any valid username or password, after which the attacker can change critical firewall settings. The activity has been confirmed in production environments.
The attacks are linked to two serious vulnerabilities, CVE-2025-59718 and CVE-2025-59719, in the way FortiCloud SSO authentication is processed on the device. By sending a specially crafted SAML login request, an attacker can bypass the authentication check, so the firewall treats the attacker as a legitimate administrator.
Security researchers first noticed suspicious activity in mid-December 2025, when attackers were seen logging in through SSO and immediately changing firewall configurations. A second, more aggressive wave began around mid-January 2026. Many of these intrusions appeared fully automated and were completed within minutes.
After gaining access, attackers typically create new administrator accounts to keep control of the device. In some cases they enable VPN access or modify firewall rules to leave themselves a way back in. Attackers also export the full configuration file from the device. That file may contain sensitive information such as network details and stored credentials, so anything in it should be treated as exposed once an export has occurred.
Not every Fortinet device is exposed by default, but many are. FortiCloud SSO is usually disabled out of the box, yet it can be switched on as part of registering the device with FortiCloud, and administrators may not notice the change while setting up cloud services. As a result, a number of devices have been left vulnerable without their owners realising it.
Fortinet has acknowledged the issue and released security updates for the affected products, and strongly advises applying the latest patches as soon as possible. As an interim measure, administrators who do not need FortiCloud SSO should disable it, which closes the vulnerable login path until the device is patched.
Organizations should also review their firewall logs, in particular administrator login events and configuration-change events. Signs of compromise include unknown administrator accounts, unexpected configuration exports, and SSO logins at unusual times or from unfamiliar addresses. If a breach is suspected, every credential stored on or used by the device should be reset immediately, since an exported configuration exposes them. Management access should also be restricted to trusted internal networks.
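The log review described above can be scripted. The following Python is an added example written for this article, not Fortinet's tooling or code from the original report. It runs over constructed sample events in a FortiGate-style key=value layout; the field names follow that layout loosely, but the exact logdesc strings and the method="sso" marker are assumptions for the example and must be checked against the FortiOS log reference for your version. It flags the three indicators named in the article (unknown admin accounts, configuration exports, SSO logins from outside trusted management networks) and escalates any change made within minutes of an SSO login by the same user and address, which is the automated pattern the researchers observed.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real device output). The key=value layout and the
# date/time/user/srcip/action/cfgpath fields mirror FortiGate event logs loosely;
# the exact logdesc strings and the method="sso" marker are assumptions for this
# example and must be checked against the FortiOS log reference for your version.
SAMPLE_LOGS = [
    'date=2026-01-14 time=02:11:05 type="event" subtype="system" logdesc="Admin login successful" '
    'user="fortiadmin_sso" method="sso" srcip=203.0.113.45 action="login" status="success"',
    'date=2026-01-14 time=02:11:31 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="fortiadmin_sso" srcip=203.0.113.45 action="Add" cfgpath="system.admin" cfgobj="support_tmp"',
    'date=2026-01-14 time=02:12:10 type="event" subtype="system" logdesc="Configuration backup" '
    'user="fortiadmin_sso" srcip=203.0.113.45 action="backup" status="success"',
    'date=2026-01-14 time=09:30:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" method="https" srcip=10.0.5.20 action="login" status="success"',
    'date=2026-01-14 time=09:45:12 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="netops" srcip=10.0.5.20 action="Edit" cfgpath="firewall.policy" cfgobj="42"',
]

KNOWN_ADMINS = {"netops", "fortiadmin_sso"}        # accounts the owner recognises (assumed)
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]     # where admin access is expected from (assumed)
CORRELATION_WINDOW = timedelta(minutes=10)         # "log in, then act within minutes"
SENSITIVE_CFGPATHS = ("firewall.policy", "vpn.")   # persistence paths named in the article

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def from_trusted_net(ip):
    """True if the address falls inside an expected management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def triage(lines):
    """Return (severity, timestamp, message) findings for the indicators in the article."""
    findings = []
    sso_logins = {}  # (user, srcip) -> time of most recent SSO admin login
    for ev in map(parse_event, lines):
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("logdesc") == "Admin login successful":
            trusted = from_trusted_net(ev.get("srcip", ""))
            if ev.get("method") == "sso":
                sso_logins[key] = ev["ts"]
                if not trusted:
                    findings.append(("high", ev["ts"],
                                     f"SSO admin login as {ev['user']} from untrusted {ev['srcip']}"))
            elif not trusted:
                findings.append(("medium", ev["ts"],
                                 f"admin login as {ev['user']} from untrusted {ev['srcip']}"))
            continue

        # Actions taken soon after an SSO login by the same user/IP match the
        # automated "log in, then change config" pattern and are escalated.
        after_sso = key in sso_logins and ev["ts"] - sso_logins[key] <= CORRELATION_WINDOW
        cfgpath = ev.get("cfgpath", "")
        if cfgpath == "system.admin" and ev.get("action") == "Add":
            if ev.get("cfgobj") not in KNOWN_ADMINS:
                findings.append(("critical" if after_sso else "high", ev["ts"],
                                 f"unknown admin account '{ev['cfgobj']}' created by {ev['user']}"))
        elif ev.get("logdesc") == "Configuration backup":
            findings.append(("critical" if after_sso else "medium", ev["ts"],
                             f"configuration exported by {ev['user']} from {ev['srcip']}"))
        elif after_sso and cfgpath.startswith(SENSITIVE_CFGPATHS):
            findings.append(("high", ev["ts"],
                             f"{cfgpath} changed by {ev['user']} shortly after SSO login"))
    return findings


if __name__ == "__main__":
    for sev, ts, msg in triage(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{sev.upper():8}] {msg}")
```

On the sample data the script produces three findings: the SSO login from an untrusted address, and the admin-account creation and configuration export that follow it within two minutes, both escalated to critical because of the correlation. The later HTTPS login and policy edit from the management network produce nothing. To run this against a real device, feed it the exported event log and replace the assumed logdesc and method values, the known-admin list and the trusted networks with your own.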
This incident highlights the growing risk to network security devices themselves. Firewalls are critical assets, and compromising one can give attackers deep control over a network. Because these attacks do not rely on stolen or guessed passwords, they leave no trail of failed logins; the only trace is a successful SSO login followed by configuration changes, which makes them harder to detect. Immediate action is essential to prevent long-term damage.
Stay alert, and keep your security measures updated!
Source: cybersecurity88