FortiGate Patch Fails: Attackers Still Exploiting SSO Bypass

Fortinet FortiGate devices are under active attack despite patches released in December, with Arctic Wolf reporting automated campaigns that create rogue admin accounts and exfiltrate firewall configurations within seconds of compromise. Affected admins say Fortinet has privately acknowledged that FortiOS 7.4.10 doesn't fully remediate the SSO authentication bypass.

This is a developing situation. Fortinet is preparing emergency releases—FortiOS 7.4.11, 7.6.6, and 8.0.0—to address the bypass, but until those ship, organizations using FortiCloud SSO should disable the feature immediately.

What's Happening

Arctic Wolf observed a wave of automated attacks starting January 15 that target FortiGate appliances via compromised SSO accounts. The attacks follow a consistent, script-driven pattern:

1. Attackers perform malicious SSO logins using the "admin" account
2. Within seconds, they export the full firewall configuration via the GUI
3. They create a second admin account for persistence (common names: "secadmin", "itadmin", "support", "backup", "remoteadmin", "audit")
4. They modify VPN and firewall rules to enable future access

The speed suggests automation rather than hands-on-keyboard activity. Configuration files often contain credentials and internal network details—exactly what attackers need to plan their next move.

The Patch Bypass Problem

We covered the initial CVE-2025-59718 and CVE-2025-59719 disclosures in December when exploitation began just three days after patch release. At the time, FortiOS 7.4.9 was supposed to fix the SSO authentication bypass.

The situation has worsened. Affected admins on Reddit report that even FortiOS 7.4.10 doesn't fully address the flaw. Fortinet has privately acknowledged the issue and is preparing additional patches.

In a new advisory, Fortinet said it identified a fresh attack path being used to abuse SAML-based SSO even on systems with the earlier fix applied. The authentication bypass allows unauthenticated attackers to forge SAML responses and gain administrative access without credentials.

Indicators of Compromise

Arctic Wolf shared specific indicators from observed attacks:

• Source IP: 104.28.244.114
• Login Account: [email protected] (used for malicious SSO login)
• New Admin Accounts: Look for unexpected accounts named secadmin, itadmin, support, backup, remoteadmin, or audit
• Configuration Downloads: Check logs for unexpected configuration exports

Review admin account lists and recent configuration changes. If you see accounts you didn't create or changes you didn't make, assume compromise.

Immediate Mitigation

Until Fortinet's new patches arrive, disable FortiCloud SSO:

Via GUI:

1. Navigate to System → Settings
2. Find "Allow administrative login using FortiCloud SSO"
3. Switch to Off

Via CLI:

config system global
set admin-forticloud-sso-login disable
end

This removes the vulnerable authentication pathway. Admins will need to use local credentials or other authentication methods until a complete patch is available.

Who's Affected

Any organization using FortiGate devices with FortiCloud SSO enabled should treat this as urgent. The vulnerability affects:

• BIG-IP iSeries and rSeries hardware
• FortiOS (F5OS) and FortiOS (TMOS)
• Virtual Edition (VE) deployments
• BIG-IP Next and BIG-IQ

The CISA Emergency Directive ED 26-01 from October already mandated federal agencies to address F5 vulnerabilities following nation-state targeting of this infrastructure. While that directive focused on F5 source code exposure, the pattern of attackers targeting network infrastructure continues.

Why This Matters

Network perimeter devices like FortiGate firewalls sit at the boundary between organizations and the internet. When attackers compromise these devices, they gain:

• Network visibility through configuration files showing internal architecture
• Credential access since configs often contain service account passwords and API keys
• Persistent access through newly created admin accounts
• VPN capabilities after modifying remote access rules

The automated nature of these attacks suggests organized activity. Script-driven exploitation that completes within seconds points to either sophisticated criminal operations or state-sponsored groups staging for larger campaigns.

For readers tracking broader vulnerability trends, this incident reinforces a frustrating pattern: patches that don't fully work, forcing defenders into an extended response while attackers exploit the gap. Organizations should review their ransomware defense posture since credential theft and network access are common precursors to ransomware deployment.

What to Do Now

1. Disable FortiCloud SSO immediately using the steps above
2. Audit admin accounts for any unexpected additions
3. Review configuration change logs for unauthorized exports or modifications
4. Rotate credentials for any service accounts referenced in firewall configurations
5. Monitor for Fortinet's upcoming patches (7.4.11, 7.6.6, 8.0.0) and apply immediately when available
6. Check network logs for connections from 104.28.244.114

The situation remains fluid. We'll update this article as Fortinet releases patches or provides additional guidance.