www.darkreading.com, 1/22/2026, 9:41:05 PM

Fortinet Firewalls Hit With Malicious Configuration Changes


Fortinet firewalls have been hit by malicious configuration changes after attackers gained access through single sign-on (SSO) logins, with Arctic Wolf Labs reporting activity beginning on Jan 15 that included creating generic accounts, granting VPN access, and exfiltrating firewall configurations.

The researchers note that the activity, which appears automated, mirrors a prior campaign documented after the disclosure of two critical Fortinet vulnerabilities, CVE-2025-59718 and CVE-2025-59719, and that CVE-2025-59718 enables bypass of FortiCloud SSO login authentication.

Fortinet released patches for both flaws, and CVE-2025-59718 was observed exploited in the wild, with the US Cybersecurity and Infrastructure Security Agency adding it to the Known Exploited Vulnerabilities (KEV) catalog shortly after Arctic Wolf’s initial December report.

The investigation also references unconfirmed reports of compromised, patched FortiGate devices, suggesting patches may not fully mitigate the vulnerability, and researchers urge Fortinet customers to restrict access to firewall and VPN management interfaces to trusted internal networks. The team emphasises a cautious stance, noting that it is unclear whether the latest activity is fully covered by the patch and that some patched devices have still shown signs of compromise.
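The activity the article describes (new generic accounts, VPN access grants, configuration exports, all from the same SSO-authenticated session) is exactly the kind of change a defender can pick out of a firewall's own event log. The script below is an added example written for this page, not code from Dark Reading, Arctic Wolf Labs or Fortinet. It parses constructed sample lines in a FortiOS-style key="value" event-log format and flags the three change types. The field names it keys on (cfgpath, cfgobj, action, user, ui, logdesc, msg) and the cfgpath prefixes in WATCH_PATHS are assumptions modelled on that format and should be checked against the vendor's log reference before use on real data.

```python
"""Review firewall event logs for account creation, VPN-group changes and
configuration exports, and group hits by the session that made them.

Log lines are CONSTRUCTED samples in a FortiOS-style key="value" layout.
Field names (cfgpath, cfgobj, action, user, ui, logdesc, msg) and the
cfgpath prefixes below are ASSUMPTIONS, not verified vendor identifiers.
"""
import re
from collections import Counter
from dataclasses import dataclass

# key=value or key="quoted value" tokens; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed cfgpath prefixes whose Add/Edit events deserve review
WATCH_PATHS = {
    "system.admin": "administrator account change",
    "user.local": "local user account change",
    "user.group": "user/VPN group membership change",
    "vpn.ssl.settings": "SSL VPN settings change",
}


@dataclass
class Finding:
    reason: str   # which rule fired
    user: str     # account that made the change
    source: str   # management UI / source address (assumed 'ui' field)
    detail: str   # object or message for the analyst


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def review(lines):
    """Return a Finding for every suspicious config change, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "event":        # traffic/UTM logs are irrelevant here
            continue
        path, action = ev.get("cfgpath", ""), ev.get("action", "")
        user, source = ev.get("user", "?"), ev.get("ui", "?")
        for prefix, reason in WATCH_PATHS.items():
            if path.startswith(prefix) and action in ("Add", "Edit"):
                detail = f"{action} {path} {ev.get('cfgobj', '')}".strip()
                findings.append(Finding(reason, user, source, detail))
        # Configuration exports match the exfiltration step in the article
        if "backup" in ev.get("logdesc", "").lower():
            findings.append(Finding("configuration export", user, source,
                                    ev.get("msg", "")))
    return findings


def by_session(findings):
    """Count findings per (user, source); a burst from one session with
    several change types is the pattern of scripted post-access activity."""
    return Counter((f.user, f.source) for f in findings)


# CONSTRUCTED sample lines: one SSO-backed session adds a generic account,
# grants it VPN group membership and exports the config; plus benign noise.
SAMPLE_LOG = [
    'date=2026-01-15 time=03:12:07 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="sso_admin" '
    'ui="https(198.51.100.23)" action="Add" cfgpath="user.local" '
    'cfgobj="support" msg="Add user.local support"',
    'date=2026-01-15 time=03:12:09 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="sso_admin" '
    'ui="https(198.51.100.23)" action="Edit" cfgpath="user.group" '
    'cfgobj="sslvpn-users" cfgattr="member[support]" '
    'msg="Edit user.group sslvpn-users"',
    'date=2026-01-15 time=03:14:41 type="event" subtype="system" '
    'logdesc="Configuration backup" user="sso_admin" '
    'ui="https(198.51.100.23)" action="backup" '
    'msg="Configuration backup by user sso_admin"',
    'date=2026-01-15 time=08:00:02 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" '
    'action="login" msg="Administrator admin logged in successfully"',
    'date=2026-01-15 time=08:05:30 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=10.0.0.9 action="accept"',
]

if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.reason}] {f.user} via {f.source}: {f.detail}")
    for (user, src), n in by_session(hits).items():
        print(f"{n} flagged changes from {user} via {src}")
```

Run as-is it reports the three changes from the sso_admin session and nothing for the routine admin login or the traffic record. The per-session count is the useful pivot: one session that creates an account, grants VPN access and exports the configuration within minutes matches the automated pattern the researchers describe, whereas the same three events spread across different administrators over a week usually do not.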


Article by CyberSIXT