FORTINET is investigating a new wave of attacks on FortiGate devices that have already been patched against known vulnerabilities, with threat actors apparently exploiting a “new attack path” that defeats current defences. The exploits target CVE-2025-59718 and CVE-2025-59719, for which patches had already been issued, by abusing the FortiCloud SSO feature to bypass authentication.
According to Fortinet, in the last 24 hours there have been cases where the exploit succeeded on devices that were fully upgraded to the latest release at the time of the attack. The attackers are logging in with generic cloud-themed accounts such as cloud-noc@mail[.]io and cloud-init@mail[.]io, establishing persistence by creating local administrative accounts, often named audit, backup, itadmin, secadmin or support.
They also appear to have switched to using Cloudflare-protected IPs, with observed addresses including 104.28.244[.]115 and 104.28.212[.]114. Fortinet recommends immediately disabling the vulnerable FortiCloud SSO feature if it is not strictly necessary (via the CLI command set admin-forticloud-sso-login disable), and restricting administrative access to trusted internal IPs with a local-in policy.
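The indicators above (the cloud-themed login names, the persistence admin account names and the two observed IPs) translate directly into a log-review check. The following script is an added example written for this article, not Fortinet's own tooling: it parses FortiGate-style key=value event log lines, refangs the defanged indicators quoted in the text, and flags admin logins by the named accounts, configuration events that create or touch local admin objects with the listed names, and any activity from the reported IPs. The log lines are constructed for the example and the field names (`user`, `srcip`, `action`, `status`, `cfgpath`, `cfgobj`) are an assumed layout modelled on FortiGate event logs; check them against your own log export before relying on the rules.

```python
import re
from typing import Dict, List


def refang(indicator: str) -> str:
    """Turn the defanged form used in the article (mail[.]io, 104.28.244[.]115)
    back into a string that matches raw log values."""
    return indicator.replace("[.]", ".")


# Indicators quoted in the article, stored refanged so they compare to log fields.
SUSPECT_LOGIN_USERS = {refang(u) for u in ("cloud-noc@mail[.]io", "cloud-init@mail[.]io")}
PERSISTENCE_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support"}
OBSERVED_SRC_IPS = {refang(ip) for ip in ("104.28.244[.]115", "104.28.212[.]114")}

# key=value and key="quoted value" pairs, the style FortiGate event logs use.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one key=value style log line into a dict of field -> value."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        # group 3 is the body of a quoted value, group 4 an unquoted token
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) one parsed record should be raised to an analyst."""
    alerts: List[str] = []
    user = fields.get("user", "").lower()
    srcip = fields.get("srcip", "")
    status = fields.get("status", "")

    # Rule 1: any login attempt by the cloud-themed account names, successful or not
    if fields.get("action") == "login" and user in SUSPECT_LOGIN_USERS:
        alerts.append(f"login {status or 'attempt'} by cloud-themed account {user} from {srcip}")

    # Rule 2: any event sourced from the IPs observed in the campaign
    if srcip in OBSERVED_SRC_IPS:
        alerts.append(f"activity from IP reported in the campaign: {srcip}")

    # Rule 3: a local admin object with one of the persistence names being configured
    # (assumed field layout: cfgpath names the config table, cfgobj the object)
    if fields.get("cfgpath") == "system.admin" and fields.get("cfgobj", "").lower() in PERSISTENCE_ADMIN_NAMES:
        alerts.append(f"local admin object '{fields['cfgobj']}' configured by {user or 'unknown user'}")

    return alerts


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every line; one finding per (line, reason)."""
    findings: List[Dict[str, str]] = []
    for n, line in enumerate(lines, 1):
        fields = parse_fortigate_log(line)
        for reason in classify(fields):
            findings.append({
                "line": n,
                "user": fields.get("user", ""),
                "srcip": fields.get("srcip", ""),
                "reason": reason,
            })
    return findings


# Constructed sample log lines for the example (not real captured logs).
SAMPLE_LOGS = [
    'date=2025-01-01 time=10:01:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="cloud-noc@mail.io" ui="https(104.28.244.115)" srcip=104.28.244.115 action="login" status="success"',
    'date=2025-01-01 time=10:02:30 type="event" subtype="system" logdesc="Object configured" '
    'user="cloud-noc@mail.io" cfgpath="system.admin" cfgobj="itadmin" srcip=104.28.244.115',
    'date=2025-01-01 time=10:05:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" srcip=10.0.0.5 action="login" status="success"',
    'date=2025-01-01 time=10:06:00 type="event" subtype="system" logdesc="Admin login failed" '
    'user="cloud-init@mail.io" srcip=104.28.212.114 action="login" status="failed"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['reason']}")
```

Rule 3 deliberately fires on any configuration touching a local admin object with one of the listed names, not only on creation, because renaming or re-enabling an existing account is just as much a persistence signal; tune the allowlisted administrators and the field names to your environment. The mitigation itself is the configuration change the article quotes (disabling FortiCloud SSO login and restricting admin access with a local-in policy); this script only helps confirm whether a device was reached before that change was made.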