Fortinet FortiGate devices are being targeted in automated attacks that create rogue accounts and steal firewall configuration data, according to cybersecurity company Arctic Wolf.

The campaign started last week, on January 15, with the attackers exploiting an unknown vulnerability in the devices' single sign-on (SSO) feature to create accounts with VPN access and exporting firewall configurations within seconds, indicating automated activity.

Arctic Wolf, which reported these incidents on Wednesday, says the attacks are very similar to incidents it documented in December following the disclosure of a critical authentication bypass vulnerability (CVE-2025-59718) in Fortinet products.

That flaw allows unauthenticated attackers to bypass SSO authentication on vulnerable FortiGate firewalls via maliciously crafted SAML messages when FortiCloud SSO features are enabled.

"While the parameters of initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025," Arctic Wolf said. "It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719."

Arctic Wolf's advisory follows a wave of reports from Fortinet customers about attackers likely exploiting a patch bypass for the CVE-2025-59718 vulnerability to hack patched firewalls.

Affected admins said that Fortinet reportedly confirmed that the latest FortiOS version (7.4.10) doesn't fully address the authentication bypass flaw, which should have already been patched since early December with the release of FortiOS 7.4.9.

Fortinet is also allegedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address the CVE-2025-59718 security flaw.

Affected Fortinet customers also shared logs showing that the attackers created admin users after an SSO login from [email protected] on IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf while analyzing ongoing FortiGate attacks and previous exploitation the cybersecurity firm observed in December.

Disable FortiCloud SSO to block attacks

Until Fortinet fully patches FortiOS against these ongoing attacks, admins can secure their firewalls by temporarily turning off the vulnerable FortiCloud login feature (if enabled) by going to System -> Settings and switching "Allow administrative login using FortiCloud SSO" to Off.

Another option is to run the following commands from the command-line interface:

config system global
set admin-forticloud-sso-login disable
end

Internet security watchdog Shadowserver is currently tracking nearly 11,000 Fortinet devices that are exposed online and have FortiCloud SSO enabled.

CISA has also added CVE-2025-59718 to its catalog of flaws exploited in attacks on December 16 and has ordered federal agencies to patch within a week.

BleepingComputer reached out to Fortinet multiple times this week with questions about these FortiGate attacks, but the company has yet to reply.