TL;DR: Attackers are actively compromising FortiGate firewalls, including devices that were supposedly patched in December 2025. Fortinet's patch didn't work. At least 11,000 internet-facing FortiGate devices using SAML SSO are exposed. Attackers are creating backdoor admin accounts with names like "helpdesk" and "support," exfiltrating firewall configurations (with credentials), and spinning up VPN accounts, all in seconds. If you're running FortiGate with SSO enabled, disable it now and assume you've been compromised.

What's Happening

Starting January 15, 2026, security researchers at Arctic Wolf Labs observed a wave of automated attacks targeting FortiGate firewalls.[1] The attackers exploited authentication bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 to gain admin access without credentials.

The problem: Fortinet patched these vulnerabilities in December 2025. Devices running the "fixed" versions (7.4.9+, 7.2.12+, 7.0.18+, and 7.6.4+) are still getting compromised.[2]

Huntress Labs confirmed the attacks hit devices running version 7.4.9 and later. Administrators posting on Reddit reported the same thing: patched systems, still hacked.[2]

Fortinet acknowledged on January 23, 2026, that attackers found a new path around their December patch. A real fix is "in progress."[3]

How the Attack Works

Attackers are sending crafted SAML authentication responses to FortiGate's single sign-on (SSO) interface. The malicious responses bypass normal authentication and grant admin access.[1]

Once inside, attackers move fast. Automation handles the heavy lifting:

  • Create backdoor accounts: Generic names like "helpdesk," "secadmin," "itadmin," "support," "backup," "remoteadmin," "audit"
  • Export device configurations: Full config files containing hashed credentials
  • Modify firewall rules: Opening access for persistence
  • Spin up VPN accounts: Remote access that survives reboots

Arctic Wolf described the activity as happening "in a matter of seconds."[3] This isn't a targeted attack. It's automated mass exploitation.

Who's Affected

Shadowserver identified approximately 11,000 internet-facing FortiGate devices with FortiCloud SSO enabled.[2] All of these are potential targets.

Fortinet says the vulnerability affects "all SAML SSO implementations," not just FortiCloud. If your FortiGate uses SAML for authentication, assume you're at risk.[3]

The attacks originate from DigitalOcean, Kaopu Cloud HK, and Cloudflare IP addresses. The primary target account is [email protected].[2]

Timeline

  • December 2025: Fortinet releases patches for CVE-2025-59718 and CVE-2025-59719
  • December 30, 2025: Organizations upgrade to "patched" versions
  • January 15, 2026: Arctic Wolf Labs observes new exploitation wave
  • January 21-22, 2026: Reports emerge of compromises on fully patched systems
  • January 23, 2026: Fortinet confirms attackers found new bypass, says fix is coming

What To Do Right Now

Disable FortiCloud SSO

Turn off SAML SSO login immediately until Fortinet releases a working patch.

Assume Compromise

If you had SSO enabled, assume credentials were exfiltrated. Reset all hashed passwords stored in device configs.

Lock Down Management

Restrict management interface access to trusted internal IPs only via local-in policies. Block internet access to admin panels.

Hunt for Backdoors

Check for unauthorized admin accounts with generic names. Remove any you didn't create. Review recent config changes.

Rotate LDAP/Active Directory credentials connected to FortiGate devices. If attackers got your firewall config, they got your AD integration credentials too.[2]

Signs You've Been Compromised

  • New admin accounts you didn't create (especially generic names)
  • Config changes in the last 10 days you can't explain
  • Logins from unexpected IPs (check DigitalOcean, Kaopu Cloud HK, Cloudflare ranges)
  • New VPN accounts or modified VPN configurations
  • Evidence of configuration exports via the web GUI
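To make the "Hunt for Backdoors" step and the indicators above repeatable, here is a small triage script over a FortiGate configuration export. It is an added example, not code from Fortinet or from any of the cited researchers; the backdoor account names come from the article, the sample config is constructed, and the `system saml` / `admin-forticloud-sso-login` setting names are assumed from FortiOS CLI syntax rather than taken from the page.

```python
# Generic backdoor account names reported in the campaign (taken from the article).
SUSPECT_NAMES = {"helpdesk", "secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
def parse_fortios(text):
    """Parse FortiOS 'config <section> / edit <name> / set k v / next / end' blocks into
    {section: {entry: {key: value}}}; 'set' lines outside an 'edit' go under '_global'."""
    tree, stack = {}, []  # stack items: [section, current_entry]; handles nested config blocks
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[7:], "_global"])
            tree.setdefault(line[7:], {})
        elif line == "end" and stack:
            stack.pop()
        elif not stack:
            continue  # header/comment lines outside any block, e.g. #config-version=...
        elif line.startswith("edit "):
            stack[-1][1] = line[5:].strip('"')
            tree[stack[-1][0]].setdefault(stack[-1][1], {})
        elif line == "next":
            stack[-1][1] = "_global"
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree[stack[-1][0]].setdefault(stack[-1][1], {})[key] = value.strip('"')
    return tree

def triage(config_text, expected_admins, expected_users):
    """Flag admin accounts, local (VPN) users and SSO settings that need a second look."""
    cfg, findings = parse_fortios(config_text), []
    for name in cfg.get("system admin", {}):
        if name in SUSPECT_NAMES:
            findings.append(f"admin '{name}' matches a reported backdoor name")
        elif name != "_global" and name not in expected_admins:
            findings.append(f"admin '{name}' is not in the baseline")
    for name in cfg.get("user local", {}):
        if name != "_global" and name not in expected_users:
            findings.append(f"local user '{name}' not in baseline (possible VPN account)")
    # Setting names below are assumed from FortiOS CLI syntax; confirm them on your release.
    if cfg.get("system saml", {}).get("_global", {}).get("status") == "enable":
        findings.append("SAML SSO is enabled ('config system saml')")
    if cfg.get("system global", {}).get("_global", {}).get("admin-forticloud-sso-login") == "enable":
        findings.append("FortiCloud SSO admin login is enabled ('config system global')")
    return findings

# Constructed sample export (not a real device config) so the script runs stand-alone.
SAMPLE = "\n".join([
    "config system global", "    set admin-forticloud-sso-login enable", "end",
    "config system admin", '    edit "admin"', "    next", '    edit "helpdesk"', "    next", "end",
    "config user local", '    edit "vpn-contractor"', "    next", "end",
])
```

Run `triage(SAMPLE, {"admin"}, set())` with your own known-good admin and user lists as the baseline; every finding is something to verify against change records before deciding whether the device was touched.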

The Bigger Picture

This is the second time in five years Fortinet has dealt with critical authentication bypass issues in FortiGate. CVE-2020-12812, a five-year-old 2FA bypass flaw, is still being exploited on over 10,000 devices.[4]

APT groups (including Russian SVR operators and Iranian state hackers) have used Fortinet vulnerabilities. Ransomware groups like Conti, REvil, Hive, and Cring all exploit FortiGate when they can.[4]

Enterprise firewalls are prime targets. They sit on network boundaries, handle authentication, and contain credentials. One compromised firewall = full network access.

The pattern repeats: critical vulnerability disclosed, patch released, attackers find bypass, organizations scramble. Meanwhile, automated exploitation campaigns compromise thousands of devices before anyone can react.

The Bottom Line

If you're running FortiGate with SAML SSO, you're in a rough spot. The patch Fortinet released in December didn't fully work. A real fix isn't out yet.

Disable SSO now. Check for backdoor accounts. Assume your credentials are compromised and rotate them. Wait for an actual working patch before re-enabling.

11,000+ devices are exposed. Attackers are automated. You probably don't have days to decide.

References

  1. Rapid7 - Critical Vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 Exploited in the Wild
  2. Help Net Security - Fully Patched FortiGate Firewalls Are Getting Compromised (January 21, 2026)
  3. The Register - Fortinet Admits FortiGate SSO Bug Still Exploitable Despite December Patch (January 23, 2026)
  4. Eclypsium - Fortinet Under Fire: Network Edge Attacks Start Strong in 2026
  5. BleepingComputer - Over 10K Fortinet Firewalls Exposed to Actively Exploited 2FA Bypass