Automated attacks targeting Fortinet FortiGate devices have been reported, in which attackers create unauthorized accounts and steal firewall configuration data. The campaign began on January 15, 2026, according to a report from cybersecurity firm Arctic Wolf.
The attackers are exploiting an unpatched vulnerability in the devices' single sign-on (SSO) feature, which has previously been linked to a critical flaw identified as CVE-2025-59718. That flaw allows an authentication bypass via malicious SAML messages, posing significant risks to users.
Fortinet is aware of the situation, with reports indicating that the latest version of FortiOS (7.4.10) does not completely resolve the authentication issues from earlier patches. Upcoming releases, including FortiOS 7.4.11 and 7.6.6, are anticipated to address these concerns fully. Until a comprehensive fix is available, users are advised to temporarily disable FortiCloud SSO to reduce the risk of further attacks.
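To check a device against the two things described above (FortiCloud SSO left enabled, and administrator accounts nobody on the team created), the following added example, which is not from Arctic Wolf or Fortinet, audits a FortiOS configuration backup. The sample backup, the `svc-backup` account and the allowlist are constructed; the setting name `admin-forticloud-sso-login` does not appear on this page and should be confirmed against Fortinet's advisory for your FortiOS version.

```python
# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "FGT-EXAMPLE"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
end
"""
EXPECTED_ADMINS = {"admin"}  # hypothetical allowlist of accounts you created

def parse_sections(text):
    """Map each top-level 'config X' block to its settings and 'edit' entries."""
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = sections.setdefault(line[7:], {"settings": {}, "entries": {}})
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = entry = None
        elif depth == 1 and section is not None:  # nested sub-tables are skipped
            if line.startswith("edit "):
                entry = section["entries"].setdefault(line[5:].strip('"'), {})
            elif line == "next":
                entry = None
            elif line.startswith("set "):
                parts = line.split(None, 2)
                target = entry if entry is not None else section["settings"]
                target[parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return sections

def audit(text, expected_admins):
    """Return findings: SSO not explicitly disabled, and admins outside the allowlist."""
    sections = parse_sections(text)
    findings = []
    sso = sections.get("system global", {}).get("settings", {}).get("admin-forticloud-sso-login")
    if sso != "disable":  # a backup may omit the setting, so absence is reported too
        findings.append(f"admin-forticloud-sso-login is {sso or 'not set in backup (verify on device)'}")
    admins = sections.get("system admin", {}).get("entries", {})
    for name in sorted(set(admins) - set(expected_admins)):
        findings.append(f"unexpected admin account: {name} (profile {admins[name].get('accprofile', '?')})")
    return findings
```

Run `audit()` over each scheduled backup and alert on any non-empty result; an account that appears between two backups is worth investigating even after SSO has been disabled.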