- Hackers exploit Fortinet FortiGate SSO bug to steal firewall configuration data
- FortiOS 7.4.10 patch incomplete; new versions planned to fully fix vulnerability
- Stolen firewall data exposes network topology, VPNs, and security rules for further attacks
Cybercriminals seem to be taking advantage of a hole in a recent patch for Fortinet FortiGate instances, and are exploiting the vulnerability to create administrator accounts and steal firewall configuration data.
Security researchers at Arctic Wolf said they saw hackers abusing a bug in the single sign-on (SSO) feature to create accounts and export firewall configurations, most likely via an automated script.
The activity is akin to one observed in December, when threat actors abused two flaws – CVE-2025-59718, and CVE-2025-59719.
New versions in the pipeline
“While the parameters of initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025,” Arctic Wolf said in its report.
“It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719.”
Fortinet has apparently confirmed the reports, saying that FortiOS version 7.4.10 does not fully fix the abovementioned vulnerability.
Multiple releases are already in the pipeline, namely 7.4.11, 7.6.6, and 8.0.0, which should fully resolve this issue. These versions are planned to be released in a few days. As per Shadowserver data, there are more than 10,000 vulnerable endpoints out there.
The attacks are quite dangerous. Firewall configuration data reveals the full network topology, security rules, VPN settings, and authentication mechanisms, allowing crooks to identify exposed services, bypass controls, move laterally, and maintain or regain access through VPNs or trusted connections.
The data can also be used to attack connected partner networks or sold to other threat actors.
If your organization is at risk, until Fortinet patches things up, consider temporarily turning off the FortiCloud login feature. You could also run these commands:
config system global
set admin-forticloud-sso-login disable
end
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/oURxQ8dw8TJ2KxmqQDaio6-970-80.jpg
Source link
