Security Operations, SOC, Vulnerability Management, Patch/Configuration Management, Network Security, Endpoint/Device Security, Application security

Patched FortiGate bug targeted in new wave of automated attacks

(Adobe Stock)

A series of highly automated, but not necessarily AI-enabled, attacks on Fortinet FortiGate firewalls were observed for the past week that set up rogue accounts and steal firewall configurations.

In a Jan. 21 blog, Arctic Wolf researchers said the attacks are similar to incidents reported on last month following the disclosure and patch of a critical 9.8 authentication bypass bug — CVE-2025-59718 — a flaw that also landed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

BleepingComputer also reported that affected administrators said Fortinet admitted that the latest FortiOS version (7.4.10) doesn't fully address the authentication bypass flaw, which should have already been patched since early December with the release of FortiOS 7.4.9.

In response to concern in the industry, Fortinet reportedly plans to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the next few days to fully address the CVE-2025-59718 security flaw.

“The recent breach of Fortinet FortiGate devices signals a concerning escalation in perimeter attacks,” said Damon Small, board member at Xcape, Inc. “Instead of manual exploitation, attackers are now using high-speed automation to harvest firewall configurations. This automated approach lets threat actors scan, exploit, and steal sensitive network maps far more efficiently than human-led response teams can manage.”

Small said stealing firewall configurations is especially damaging because it essentially offers attackers a blueprint of an organization's internal network This reveals segmentation weaknesses and enables precise planning for lateral movement.

Mark Townsend, chief technology officer at AcceleTrex, added that automation collapses the breach timeline from hours to seconds.

“That’s the real danger here: humans simply can’t react quickly enough,” said Townsend. “Firewall configurations are often the keys to the kingdom. They don’t just contain rules, they often reveal how a network truly works. Many admins leave comments, service names, and policy descriptions that give attackers a ready‑made blueprint of what’s important, where critical services live, and which paths are most valuable to target next.”

Townsend said security teams should act like they’ve already compromised and take these immediate steps:

  • Disable FortiCloud SSO: This is the primary attack path in the campaign, so turn it off until patched firmware is confirmed effective. 
  • Scan for known IOCs: Look for suspicious SSO logins using accounts like [email protected], rapid config exports, and newly- created admin users such as secadmin, itadmin, support, backup, or remoteadmin. 
  • Assume credential exposure: If configs were exfiltrated, rotate all credentials stored on the device; attackers often crack exported password hashes offline.
  • Lock down the management plane: Restrict admin access to internal networks only; no internet‑exposed GUI or APIs. 
  • Prepare to upgrade: Fortinet will release updated firmware (e.g., 7.4.11, 7.6.6, 8.0.0) to fully address the bypass. Apply as soon as verified safe.
  • Compare current configs to known‑good backups: Pull a diff and match changes against legitimate change‑control records. Unauthorized rule edits, new admin accounts, logging destination changes, or subtle VPN tweaks are strong indicators of attacker persistence.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds