Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations CVE-2025-59718 (CVSS 9.8)

Key Takeaways:

  • Critical unauthenticated SSO bypass vulnerability (CVE-2025-59718) is being actively exploited in the wild.
  • Attackers are automating the creation of rogue “cloud-init@mail.io” administrative accounts.
  • Firewall configuration files are being exfiltrated, exposing sensitive network topology and secrets.
  • Disabling the admin-forticloud-sso-login feature is the recommended immediate mitigation.

On January 15, 2026, a new cluster of automated malicious activity was detected targeting Fortinet FortiGate appliances. This campaign involves unauthorized configuration changes and the creation of rogue administrative accounts. The primary vector for this activity is the exploitation of the FortiCloud Single Sign-On (SSO) feature. Organizations utilizing Fortinet security products are currently facing automated FortiGate attacks that exploit FortiCloud SSO to alter firewall configurations, specifically targeting the vulnerabilities identified as CVE-2025-59718 and CVE-2025-59719.

Analysis indicates that these attacks are highly similar to a threat cluster observed in December 2025. The current activity leverages an unauthenticated bypass of SSO authentication. By utilizing crafted Security Assertion Markup Language (SAML) messages, threat actors can bypass security checkpoints when the FortiCloud SSO feature is active on a device. These vulnerabilities impact several components of the Fortinet ecosystem, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

These automated FortiGate attacks exploit FortiCloud SSO to alter firewall configurations by relying on the improper validation of SAML assertions. SAML is an open standard for exchanging authentication and authorization data between parties, in this case the identity provider (FortiCloud) and the service provider (the FortiGate appliance). When an attacker sends a specifically structured SAML message, the firewall incorrectly validates the asserted identity, granting the attacker administrative access without requiring valid credentials.

Automated attack targeting FortiGate firewall configurations

The observed malicious activity follows a rapid, automated sequence. Within seconds of gaining access, threat actors perform the following actions:

  • Creation of a generic administrative account, frequently using the identifier “cloud-init@mail.io”.
  • Modification of firewall configurations to grant VPN access to these newly created accounts.
  • Exfiltration of the full firewall configuration file via the management GUI.

These steps suggest a coordinated effort to establish long-term persistence and gather intelligence for secondary attacks. The exfiltration of configuration files is particularly critical, as these files contain sensitive information regarding network topology, internal IP schemes, and cryptographic secrets. Such data is often traded on underground forums, making an underground forum intelligence capability essential for identifying if an organization’s internal data has been exposed.

Technical Analysis of CVE-2025-59718 and CVE-2025-59719

CVE-2025-59718 carries a CVSS score of 9.8, classifying it as a critical vulnerability. It represents a logic flaw in how FortiOS processes SAML responses. Because the bypass is unauthenticated, any device with the “admin-forticloud-sso-login” setting enabled and exposed to the internet is a potential target.

The automation of these attacks is evidenced by the speed of execution. Logs from affected devices show that account creation and configuration export occur almost simultaneously across multiple targets. This indicates the use of scripted exploitation tools that scan for vulnerable instances and execute a predetermined payload. To counter such rapid movements, organizations require real-time ransomware intelligence and breach detection systems that can identify anomalous administrative logins as they occur.

Data from the Shadowserver Foundation suggests that approximately 11,000 Fortinet devices currently have FortiCloud SSO enabled and are reachable via the public internet. This large attack surface provides ample opportunity for threat actors to refine their automated scripts. Furthermore, reports from the cybersecurity community indicate that the patch provided in FortiOS version 7.4.10 may not fully remediate the flaw, or that a secondary bypass has been discovered. This underscores the value of supply-chain risk monitoring when relying on vendor-supplied patches that may require multiple iterations to be effective.

Indicators of Compromise (IoC)

Analysis of recent incidents has identified several IP addresses associated with the automated exploitation of FortiGate devices. These include:

  • 104.28.244.115
  • 104.28.212.114
  • 217.119.139.50
  • 37.1.209.19

The presence of these IP addresses in firewall logs, especially in conjunction with the “cloud-init@mail.io” username, is a definitive indicator of compromise. Organizations should monitor their environments for these identifiers using a cyber threat intelligence platform. Additionally, monitoring for logins from unexpected hosting providers or geolocations to administrative interfaces is a standard defensive measure.

The Role of SSO in Modern Infrastructure Risk

Single Sign-On is implemented to simplify credential management, but in this instance, it has become a single point of failure. When an SSO implementation such as FortiCloud is compromised or contains a bypass vulnerability, the security of every downstream device is negated. This campaign demonstrates that threat actors are prioritizing identity-based attacks to circumvent traditional perimeter defenses.

For organizations managing a large fleet of firewalls, the risk is compounded. Automated tools can alter the configurations of dozens of devices in the time it takes an analyst to respond to a single alert. This emphasizes the need for a live ransomware API that can feed threat data directly into security orchestration tools, allowing for the automated isolation of compromised appliances.

The exfiltration of configuration files also leads to long-term risk. Once an attacker understands the internal routing and security policies of a network, they can plan more sophisticated lateral movement. Information regarding these leaks often surfaces through brand leak alerting services, which track the unauthorized distribution of corporate data.

Connection to Broad Threat Activity

The current campaign targeting FortiGate devices does not exist in isolation. Threat actors often use such vulnerabilities to gain an initial foothold before deploying more destructive payloads, such as ransomware. Through Telegram threat monitoring, security researchers have noted an increase in discussions regarding FortiOS SAML exploitation techniques among various threat groups.

Furthermore, a dark web monitoring service can provide insight into whether specific firewall configurations are being sold as “access as a service.” Attackers who successfully export configurations can sell this data to other groups, who then use the modified VPN settings to enter the network without triggering traditional brute-force alarms.

Technical Takeaways for Engineers

For technical teams responsible for maintaining Fortinet infrastructure, the following facts and actions are critical:

  • Verification of Configuration: The presence of set admin-forticloud-sso-login enable in the global system configuration indicates vulnerability.
  • Immediate Mitigation: Disable the FortiCloud SSO login feature via the CLI:
    config system global
    set admin-forticloud-sso-login disable
    end
  • Log Auditing: Review type=event logs for action=login events associated with the SSO process. Search for the user cloud-init@mail.io.
  • Configuration Integrity: Compare current configuration backups with those from prior to January 15, 2026. Look for unauthorized config vpn ssl web user entries.
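The log auditing and configuration checks above (and the IoC matching from the Indicators of Compromise section) can be scripted. The following is an added example, not code from the original article or from Fortinet: it assumes FortiOS event logs are space-separated key=value pairs using the field names type, action, user, srcip and cfgobj, and that admin accounts appear as edit "name" entries inside a config system admin block; the sample log lines and config are constructed, not real device output.

```python
import re

# Indicators from the advisory: rogue admin name and attacker source IPs.
ROGUE_ADMIN = "cloud-init@mail.io"
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Parse one FortiOS key=value log line; values may be double-quoted (assumed format)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def flag_events(lines):
    """Return (line_no, reason) for event records matching the campaign indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_log(line)
        if rec.get("type") != "event":
            continue
        # Rogue admin either acting (user=) or being created as a config object (cfgobj=).
        if ROGUE_ADMIN in (rec.get("user"), rec.get("cfgobj")):
            hits.append((n, "rogue admin " + ROGUE_ADMIN))
        elif rec.get("action") == "login" and rec.get("srcip") in IOC_IPS:
            hits.append((n, "login from IoC address " + rec["srcip"]))
    return hits

def audit_config(config_text, known_admins):
    """Check a config backup for the vulnerable SSO setting and for unknown admin accounts."""
    depth, top, sso_enabled, unknown = 0, None, False, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):       # track nesting so an inner 'end' does not
            depth += 1                       # close the top-level block prematurely
            top = line if depth == 1 else top
        elif line == "end":
            depth -= 1
            top = None if depth == 0 else top
        elif top == "config system global" and line == "set admin-forticloud-sso-login enable":
            sso_enabled = True
        elif top == "config system admin" and depth == 1 and line.startswith('edit "'):
            name = line[len('edit "'):-1]
            if name not in known_admins:
                unknown.append(name)
    return {"sso_enabled": sso_enabled, "unknown_admins": unknown}

# Constructed sample data (not real device output) exercising both checks.
SAMPLE_LOGS = [
    'date=2026-01-15 time=08:12:07 type="event" subtype="system" action="login" user="cloud-init@mail.io" srcip=104.28.244.115 status="success"',
    'date=2026-01-15 time=08:12:09 type="event" subtype="system" action="Add" user="admin" cfgpath="system.admin" cfgobj="cloud-init@mail.io" srcip=104.28.244.115',
    'date=2026-01-15 time=08:13:40 type="event" subtype="system" action="login" user="admin" srcip=37.1.209.19 status="success"']
SAMPLE_CONFIG = ("config system global\n    set admin-forticloud-sso-login enable\nend\n"
                 "config system admin\n    edit \"cloud-init@mail.io\"\n        set accprofile \"super_admin\"\n    next\nend\n")
```

Run flag_events over an exported event log and audit_config over a backup taken after January 15, 2026, with known_admins set to the accounts your team actually provisioned; any hit or unknown admin warrants the configuration comparison described above.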

Strategic Takeaways for Business Leaders

Business leaders must understand that the impact of a firewall compromise extends beyond a simple hardware issue:

  • Data Privacy Risks: A configuration file contains the blueprints of your digital environment. If stolen, it provides a map for future breaches.
  • Compliance Implications: Failure to address a known exploited vulnerability can have regulatory consequences, particularly for those in the federal supply chain.
  • Operational Continuity: Automated changes can lead to sudden network outages or the unauthorized exposure of internal services.
  • Resource Allocation: Investing in a cyber threat intelligence platform can help prioritize vulnerabilities based on active exploitation data.

PurpleOps Expertise in Network Security

PurpleOps provides comprehensive solutions to address critical vulnerabilities like CVE-2025-59718. Our team specializes in penetration testing and red team operations designed to identify weak points in SSO implementations and perimeter security.

Our cyber threat intelligence services provide the real-time data necessary to track moving threats. We monitor underground forum intelligence and offer a dark web monitoring service to ensure that if your firewall configurations are leaked, you are alerted immediately.

For organizations concerned about the security of their supply chain, PurpleOps offers specialized supply-chain risk monitoring. This service evaluates the security posture of the vendors and hardware you rely on, providing a clear picture of the risks inherent in your infrastructure choices.

To learn more about how to secure your network infrastructure, visit our services page or contact our team directly through the PurpleOps platform.

Frequently Asked Questions

What is CVE-2025-59718?
It is a critical vulnerability (CVSS 9.8) in Fortinet appliances that allows an unauthenticated attacker to bypass SSO authentication via crafted SAML messages and gain administrative access.

How do I know if I have been attacked?
Check your logs for the creation of an administrative account named “cloud-init@mail.io” and look for unauthorized login events from the IP addresses 104.28.244.115 or 37.1.209.19.

Is patching to FortiOS 7.4.10 enough?
While patching is recommended, there are reports that the current patch may not fully remediate the issue or that secondary bypasses exist. Disabling the admin-forticloud-sso-login feature is the most secure immediate action.

What is the main risk of config file exfiltration?
Exfiltrated configuration files contain your entire network map, internal IP addresses, and cryptographic secrets, which can be used to plan sophisticated lateral movement or sold on the dark web.