January 23, 2026

Fortinet is warning customers that attackers are actively breaking into FortiGate firewalls through a fast-moving, automated campaign tied to flaws in FortiCloud single sign-on. The campaign is targeting firewalls even in environments that appear to be fully patched.
Security firm Arctic Wolf says it began detecting the activity on Jan. 15, when threat actors started slipping past authentication controls, pulling full device configurations, and planting backdoor administrator accounts within seconds. The attacks are hitting internet-exposed FortiGate devices at scale, raising concerns that a previously disclosed vulnerability or a close variant of it remains exploitable despite recent fixes.
The campaign traces back to two critical authentication bypass bugs Fortinet disclosed in December, tracked as CVE-2025-59718 and CVE-2025-59719. Those flaws allow unauthenticated attackers to abuse crafted SAML messages to gain administrative access when FortiCloud SSO is enabled. At the time, Fortinet issued patches across multiple products, including FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager.
What has alarmed defenders is that the latest intrusions are being observed on systems running updated firmware, including FortiOS 7.4.9, 7.4.10, and 7.6.x. Arctic Wolf and Field Effect both report seeing compromises on devices that should, on paper, no longer be vulnerable.
The configuration files being stolen are particularly valuable. They can contain hashed credentials, VPN settings, and network topology details that allow attackers to crack passwords offline and pivot deeper into corporate networks. In many cases, the newly created administrator accounts are configured with VPN access.
The attacks appear indiscriminate, sweeping across any reachable FortiGate device with FortiCloud SSO enabled. Prior internet scans suggested that more than 25,000 devices could be exposed, giving threat actors a large pool of potential targets. Security teams are being urged to assume compromise if any suspicious SSO activity is detected.
Fortinet has acknowledged the active exploitation and says it will continue to investigate whether the current patches fully address the issue. The company's earlier advisory outlined which versions were affected and which releases contained fixes, but the January activity has complicated that picture. Researchers say the behavior closely mirrors what they observed immediately after the December disclosure, though the precise initial access mechanism has not yet been confirmed.
Defenders are advising organizations to review FortiGate logs for unusual SSO logins, unexpected configuration exports, or the sudden appearance of generic administrator accounts. As an added precaution, many incident responders are recommending disabling FortiCloud SSO entirely until Fortinet confirms the issue is fully contained. Other recommendations include resetting all credentials and locking down management interfaces to internal networks only.
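The review the article recommends can be turned into a simple triage script. The example below is added here and is not code from Fortinet, Arctic Wolf or Field Effect; it parses FortiOS-style key=value event lines and flags the three indicators named above (successful SSO administrator logins, configuration exports, and newly added administrator accounts), escalating the latter two when they follow an SSO login from the same source within a short window, which matches the "within seconds" pattern described earlier. The field names (`action`, `ui`, `cfgpath`, `status`) and the sample log lines are assumptions constructed for illustration, not a verified FortiOS log schema, so adjust the rules to the fields in your own exported logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a FortiOS-style key=value layout. The field names
# are assumptions for this example, not a verified FortiOS schema. The third
# line is a normal HTTPS login from an internal address and should not alert.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:41 type=event subtype=system action=login '
    'status=success user="admin" ui="sso(203.0.113.7)" '
    'msg="Administrator admin logged in successfully from sso(203.0.113.7)"',
    'date=2026-01-15 time=03:12:44 type=event subtype=system action=Add '
    'cfgpath="system.admin" cfgobj="support1" user="admin" ui="sso(203.0.113.7)" '
    'msg="Add system.admin support1"',
    'date=2026-01-15 time=03:12:47 type=event subtype=system action=backup '
    'user="admin" ui="sso(203.0.113.7)" msg="Configuration backed up"',
    'date=2026-01-15 time=09:00:02 type=event subtype=system action=login '
    'status=success user="netops" ui="https(10.0.0.5)" '
    'msg="Administrator netops logged in successfully from https(10.0.0.5)"',
]

# key=value pairs; values may be bare tokens or double-quoted strings
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def event_time(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def source_of(ui):
    """Pull the client address out of a ui value such as sso(203.0.113.7)."""
    m = re.search(r"\(([^)]+)\)", ui)
    return m.group(1) if m else ""


def classify(rec):
    """Map one record to the indicator categories the article names."""
    tags = []
    ui = rec.get("ui", "")
    if rec.get("action") == "login" and rec.get("status") == "success" and ui.startswith("sso"):
        tags.append("sso_login")
    if rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin":
        tags.append("admin_account_created")
    if rec.get("action") == "backup":
        tags.append("config_export")
    return tags


def detect(lines, window=timedelta(seconds=60)):
    """Return (severity, indicator, source, time) findings in log order.

    An account creation or config export is rated high when the same source
    completed an SSO login within `window` before it; otherwise medium.
    """
    findings = []
    sso_logins = []  # (time, source) of successful SSO logins seen so far
    for line in lines:
        rec = parse_line(line)
        tags = classify(rec)
        if not tags:
            continue
        t = event_time(rec)
        src = source_of(rec.get("ui", ""))
        if "sso_login" in tags:
            sso_logins.append((t, src))
            findings.append(("medium", "sso_login", src, t))
        for tag in ("admin_account_created", "config_export"):
            if tag in tags:
                chained = any(src == s and timedelta(0) <= t - lt <= window
                              for lt, s in sso_logins)
                findings.append(("high" if chained else "medium", tag, src, t))
    return findings


if __name__ == "__main__":
    for severity, indicator, src, t in detect(SAMPLE_LOGS):
        print(f"{t.isoformat()} {severity:6} {indicator:22} source={src}")
```

Run it against a file of exported event logs by replacing `SAMPLE_LOGS` with the file's lines; any high-severity chain (SSO login, then an `Add` to `system.admin` or a backup from the same address) is the sequence the article describes and, per the guidance above, should be treated as a presumed compromise rather than an anomaly to watch.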
