Enemy at the FortiGates: Fortinet Devices Remain Vulnerable

This report is distributed as TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. 

Starting 15 January 2026, security researchers at Arctic Wolf identified the compromise of fully-patched Fortinet FortiGate devices where attackers likely exploited the FortiCloud single sign-on (SSO) service. 

On 22 January 2026, Fortinet acknowledged there is an active security issue with FortiCloud SSO that was not addressed in the December 2025 security patches for vulnerabilities CVE-2025-59718 and CVE-2025-59719. Fortinet urges customers to implement mitigations against this attack as a security patch is not available at the time of publication. 

On 9 December 2025, Fortinet released patches to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) affecting FortiOS (used by FortiGate), FortiWeb, FortiProxy, and FortiSwitchManager. The vulnerabilities were in FortiCloud’s SSO service where an attacker could bypass authentication by sending a specially-crafted SAML request to gain administrative access. 

Since 15 January 2026, Arctic Wolf observed malicious SSO authentications from accounts [email protected] and [email protected] to FortiGate devices. After successful compromise, attackers created additional accounts for persistence and exfiltrated firewall configuration files. The authentications originated from IPs provided by the hosting providers Cloudflare (AS13335), Galeon (AS209290), and HVC (AS29802). CSIRT Italy also corroborated this renewed exploitation activity. 

On 22 January 2026, Fortinet’s security team (PSIRT) published an initial analysis of the security incidents reported by Arctic Wolf, noting “the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.” 

At the time of publication, there is neither an available security patch nor published CVE for Fortinet products affected by this new FortiCloud SSO vulnerability. Instead, Fortinet recommends implementing mitigations to disable FortiCloud SSO and further restrict administrative console access to internal networks. 

CyberAlberta Threat Intelligence identified Fortinet assets in Alberta, although it is not clear what versions are installed or if the FortiCloud SSO login feature is enabled. 

CyberAlberta Threat Intelligence assesses it is likely that all versions of Fortinet products with the FortiCloud SSO service enabled remain vulnerable to an authentication bypass. If the FortiCloud SSO service is enabled, check for indicators of compromise and implement Fortinet’s recommended mitigations.