
New Wave of Attacks Targeting FortiGate Firewalls


Threat actors are making configuration changes to FortiGate firewalls in a new wave of attacks reminiscent of a December 2025 campaign, security researchers warn.

Over the past week, Arctic Wolf observed automated attacks targeting FortiGate devices to create new user accounts, modify configurations for VPN access, and exfiltrate firewall data.

The activity, the cybersecurity firm notes, is similar to a month-old campaign targeting CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.8), two critical-severity authentication bypass vulnerabilities in Fortinet products.

The bugs, the vendor said in early December, allow attackers to bypass the FortiCloud SSO login authentication via crafted SAML response messages.

While the FortiCloud login feature is disabled by default, it is enabled when registering a new device to FortiCare from the device’s UI, unless the administrator specifically disables it.

Roughly a week later, Arctic Wolf warned that threat actors started exploiting the security defects against FortiGate firewalls three ...


Copyright of this story solely belongs to SecurityWeek.