UPDATE: Researchers are watching a new stream of automated malicious activity that is actively targeting Fortinet FortiGate devices. The campaign, which began on Jan. 15, is notable for its automated approach to unauthorized firewall configuration changes, suggesting a sophisticated, large-scale exploitation effort.

On Thursday afternoon, Fortinet released a blog post addressing the exploitation activity, and said that it is the result of a new attack path.

"Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue. However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path," the post says.

"Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline is available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations."

Campaign Details

This activity shares some similarities with a campaign that researchers at Arctic Wolf identified in December. That campaign started soon after Fortinet disclosed two authentication bypass flaws (CVE-2025-59718 and CVE-2025-59719).

"The vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud SSO feature is enabled on affected devices. Several product lines were reported to be affected, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager," Arctic Wolf Labs researchers said in an analysis of the new activity.

The new campaign involves several key steps designed for persistence and lateral movement:

  • Persistence: The threat actors are creating generic accounts on affected FortiGate appliances.
  • Access Grant: Configuration changes are made to grant these new accounts VPN access.
  • Information Gathering: The campaign includes the exfiltration of the firewall configurations, likely for further exploitation or intelligence gathering.

While the initial access method is still unconfirmed, the current activity shares distinct similarities with the December campaign. That campaign involved malicious SSO login activity on administrator accounts, followed by unauthorized configuration changes and data exfiltration.
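The three stages listed above (account creation, VPN access grant, configuration export) and the SSO login that precedes them all leave entries in the appliance's event log, which makes the chain detectable even before the initial access vector is confirmed. The following is an added example, not code from the article or from Arctic Wolf, showing how a defender might run those checks over FortiGate-style key=value event-log lines. The sample lines are constructed for this example: they imitate FortiGate's logging style, but the exact `logdesc`, `cfgpath` and `action` strings, and the trusted management networks, are assumptions to be checked against a real device's own logs.

```python
"""Detection sketch for the FortiGate activity chain described above.

Input: FortiGate-style event-log lines (key=value pairs, quoted values).
Output: one alert per suspicious event, plus a per-user summary that
highlights accounts tying several stages of the chain together.

All sample lines are constructed for this example; field names follow
FortiGate's key=value event-log style, but the logdesc/cfgpath/action
values are assumptions and should be verified against real logs.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IP_IN_PARENS_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Constructed: networks from which administrative logins are expected.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Assumed config paths whose modification grants or widens VPN access.
VPN_ACCESS_PATHS = ("user.group", "vpn.ssl.settings", "vpn.ssl.web.portal",
                    "vpn.ipsec.phase1-interface")


def parse_kv(line: str) -> Dict[str, str]:
    """Tokenize one log line into a dict; quoted and bare values both handled."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_ip(ev: Dict[str, str]) -> Optional[str]:
    """Prefer srcip; fall back to the address embedded in ui="https(1.2.3.4)"."""
    if ev.get("srcip"):
        return ev["srcip"]
    m = IP_IN_PARENS_RE.search(ev.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(ip: Optional[str]) -> bool:
    """True only when the address falls inside a trusted management network."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection rules this single event triggers (may be empty)."""
    hits = []
    desc = ev.get("logdesc", "").lower()
    action = ev.get("action", "").lower()
    cfgpath = ev.get("cfgpath", "")
    # Stage 0: a successful admin login that did not come from a trusted net.
    if "login" in desc and ev.get("status") == "success" and not is_trusted(source_ip(ev)):
        hits.append("admin_login_untrusted_source")
    # Stage 1 (persistence): a new administrator object was created.
    if action == "add" and cfgpath.startswith("system.admin"):
        hits.append("new_admin_account")
    # Stage 2 (access grant): VPN-related objects were added or edited.
    if action in ("add", "edit") and cfgpath.startswith(VPN_ACCESS_PATHS):
        hits.append("vpn_access_changed")
    # Stage 3 (information gathering): configuration exported off the box.
    if "backup" in desc or action == "backup":
        hits.append("config_exported")
    return hits


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every line; one alert per (line, rule) pair."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        for rule in classify(ev):
            alerts.append({"line": str(n), "rule": rule, "user": ev.get("user", "?"),
                           "src": source_ip(ev) or "?", "cfgobj": ev.get("cfgobj", "")})
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Distinct rules hit per user, in order seen; one account touching
    several stages of the chain is the pattern worth escalating."""
    by_user: Dict[str, List[str]] = defaultdict(list)
    for a in alerts:
        if a["rule"] not in by_user[a["user"]]:
            by_user[a["user"]].append(a["rule"])
    return dict(by_user)


# Constructed sample: two benign on-net events, then the suspicious chain.
SAMPLE_LOG = [
    'date=2026-01-15 time=09:02:11 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success" msg="Administrator netops logged in successfully"',
    'date=2026-01-15 time=09:03:40 devname="fw-edge-1" type="event" subtype="system" logdesc="Object attribute configured" user="netops" ui="https(10.20.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="42" cfgattr="comments[reviewed]" msg="Edit firewall.policy 42"',
    'date=2026-01-15 time=03:12:41 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="success" msg="Administrator admin logged in successfully via SSO"',
    'date=2026-01-15 time=03:13:02 devname="fw-edge-1" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"',
    'date=2026-01-15 time=03:13:30 devname="fw-edge-1" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[support]" msg="Edit user.group sslvpn_users"',
    'date=2026-01-15 time=03:14:05 devname="fw-edge-1" type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="https(203.0.113.5)" action="backup" msg="Configuration backed up to remote host"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"line {a['line']}: {a['rule']} user={a['user']} src={a['src']} obj={a['cfgobj']}")
    for user, rules in summarize(found).items():
        print(f"{user}: {len(rules)} stage(s) -> {rules}")
```

The per-user summary is the part that matters operationally: any single rule fires on legitimate administration too, but one account that logs in from outside the management network and then creates an admin, touches VPN groups and exports the configuration within minutes is the sequence the article describes.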

Connection to Previous Vulnerabilities

This latest threat follows the disclosure of the two critical authentication bypass vulnerabilities by Fortinet in early December. Affected products reportedly included FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Arctic Wolf had previously observed intrusions leveraging malicious SSO logins shortly after the advisory's release.

It's not clear right now whether the new attack activity bypasses the patches for those previously disclosed flaws, but researchers say they are seeing fully patched FortiGate devices being exploited in the new campaign. Fortinet administrators are reporting the same thing: successful attacks against fully updated FortiGate devices.

Threat actors frequently focus on the management interfaces of firewalls and VPNs for mass exploitation, often using specialized search engines to locate specific, vulnerable hardware configurations globally.

Security Recommendations

In light of the ongoing threats, and echoing previous warnings about campaigns such as "Console Chaos," Arctic Wolf advises organizations to prioritize security best practices:

  • Restrict Management Access: Limit all firewall management interface access to only trusted, internal networks. This is a critical defensive measure regardless of the network appliance vendor.
  • Vigilance and Patching: Organizations should ensure all devices are patched with the latest security updates, though the full efficacy of current patches against this specific new campaign is still under review.
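Restricting management access is something that can be checked mechanically against a device's configuration rather than by hand. The following is an added example, not code from the article or from Arctic Wolf or Fortinet, that parses a FortiOS-style configuration dump and flags two weak settings relevant to this campaign: administrator accounts with no `trusthost` source restriction (which would accept logins from anywhere, including for a newly created generic account) and management services (`allowaccess`) enabled on an interface with `set role wan`. The sample configuration is constructed; the `trusthost`, `allowaccess` and `role` settings are real FortiOS CLI keywords, but the parser is a simplified one written for this example.

```python
"""Audit a FortiOS-style configuration dump for exposed management access.

Checks (both defensive, both mapped to the recommendations above):
  1. admins without any trusthostN restriction
  2. management services allowed on interfaces whose role is "wan"

The sample configuration is constructed for this example; the parser is a
simplified reader of FortiOS's config/edit/set/next/end block syntax.
"""
import shlex
from typing import Dict, List, Optional

# Services that expose a management plane if reachable from untrusted networks.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp"}

Table = Dict[Optional[str], Dict[str, List[str]]]


def parse_fortios_config(text: str) -> Dict[str, Table]:
    """Return {table_path: {object_name: {setting: [values]}}}.

    A stack tracks nesting, so a sub-table inside an object is keyed as
    "parent table/object/sub table" and never collides with a top-level one.
    Settings made directly under a table (no "edit") land under object None.
    """
    tree: Dict[str, Table] = {}
    stack: List[List[Optional[str]]] = []  # entries: [table_path, current_object]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens or tokens[0].startswith("#"):
            continue
        kw = tokens[0]
        if kw == "config":
            parent = f"{stack[-1][0]}/{stack[-1][1]}/" if stack else ""
            path = parent + " ".join(tokens[1:])
            stack.append([path, None])
            tree.setdefault(path, {})
        elif kw == "edit":
            stack[-1][1] = tokens[1]
            tree[stack[-1][0]].setdefault(tokens[1], {})
        elif kw == "set":
            table, obj = stack[-1]
            tree[table].setdefault(obj, {})[tokens[1]] = tokens[2:]
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return tree


def audit(tree: Dict[str, Table]) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    for name, attrs in tree.get("system admin", {}).items():
        if name is None:
            continue
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}': no trusthost restriction, logins accepted from any source address")
    for name, attrs in tree.get("system interface", {}).items():
        if name is None:
            continue
        exposed = MGMT_SERVICES & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(f"interface '{name}': management services {sorted(exposed)} reachable on a WAN-role interface")
    return findings


# Constructed sample: "admin" is restricted to the management subnet, while
# "support" (the kind of generic account the campaign creates) is not;
# wan1 and internal both allow HTTPS/SSH, but only wan1 faces the Internet.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.0.0
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against a real backup, the first check also doubles as an inventory of administrator accounts, so an unexpected name appearing there is itself the persistence indicator the article describes.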

This story was updated on Jan. 22 to include information from Fortinet's PSIRT post.