Fortinet Firewalls Hit With Malicious Configuration Changes


These articles are AI-generated summaries. Please check the original sources for full details.

Possible Automated Attacks on Fortinet Firewalls

Automated infections are targeting FortiGate firewalls, resulting in the theft of firewall configuration files. Threat actors are exploiting Single Sign-On (SSO) logins, potentially bypassing patches for CVE-2025-59718 and CVE-2025-59719.

Why This Matters

Ideal security models assume complete patch coverage and robust authentication. Incomplete patching and the possible bypass of critical vulnerabilities such as CVE-2025-59718 show that neither assumption holds in practice. A stolen firewall configuration exposes the network's topology, policies and credentials, so its compromise can lead to widespread network breaches and data exfiltration, with significant financial and reputational cost to the organization.

Key Insights

  • CVE-2025-59718 & CVE-2025-59719, December 2025: Critical Fortinet vulnerabilities allowing SSO bypass.
  • Automated Activity: Follow-up actions after SSO access occurred within seconds, indicating automation.
  • SAML SSO Impact: The issue affects all SAML SSO implementations, not just FortiCloud SSO.

Practical Applications

  • Use Case: Organizations using FortiGate firewalls with SSO authentication are at risk of configuration theft and network compromise.
  • Pitfall: Assuming a patch fully mitigates a vulnerability without thorough verification; attackers may find bypasses.
