Security News

Cybersecurity news aggregator

HIGH Attacks Dark Reading

Fortinet Firewalls Hit With Malicious Configuration Changes

  • What: A threat actor is logging into FortiGate firewalls through FortiCloud/SAML SSO, creating generic accounts, granting them VPN access and exporting the device configuration, in an automated sequence that completes within seconds.
  • Affected: FortiGate devices with SSO login enabled, including devices fully patched for CVE-2025-59718 and CVE-2025-59719; Fortinet has confirmed a new attack path affecting all SAML SSO implementations.
  • Impact: Exported configurations contain hashed local credentials that attackers crack offline, and the added accounts give persistent VPN access; assume credential compromise and reset if malicious logins are seen.

Rob Wright, Senior News Director, Dark Reading. January 22, 2026.

UPDATE: A threat actor has been compromising Fortinet firewalls through single sign-on (SSO) logins over the past week, raising the possibility that a previously disclosed and mitigated authentication bypass vulnerability was not adequately patched.

Researchers with Arctic Wolf Labs observed malicious activity beginning on Jan. 15 that involved SSO logins and unauthorized configuration changes to FortiGate devices. After logging into the devices, an unidentified threat actor created generic accounts, granted VPN access to those accounts, and then exfiltrated the firewall configurations, Arctic Wolf Labs wrote in a blog post Wednesday. The activity, which the researchers suspect was automated, resembles a campaign Arctic Wolf documented in December following the disclosure of two critical Fortinet vulnerabilities, CVE-2025-59718 and CVE-2025-59719. Fortinet released patches for both flaws, but CVE-2025-59718, which allows attackers to bypass FortiCloud SSO login authentication, was exploited in the wild later that month. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog a few days after Arctic Wolf's initial report in December.

The malicious activity coincides with unconfirmed reports this week from users of malicious SSO logins on FortiGate devices that had already been patched for CVE-2025-59718. Several users on the r/Fortinet subreddit have in recent days reported compromises of firewalls that had been updated to fixed FortiOS versions, raising concerns that the patches did not fully mitigate the vulnerability. "It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719," Arctic Wolf Labs warned in the blog post.

The research team tells Dark Reading that it was unable to determine whether a patch bypass has been exploited. "We are aware of independent reports that fully patched devices have been affected by the latest cluster of threat activity, but we are not able to definitively confirm this to be the case," Arctic Wolf Labs says. Dark Reading contacted Fortinet for comment, but the company did not respond at press time.

In a blog post published on Thursday evening, Fortinet Chief Information Security Officer (CISO) Carl Windsor confirmed that the new wave of malicious SSO logins stemmed from incomplete patches for CVE-2025-59718 and CVE-2025-59719. "Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue," Windsor wrote. "However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path." Windsor said Fortinet product security identified the issue and is working on a new fix. He added that while only malicious FortiCloud SSO logins have been observed so far, the issue affects "all SAML SSO implementations."

Possible Automated Attacks on Fortinet Firewalls

After the threat actor gained access to devices through SSO, the follow-on activity, from multiple account creations to exfiltration of configuration data, was carried out rapidly, according to Arctic Wolf Labs. "Follow-up activities on compromised firewall accounts occurred within seconds of each other, indicating the potential of automated activity," according to the blog post. Arctic Wolf Labs says the cluster of malicious activity unfolded in a short time frame across several regions. The research team says there is no specific indication that AI was used to conduct the campaign. The configuration data was exfiltrated to a handful of IP addresses.

To protect themselves, the research team urged Fortinet customers to restrict access to firewall and VPN management interfaces to trusted internal networks. If malicious logins are detected on a device, administrators should assume the hashed credentials stored in its configuration have been compromised and reset those credentials immediately: Arctic Wolf Labs researchers said the threat actors are known to crack exported hashes offline, and weak passwords fall quickly to dictionary attacks. "Given that the threat activity described in this campaign involves malicious SSO logins, the following workaround offered by Fortinet for CVE-2025-59718 and CVE-2025-59719 may be worth considering," they wrote, urging customers to temporarily disable the FortiCloud SSO login feature on their devices.

The malicious SSO logins are the latest threat facing Fortinet customers this year. Last week, a critical vulnerability in the FortiSIEM platform, CVE-2025-64155, was exploited in the wild.

This story was updated at 7:45 a.m. ET on January 23 to reflect new statements from Fortinet CISO Carl Windsor.

About the Author: Rob Wright, Senior News Director, Dark Reading.
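The post-login sequence Arctic Wolf describes (an SSO admin login, generic account creation, VPN access granted, configuration exported, all within seconds) is a pattern that can be hunted for in FortiGate event logs. What follows is an added example, not code from Arctic Wolf, Fortinet or Dark Reading: a small Python correlation script run over constructed, hand-written log lines in the FortiOS key=value event-log style. The field names it keys on (user, ui, method, action, cfgpath, cfgobj, logdesc), the sample log IDs and the 120-second window and 5-second burst thresholds are assumptions for the example and should be mapped to your own log schema and tuned before use.

```python
"""Heuristic hunt for the SSO-login -> account creation -> config export chain.

Constructed example, not Arctic Wolf's or Fortinet's code. SAMPLE_LOGS is
hand-written in the FortiOS key=value event-log style; the field names and
log IDs are assumptions about that format, not taken from a real device.
"""
import shlex
from datetime import datetime, timedelta

# Constructed sample: one SSO session that matches the campaign pattern, then a
# benign interactive HTTPS admin session that creates a user 41 minutes later.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:41 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="sso_admin" ui="sso(203.0.113.10)" method="sso" srcip=203.0.113.10 action="login" status="success" msg="Administrator sso_admin logged in successfully from sso(203.0.113.10)"
date=2026-01-15 time=03:12:43 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="sso_admin" ui="sso(203.0.113.10)" action="Add" cfgtid=1001 cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
date=2026-01-15 time=03:12:44 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="sso_admin" ui="sso(203.0.113.10)" action="Add" cfgtid=1002 cfgpath="user.local" cfgobj="vpnuser1" msg="Add user.local vpnuser1"
date=2026-01-15 time=03:12:46 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="sso_admin" ui="sso(203.0.113.10)" action="Edit" cfgtid=1003 cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"
date=2026-01-15 time=03:12:49 logid="0100044546" type="event" subtype="system" logdesc="Config backup" user="sso_admin" ui="sso(203.0.113.10)" action="backup" msg="Configuration backed up by sso_admin"
date=2026-01-15 time=09:00:02 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2026-01-15 time=09:41:30 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Add" cfgtid=1004 cfgpath="user.local" cfgobj="newhire" msg="Add user.local newhire"
"""

SSO_WINDOW = timedelta(seconds=120)   # assumed: how long after login follow-on activity is correlated
BURST_GAP = timedelta(seconds=5)      # assumed: max gap between steps to call the session "automated"
ACCOUNT_PATHS = ("system.admin", "user.local")           # config paths that create login-capable accounts
VPN_PREFIXES = ("vpn.", "user.group", "firewall.policy")  # paths that can grant or widen VPN access


def parse_fortios_event(line: str) -> dict:
    """Parse one key=value event line (quoted values allowed) into a dict with a parsed timestamp."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if "date" in fields and "time" in fields:
        fields["_ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def is_sso_login(ev: dict) -> bool:
    """Successful admin login whose method or UI string identifies it as SSO."""
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and (ev.get("method") == "sso" or ev.get("ui", "").startswith("sso")))


def find_suspicious_sso_sessions(log_text: str, window=SSO_WINDOW, burst=BURST_GAP) -> list:
    """For every SSO login, collect same-user/same-UI activity inside `window` and score it."""
    events = [parse_fortios_event(l) for l in log_text.splitlines() if l.strip()]
    events = sorted((e for e in events if "_ts" in e), key=lambda e: e["_ts"])
    findings = []
    for i, login in enumerate(events):
        if not is_sso_login(login):
            continue
        user, ui = login.get("user"), login.get("ui")
        follow = [e for e in events[i + 1:]
                  if e.get("user") == user and e.get("ui") == ui
                  and e["_ts"] - login["_ts"] <= window]
        new_accounts = [e.get("cfgobj") for e in follow
                        if e.get("action") == "Add" and e.get("cfgpath") in ACCOUNT_PATHS]
        vpn_changes = [e.get("cfgpath") for e in follow
                       if e.get("cfgpath", "").startswith(VPN_PREFIXES)]
        exported = any(e.get("logdesc") == "Config backup" for e in follow)
        # Steps landing within a few seconds of each other suggest scripting rather than a human.
        gaps = [b["_ts"] - a["_ts"] for a, b in zip(follow, follow[1:])]
        automated = len(follow) >= 3 and all(g <= burst for g in gaps)
        if new_accounts or vpn_changes or exported:
            findings.append({
                "user": user, "ui": ui, "login_time": login["_ts"].isoformat(),
                "new_accounts": new_accounts, "vpn_changes": vpn_changes,
                "config_exported": exported, "automated": automated,
                # Response guidance from the article: an exported config carries password hashes.
                "response": "treat stored credential hashes as compromised; reset local admin and "
                            "user passwords, remove added accounts, review VPN settings",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sso_sessions(SAMPLE_LOGS):
        print(finding)
```

The benign HTTPS session is not reported: it is not an SSO login, and its account creation falls outside the correlation window. In production, feed the function a per-device slice of forwarded syslog and alert on any finding; if your organisation does not use FortiCloud or SAML SSO for admin access at all, any `is_sso_login` hit is itself worth an alert.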
