What data was compromised in this incident?

Hackers exported firewall configuration files, which may contain sensitive security policies, credentials, and network topology information.

What immediate steps should defenders take following this breach?

Admins should disable FortiCloud SSO, monitor for rogue accounts, apply new patches promptly, and audit device configurations for unauthorized changes.

This entry was generated by Aviatrix’s agentic AI workflow using verified public sources. It has not been reviewed or confirmed by human analysts. This content is provided for research and awareness only and should not be used as the sole basis for security, operational, or policy decisions. The entry may be updated as verification progresses or new information emerges. Aviatrix disclaims all liability for any and all damages resulting from decisions based on this entry.

Fortinet 2026 Breach: Authentication Bypass Leads to Firewall Configuration Theft

Attackers exploited a critical authentication bypass on FortiGate devices, enabling swift theft of firewall configs—even from patched systems. Discover the incident’s impact and defense strategies.

Published: January 22, 2026

Share this on:

Executive Summary

In January 2026, Fortinet FortiGate devices became the target of a coordinated cyberattack exploiting an authentication bypass vulnerability (CVE-2025-59718) associated with the FortiCloud SSO feature. Attackers accessed vulnerable firewalls, created rogue administrative accounts, and swiftly exfiltrated firewall configuration data using automated tools, demonstrating significant threat actor sophistication. Reports indicated the campaign began on January 15, 2026, and quickly escalated as even patched devices were compromised—suggesting a patch bypass or incomplete remediation. Affected organizations faced exposure of sensitive security configurations and heightened risk of follow-on breaches or lateral movement within their networks.

This incident spotlights the urgent challenges posed by cloud-exposed assets and incomplete vulnerability remediation. It emphasizes the criticality of rapid patch cycles, zero trust principles, and robust monitoring amid a trend of identity and configuration–focused attacks targeting enterprise infrastructure platforms.

Why This Matters Now

Attackers are rapidly exploiting incomplete patches and authentication flaws in widely deployed network devices, enabling unauthorized access and data theft at scale. As organizations increasingly depend on cloud-linked admin features, the urgency to address exposure, enforce segmentation, and close identity-driven attack paths has never been higher.

Attack Path Analysis

Attackers exploited a Fortinet FortiGate authentication bypass vulnerability in the SSO feature to gain initial access to firewall devices. They quickly escalated privileges by creating rogue admin accounts via the exposed SSO. No significant lateral movement was observed, as the attack focused on direct access. Malicious accounts provided attackers an encrypted channel for command and control to automate configuration export. Firewall configurations were exfiltrated over the existing VPN/tunnel, risking sensitive credentials and network mapping. The main impact was exposure of internal firewall configurations and potential for follow-on attacks, with no immediate destructive activity reported.

Kill Chain Progression

Initial Compromise

Highinferred

Privilege Escalation

High

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

High

Impact

Medium

Initial Compromise

Description

Exploitation of an authentication bypass vulnerability (CVE-2025-59718) in FortiGate's SSO feature enabled attackers to gain unauthorized access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-59718
CVSS 9.8
An improper verification of cryptographic signature vulnerability in Fortinet products allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML response messages.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2. ... , 7.0.0 through ...
Fortinet FortiSwitchManager – 7.2.0 through ... , 7.0.0 through ...
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-59718 https://fortiguard.fortinet.com/psirt/FG-IR-25-647 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718
CVE-2025-59719
CVSS 9.8
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML response messages.
Affected Products:
Fortinet FortiWeb – 8.0.0, 7.6.0 through ... 4, 7.4.0 through ...
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-59719 https://fortiguard.fortinet.com/psirt/FG-IR-25-648 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59719

MITRE ATT&CK® Techniques

Techniques selected for initial mapping; expansion to full STIX/TAXII dataset available in GA release.

Initial Access

T1190

Exploit Public-Facing Application

Persistence

T1556.004

Modify Authentication Process: Single Sign-On

Credential Access

T1078

Valid Accounts

Persistence

T1136.001

Create Account: Local Account

Impact

T1565.001

Data Manipulation: Stored Data Manipulation

Collection

T1005

Data from Local System

Exfiltration

T1020

Automated Exfiltration

Defense Evasion

T1070.004

Indicator Removal: File Deletion

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Authentication and Access Control for All System Components

Control ID: 8.2.2

Attackers bypassed authentication controls and created rogue accounts, highlighting failures in robust authentication and access management for administrative interfaces.

NYDFS 23 NYCRR 500 – Cybersecurity Policy & Access Privileges

Control ID: 500.03, 500.07

Exploitation of authentication bypass reflects insufficient controls over privileged account management and inadequate review of access privileges in regulated environments.

DORA (Digital Operational Resilience Act) – ICT Security Policies and Procedures

Control ID: Article 9(2)

Weaknesses in device authentication mechanisms and delayed patching demonstrate insufficient ICT risk protection, in breach of governance and resilience obligations under DORA.

CISA Zero Trust Maturity Model 2.0 – Strong Authentication and Policy Enforcement

Control ID: Identity Pillar - Authentication

Attackers exploited single sign-on flaws to gain unauthorized access, showing a lack of strict authentication controls and adaptive policies outlined in zero trust guidance.

NIS2 Directive – Appropriate Policies for Identity and Access Management

Control ID: Article 21(2)(d)

The breach reveals deficiencies in identity and access management policies and technical controls mandated for critical entities under NIS2.

PCI DSS 4.0 – Logging and Monitoring

Control ID: 10.4.1

Lack of timely detection and response to rogue account creation suggests weaknesses in security event logging and monitoring of critical system activities.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

Critical exposure through Fortinet FortiGate authentication bypass enabling attackers to steal firewall configurations, compromise VPN access, and potentially breach financial data protection controls.

Health Care / Life Sciences

Authentication bypass attacks on FortiGate devices threaten HIPAA compliance, patient data security, and healthcare network segmentation through stolen firewall configurations and unauthorized access.

Government Administration

CISA-catalogued vulnerability exploitation targeting government FortiGate devices enables configuration theft, unauthorized VPN access, and potential compromise of sensitive government communications and data.

Computer/Network Security

Direct impact on cybersecurity infrastructure through automated FortiGate attacks exploiting SSO vulnerabilities, demonstrating critical gaps in network security appliance protection and configuration management.

Sources

Hackers breach Fortinet FortiGate devices, steal firewall configshttps://www.bleepingcomputer.com/news/security/hackers-breach-fortinet-fortigate-devices-steal-firewall-configs/
Verified

Fortinet FortiOS CVE-2025- ... : Improper Verification of Cryptographic Signaturehttps://nvd.nist.gov/vuln/detail/CVE-2025-59718

Verified

Fortinet Security Advisory FG-IR-25-647https://fortiguard.fortinet.com/psirt/FG-IR-25-647

Verified

CISA Known Exploited Vulnerabilities Catalog Entry for CVE-2025- ... https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718

Verified

Fortinet Security Advisory FG-IR-25-648https://fortiguard.fortinet.com/psirt/FG-IR-25-648

Verified

CISA Known Exploited Vulnerabilities Catalog Entry for CVE-2025- ... https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59719

Verified

Frequently Asked Questions

Attackers exploited an incomplete patch for the authentication bypass vulnerability, allowing them to bypass SSO restrictions and create admin accounts even on devices that had been patched.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Applying Zero Trust segmentation, strict identity controls, centralized visibility, and egress enforcement would have contained the breach, limited attacker mobility, and prevented or detected unauthorized configuration exports. CNSF capabilities such as microsegmentation, inline IPS, and egress policy enforcement are vital to minimize risk from authentication bypasses and automated exfiltration.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: Attack surface reduction decreases exposure to vulnerable services.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Limits exposure of privileged interfaces to authorized identities only.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Prevents or restricts attacker movement to other network segments.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Enhances detection and alerting on anomalous admin session behavior.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Blocks or logs unauthorized outbound transfers of sensitive data.

Impact (Mitigations)

Blocks follow-on exploit attempts and malicious payloads.

Impact at a Glance

Affected Business Functions

Network Security Management
Firewall Configuration
VPN Access Control

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Unauthorized access to firewall configurations, including network layouts, firewall rules, and potentially hashed passwords, leading to potential network compromise and data breaches.

Recommended Actions

• Immediately disable vulnerable SSO interfaces and enforce least-privilege identity-based segmentation on all critical admin endpoints.
• Institute multicloud visibility and automated anomaly detection to rapidly identify and respond to rogue account creation or abnormal admin activities.
• Deploy east-west segmentation and microsegmentation to limit lateral movement from compromised network devices.
• Enforce stringent egress filtering and data loss prevention controls to block unauthorized exports of sensitive configurations.
• Integrate inline IPS/Suricata signatures and CNSF distributed enforcement to proactively block exploit attempts and limit attack impact.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Get a Free Workload Attack Path Assessment Under Active Attack?

Fortinet 2026 Breach: Authentication Bypass Leads to Firewall Configuration Theft

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-59718

Affected Products:

Exploit Status:

References:

CVE-2025-59719

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Modify Authentication Process: Single Sign-On

Valid Accounts

Create Account: Local Account

Data Manipulation: Stored Data Manipulation

Data from Local System

Automated Exfiltration

Indicator Removal: File Deletion

Potential Compliance Exposure

PCI DSS 4.0 – Authentication and Access Control for All System Components

NYDFS 23 NYCRR 500 – Cybersecurity Policy & Access Privileges

DORA (Digital Operational Resilience Act) – ICT Security Policies and Procedures

CISA Zero Trust Maturity Model 2.0 – Strong Authentication and Policy Enforcement

NIS2 Directive – Appropriate Policies for Identity and Access Management

PCI DSS 4.0 – Logging and Monitoring

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Computer/Network Security

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads