FortiGate Patch Bypass Alert: Why "Fully Patched" Firewalls Are Still Getting Hacked

If you patched your Fortinet FortiGate firewalls last month and assumed you were protected, you need to read this immediately. As of January 21, 2026, multiple organizations are reporting that attackers are successfully compromising FortiGate devices that had already been upgraded to address CVE-2025-59718—the critical authentication bypass vulnerability disclosed in December 2025.

This isn't a theoretical risk. Security researchers at Arctic Wolf confirmed observing "multiple compromises of fully patched Fortinet firewalls in the last 24 hours," exhibiting behavior consistent with the December CVE. Enterprise administrators are posting on Reddit about malicious SSO logins and unauthorized admin accounts appearing on firewalls running the supposedly fixed FortiOS 7.4.9, which could lead to complete network control if exploited.

What's Happening: The Patch That Didn't Hold

CVE-2025-59718 is a critical authentication bypass flaw (CVSS 9.8) that continues to be exploited, highlighting the need for proactive security measures. Fortinet released patches in early December 2025, and many organizations promptly upgraded.

The problem: those patches appear incomplete.

According to reports emerging this week, one affected administrator confirmed that Fortinet's developer team acknowledged the vulnerability persists in FortiOS version 7.4.10. Fortinet is reportedly preparing emergency releases (versions 7.4.11, 7.6.6, and 8.0.0) to fully address the security flaw.

"We just had a malicious SSO login on one of our FortiGates running on 7.4.9," wrote one affected administrator. "We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718."

The Attack Pattern: What Security Teams Are Seeing

Arctic Wolf's analysis reveals a consistent, automated attack chain that began on January 15, 2026. Here's what threat actors do once they gain access.

First, attackers are logging in via malicious SSO authentication, typically targeting the cloud-init@mail.io account. The malicious SSO logins originate from several hosting providers, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited.

Second, they export complete device configurations via the FortiGate GUI. This includes all firewall rules, VPN configurations, and critically, hashed credentials for admin and user accounts.

Third, attackers create persistence accounts with generic names designed to blend in, such as "secadmin," "itadmin," "support," "backup," "remoteadmin," or "audit."

All these steps are executed in quick succession, indicating automated tooling.

The Double Vulnerability Problem

This situation is compounded by the fact that organizations are still dealing with CVE-2020-12812, a five-year-old 2FA bypass vulnerability that Fortinet warned about in late December 2025. According to the Shadowserver Foundation, over 10,000 Fortinet firewalls remain exposed to this flaw as of January 2026, with more than 1,300 in the United States alone.

The older vulnerability exploits a case-sensitivity mismatch between FortiGate and LDAP directories. When a user logs in with "JSmith" instead of "jsmith," FortiGate fails to match the local 2FA-configured user and authenticates directly against LDAP, bypassing the second factor entirely.

Advanced persistent threat groups, including APT5, Iranian-backed actors, and ransomware families like Conti, REvil, and Hive, have all exploited CVE-2020-12812 in the wild. CISA added it to the Known Exploited Vulnerabilities catalog in 2021, specifically flagging it for use in ransomware attacks.

Immediate Actions for Security Teams

If you're running FortiGate firewalls, here's what you need to do right now.

Step 1: Disable FortiCloud SSO Login Immediately

Until Fortinet provides a fully patched FortiOS release, temporarily disable the vulnerable FortiCloud login feature. Navigate to System, then Settings, and switch "Allow administrative login using FortiCloud SSO" to Off. Alternatively, run these commands from the CLI:

config system global

set admin-forticloud-sso-login disable

end

Step 2: Check for Indicators of Compromise

Review your logs for unauthorized account creation with names such as 'secadmin,' 'itadmin,' 'support,' 'backup,' 'remoteadmin,' or 'audit.' Look for configuration exports via the GUI, particularly those associated with known hosting providers. Check for SSO logins from unfamiliar IP addresses or targeting the cloud-init@mail.io account. Regular monitoring helps you stay ahead of threats.

Step 3: Assume Credential Compromise

If attackers exported your firewall configuration, assume that all hashed credentials stored in it have been compromised. Reset all administrative passwords immediately. Reset VPN user credentials. Rotate any API keys or service account credentials stored in the configuration. Acting now can prevent further damage.

Step 4: Restrict Management Interface Access

This is a best practice that should already be in place. Restrict access to firewall management interfaces to trusted internal networks only. Use jump boxes or VPN-only access for administrative functions. Implement additional authentication controls beyond what the firewall provides.

The Broader Lesson: Network Edge Risk Management

This incident underscores a fundamental challenge in enterprise security: network edge devices, such as firewalls, are both critical infrastructure and challenging to monitor. Traditional endpoint detection and response tools can't penetrate these appliances deeply enough to detect compromise.

According to Eclypsium's research, while network appliances are marketed as purpose-built security devices, they typically run commodity processors with general-purpose operating systems underneath. This creates an attack surface that security teams often can't see.

Organizations should implement network behavior analytics that can detect anomalous administrative activity on edge devices. Deploy out-of-band logging to a SIEM that attackers can't disable by compromising the firewall itself. Consider solutions that can verify firmware integrity and detect unauthorized modifications.

What to Watch For

Fortinet has not yet publicly confirmed the patch bypass reports, though multiple administrators claim to have received confirmation through support channels. Watch for official security advisories and emergency patch releases.

In the meantime, treat any FortiGate firewall with FortiCloud SSO enabled as potentially vulnerable, regardless of patch level. The security of your entire network perimeter may depend on it.

Ready to Assess Your Perimeter Security Posture?

The FortiGate situation highlights a critical reality: patching alone isn't enough when patches don't fully address vulnerabilities. Our security assessment services can help you identify exposed management interfaces, verify security controls are functioning as expected, and build incident response playbooks for edge device compromise scenarios.

Contact us today to schedule a network perimeter security review before attackers find gaps in your defenses.

Sources:

1. BleepingComputer - "Fortinet admins report patched FortiGate firewalls getting hacked" (January 21, 2026) https://www.bleepingcomputer.com/news/security/fortinet-admins-report-patched-fortigate-firewalls-getting-hacked/
2. Help Net Security - "Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?" (January 21, 2026, Updated January 22, 2026) https://www.helpnetsecurity.com/2026/01/21/patched-fortigate-compromised-via-cve-2025-59718/
3. Arctic Wolf - "CVE-2025-25249: Remote Code Execution Vulnerability in FortiOS and FortiSwitchManager" (January 15, 2026) https://arcticwolf.com/resources/blog/cve-2025-25249/
4. Cybersecurity Dive - "Thousands of firewalls at risk as legacy flaw in Fortinet faces renewed threat" (January 5, 2026) https://www.cybersecuritydive.com/news/thousands-of-firewalls-at-risk-as-legacy-flaw-in-fortinet-under-renewed-thr/808739/
5. Eclypsium - "Fortinet Under Fire: Network Edge Attacks Start Strong in 2026" (January 2026) https://eclypsium.com/blog/fortinet-authentication-bypass-network-edge-attacks-cve-2020-12812/
6. Fortinet FortiGuard PSIRT Advisories https://www.fortiguard.com/psirt