FortiGate Firewalls Under Attack: Automated Campaign Exploits Devices to Steal Configuration Data

Recent intelligence points to a renewed and concerning surge in automated malicious activity directly targeting FortiGate firewall devices. Starting January 15, 2026, threat actors have initiated a coordinated campaign, executing unauthorized configuration changes, establishing persistent access through compromised generic accounts, and critically, exfiltrating sensitive firewall configuration data. This ongoing threat underscores the persistent challenges in securing critical network infrastructure and echoes a similar incident in December 2025 involving malicious Single Sign-On (SSO) logins, which occurred shortly after Fortinet disclosed the critical vulnerabilities CVE-2025-59718 and CVE-2025-59719.

Understanding the Automated Attack Vector

The current FortiGate attack campaign demonstrates a sophisticated level of automation, allowing adversaries to rapidly compromise and exploit a range of devices. The primary objective appears to be the theft of configuration data, which can provide threat actors with invaluable insights into an organization’s network topology, security policies, VPN credentials, and other critical information. Such data can then be leveraged for deeper network penetration, targeted attacks, or sold on dark web marketplaces.

The observed tactics include:

• Unauthorized Configuration Changes: Attackers are directly manipulating firewall settings, potentially creating backdoors, disabling security features, or redirecting traffic.
• Persistence Through Generic Accounts: By compromising or creating generic user accounts, adversaries ensure continued access to the firewall, even if initial entry points are closed. This highlights the importance of strong credential management and multi-factor authentication (MFA) for all administrative interfaces.
• Exfiltration of Configuration Data: This is the most critical aspect of the current campaign. Stolen configuration files reveal the intricate details of an organization’s network, effectively handing over the keys to the kingdom.

Connecting to Previous Vulnerabilities: CVE-2025-59718 and CVE-2025-59719

The current wave of attacks raises concerns about potential links to previously disclosed critical vulnerabilities. The December 2025 incident, characterized by malicious SSO logins, occurred in close proximity to Fortinet’s announcements regarding CVE-2025-59718 and CVE-2025-59719. While the exact exploit chain for the current automated attacks is still under investigation, it is plausible that these or similar vulnerabilities are being leveraged by threat actors to gain initial access or escalate privileges on vulnerable FortiGate devices.

• CVE-2025-59718: (Specific details of the vulnerability would be added here if available, e.g., “This vulnerability likely pertains to an authentication bypass flaw in the FortiGate SSL VPN component.”)
• CVE-2025-59719: (Specific details of the vulnerability would be added here if available, e.g., “This vulnerability could be a remote code execution (RCE) flaw, allowing unauthenticated attackers to execute arbitrary commands.”)

Organizations must remain vigilant and review their patching cycles, especially for security patches related to these critical flaws.

Remediation Actions and Proactive Defense

Responding to this threat requires immediate and comprehensive action. Organizations managing FortiGate firewalls should prioritize the following:

• Patch Immediately: Ensure all FortiGate devices are running the latest firmware versions with all available security patches. Prioritize updates addressing CVE-2025-59718 and .
• Review Logs for Anomalies: Scrutinize FortiGate firewall logs for any unauthorized configuration changes, unusual login attempts, unexpected account creations, or data exfiltration events, particularly from January 15, 2026, onwards.
• Strengthen Authentication: Implement Multi-Factor Authentication (MFA) for all administrative access to FortiGate devices, VPNs, and SSO logins. Review and disable any default or generic accounts.
• Audit User Accounts: Regularly audit all administrative and user accounts on FortiGate devices. Remove dormant accounts and strengthen passwords for active ones.
• Restrict Administrative Access: Limit administrative access to FortiGate devices from trusted IP addresses only. Implement strict network segmentation to isolate management interfaces.
• Monitor Outbound Traffic: Implement robust network monitoring to detect and alert on suspicious outbound connections from FortiGate devices, especially those that could indicate data exfiltration.
• Backup Configurations Securely: Maintain regular, encrypted backups of FortiGate configurations in an off-network location to facilitate rapid recovery in case of compromise.
• Review Security Policies: Evaluate existing firewall policies for overly permissive rules that could be leveraged by attackers. Implement a “least privilege” approach.

Relevant Tools for Detection and Mitigation

Tool Name	Purpose	Link
FortiAnalyzer	Log management, security analytics, and reporting for FortiGate.	FortiAnalyzer Product Page
FortiManager	Centralized management of FortiGate devices, including firmware updates and policy enforcement.	FortiManager Product Page
Intrusion Prevention Systems (IPS)	Detects and prevents known exploits and malicious traffic patterns. Enable and update IPS signatures on your FortiGate.	(Integrated within FortiGate firewalls)
Security Information and Event Management (SIEM)	Aggregates and intelligently analyzes logs from multiple sources, including FortiGate, for threat detection.	Splunk / Elastic Stack (ELK)

Conclusion

The ongoing automated attacks targeting FortiGate firewalls for configuration data theft represent a significant and evolving threat. The echoes of previous incidents and the timing relative to critical vulnerability disclosures highlight the persistent efforts of threat actors to capitalize on any weakness. By prioritizing immediate patching, vigilant log analysis, robust authentication measures, and proactive security practices, organizations can significantly bolster their defenses against these sophisticated campaigns and protect their critical network infrastructure from compromise. Staying informed about the latest threat intelligence and adhering to vendor security advisories are paramount for maintaining a strong security posture.