The picture described by the incident response teams and the firms that have investigated the campaign is straightforward and fast-moving. According to public reports from industry firms, anomalous accesses began to be detected in mid-January: administrative accounts were created with VPN access, and the configurations of the affected devices were exfiltrated in a matter of seconds. The speed and uniformity of these intrusions point to an automated process that exploits either a new attack path or a way around the earlier fix.
Fortinet has publicly confirmed that the activity observed in recent weeks resembles the exploitation documented in December, and that the company is working to fully identify and remediate the vector behind the new intrusions. In its technical note on the abuse of SSO in FortiOS (see Fortinet's communication), the company acknowledges that, although the known exploitation has so far affected FortiCloud SSO, the underlying problem concerns the SAML SSO implementation more generally.

The indicators shared by customers and analysts help reconstruct part of the attack: several access logs show that the administrative accounts were created after an SSO login from the email address cloud-init@mail.io and from the IP address 104.28.244.114, a pattern also identified by the security firm that published observations on the campaign. Fortinet, for its part, has published indicators of compromise that can be used to hunt for evidence on potentially affected devices (see IOCs shared by Fortinet).
To gauge the exposure, the Shadowserver Foundation maintains a tracker of devices with FortiCloud SSO exposed to the Internet; its dashboard shows roughly 11,000 publicly reachable devices with that service enabled (see the Shadowserver dashboard). This figure explains why the addition of CVE-2025-59718 to the Known Exploited Vulnerabilities catalog of the U.S. agency CISA prompted urgent measures: on December 16, CISA added the flaw to its catalog and ordered federal agencies to apply patches within a set deadline (CISA statement, catalog entry).
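As an added example (not Fortinet's code or its IOC tooling), the following Python turns the indicators just described into a hunt over FortiGate-style event logs. It flags two things: any successful login whose user or source address matches the published values, and, more durably, any administrator account added within a short window of an SSO login by the same identity, since the indicator values can change while the technique stays the same. The log lines are constructed for the example; the field names (date, time, action, status, method, user, srcip, cfgpath, cfgobj) are assumptions that should be mapped to the real event schema of the device and firmware version under review.

```python
import re
from datetime import datetime, timedelta

# Indicator values reported for the campaign (quoted in the article above).
IOC_USERS = {"cloud-init@mail.io"}
IOC_IPS = {"104.28.244.114"}
# An admin account added this soon after an SSO login is linked to that login.
WINDOW = timedelta(minutes=10)

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log in FortiOS-like key=value form. Field names are assumed.
# The IOC values are the published ones; everything else (the operator account
# "ops-admin", the added admin "svc_backup", timestamps, addresses) is made up.
SAMPLE_LOG = """\
date=2026-01-14 time=03:12:07 logdesc="Admin login successful" user="ops-admin" method="https" srcip=203.0.113.10 action="login" status="success"
date=2026-01-14 time=03:40:51 logdesc="Admin login successful" user="cloud-init@mail.io" method="sso" srcip=104.28.244.114 action="login" status="success"
date=2026-01-14 time=03:40:53 logdesc="Object attribute configured" user="cloud-init@mail.io" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2026-01-14 time=09:15:00 logdesc="Object attribute configured" user="ops-admin" action="Add" cfgpath="system.admin" cfgobj="newhire" msg="Add system.admin newhire"
"""


def parse_line(line):
    """Parse one key=value event line into a dict (quotes stripped).

    date and time are combined into a datetime stored under "ts".
    """
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def hunt(lines):
    """Return findings as (kind, timestamp, user, srcip, detail) tuples.

    kind "ioc-login": a successful login whose user or source IP matches the
    published indicators; detail is the login method.
    kind "admin-after-sso": a system.admin object added within WINDOW of a
    successful SSO login by the same identity; detail is the new admin name.
    """
    findings = []
    sso_logins = []  # (ts, user, srcip) of recent successful SSO logins
    for rec in map(parse_line, lines):
        if "ts" not in rec:
            continue  # not an event line we understand
        ts = rec["ts"]
        user, srcip = rec.get("user", ""), rec.get("srcip", "")
        if rec.get("action") == "login" and rec.get("status") == "success":
            if user in IOC_USERS or srcip in IOC_IPS:
                findings.append(("ioc-login", ts, user, srcip, rec.get("method", "")))
            if rec.get("method", "").lower() == "sso":
                sso_logins.append((ts, user, srcip))
        elif rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin":
            # Forget SSO logins too old to be linked to this config change.
            sso_logins = [s for s in sso_logins if ts - s[0] <= WINDOW]
            for _, sso_user, sso_ip in sso_logins:
                if sso_user == user:
                    findings.append(("admin-after-sso", ts, user, sso_ip, rec.get("cfgobj", "")))
    return findings


if __name__ == "__main__":
    for kind, ts, user, srcip, detail in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()}  {kind:16} user={user} srcip={srcip} {detail}")
```

Run against the constructed sample, the first detection fires on the SSO login carrying both indicator values, and the second fires on the admin account added two seconds later by that identity; the legitimate account created by the operator hours later does not trigger, because no SSO login by that user falls inside the window. On a real device, feed it the exported event log (or the SIEM export) and widen the window to taste.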
In this context, the practical recommendations are clear and urgent. Fortinet suggests limiting administrative access from the Internet with a local-in policy that restricts the IP addresses allowed to manage the devices; official documentation explains how to configure this policy on FortiGate (more information on local-in policies). In addition, until a final fix is delivered, the company advises disabling administrative login via FortiCloud SSO in the system settings and checking the logs for any trace of compromise.
If, when reviewing the devices, the indicators of compromise associated with this campaign are found, the operational recommendation is to treat the device and its configuration as compromised: rotate all relevant credentials, including any LDAP/AD accounts that may have been exposed, and restore the configuration from a known-clean backup. Fortinet has published technical steps and resources in its community to guide the response (see the suggestions in the Fortinet community).
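To make the two hardening steps concrete, here is an added example (not Fortinet's tooling) that shows a weak FortiOS configuration beside a hardened one and audits both: it checks that FortiCloud SSO admin login is explicitly disabled and that management services on the WAN interface are accepted only from a named address object and then denied for everyone else via the local-in policy. The two configuration texts are constructed; the CLI names used (admin-forticloud-sso-login under config system global, config firewall local-in-policy with intf, srcaddr, dstaddr, service, schedule and action) are as I recall them from FortiOS 7.x and should be verified against the documentation for the firmware in use, as should the assumption that a local-in policy's action defaults to deny.

```python
import re

# Service objects treated as device-management services by this check.
MGMT_SERVICES = {"HTTPS", "SSH", "HTTP", "TELNET", "SNMP"}

# Constructed configs (not from a real device). Weak: SSO admin login enabled
# and no local-in policy, so management is reachable from any Internet address.
# Hardened: SSO login disabled; management on wan1 accepted only from the
# "mgmt-hosts" address object and denied for every other source.
WEAK_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
"""

HARDENED_CONFIG = """\
config system global
    set admin-forticloud-sso-login disable
end
config firewall address
    edit "mgmt-hosts"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: [values]}}}.

    Section-level settings (no enclosing `edit`) are stored under entry None.
    """
    tree, stack = {}, []  # stack of [section name, current entry]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[7:], None])
            tree.setdefault(line[7:], {})
        elif line.startswith("edit ") and stack:
            stack[-1][1] = line[5:].strip('"')
            tree[stack[-1][0]].setdefault(stack[-1][1], {})
        elif line.startswith("set ") and stack:
            key, *vals = re.findall(r'"[^"]*"|\S+', line[4:])
            sec, ent = stack[-1]
            tree[sec].setdefault(ent, {})[key] = [v.strip('"') for v in vals]
        elif line == "next" and stack:
            stack[-1][1] = None
        elif line == "end" and stack:
            stack.pop()
    return tree


def audit(tree, wan_intf):
    """Return a list of findings; an empty list means both checks pass."""
    issues = []
    glob = tree.get("system global", {}).get(None, {})
    # Flag unless explicitly disabled: an absent line means the firmware
    # default applies, and this check does not assume the default is safe.
    if glob.get("admin-forticloud-sso-login", [""])[0] != "disable":
        issues.append("admin-forticloud-sso-login is not explicitly disabled")
    # Policies are evaluated in ID order. Every accept for management services
    # on the WAN interface must come from a named source, and a catch-all deny
    # must follow. Missing action is treated as deny (assumed FortiOS default).
    policies = {k: v for k, v in tree.get("firewall local-in-policy", {}).items() if k is not None}
    deny_seen = False
    for pid, pol in sorted(policies.items(), key=lambda kv: int(kv[0])):
        if pol.get("intf", ["any"])[0] not in (wan_intf, "any"):
            continue
        if not set(pol.get("service", [])) & MGMT_SERVICES:
            continue
        action = pol.get("action", ["deny"])[0]
        src_all = "all" in pol.get("srcaddr", [])
        if action == "accept" and src_all:
            issues.append(f"local-in-policy {pid} accepts management services from any source on {wan_intf}")
        if action == "deny" and src_all:
            deny_seen = True
            break
    if not deny_seen:
        issues.append(f"no catch-all deny for management services on {wan_intf}")
    return issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_fortios(cfg), "wan1") or ["OK"])
```

The weak configuration produces two findings (SSO login not disabled, no catch-all deny on wan1) and the hardened one produces none. To audit a real unit, paste the output of a full configuration backup in place of the constructed text and pass the name of the Internet-facing interface; the parser ignores sections it does not know about, so it can be pointed at a complete backup.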

Beyond this particular incident, there are two lessons to internalize. The first is that centralized authentication solutions such as SAML/SSO, which offer convenience and control, also concentrate risk: a vulnerability in that chain of trust can give an attacker broad and rapid access. The second is that having applied a patch does not guarantee that the exposure is gone; there are always cases where alternative exploitation paths emerge or the fix does not cover unforeseen scenarios. Therefore, in critical environments, defense-in-depth measures remain essential: segmentation of access, IP allowlisting for administration, continuous log monitoring and restoration from clean backups.
If you manage Fortinet devices on a corporate network, act now: review the FortiCloud SSO configuration, audit recent accesses, block management from the Internet and prepare response plans that include credential rotation and safe restoration. Many of these steps are detailed in the official sources cited in this article; reviewing and following them significantly reduces the likelihood of a similar intrusion.
The situation is still developing, and both security vendors and manufacturers will continue to publish technical updates. To stay current and cross-check information, follow the manufacturers' publications and alerts from bodies such as CISA, as well as reports from incident response firms that monitor malicious activity in the field. In an environment where attacks are quickly automated and spread, active prevention and early detection are the best defense.