Overview
- Arctic Wolf reports a campaign beginning January 15 that rapidly creates admin accounts, enables VPN access, and exfiltrates firewall configurations within seconds.
- Fortinet CISO Carl Windsor says recent cases affected devices running the latest releases at the time, indicating a new route to bypass authentication.
- Fortinet warns the weakness applies to all SAML SSO implementations and urges customers to restrict management access and disable FortiCloud SSO.
- Shadowserver now tracks about 11,000 internet-exposed Fortinet devices with FortiCloud SSO enabled, highlighting ongoing exposure.
- Indicators of compromise include SSO logins using cloud-init@mail.io or cloud-noc@mail.io and source IPs such as 104.28.244.114, with CISA listing CVE-2025-59718 as actively exploited.
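The indicators above lend themselves to two complementary detections: a static match on the quoted account names and source IP, and a behavioural rule for the login-then-admin-account-then-VPN-then-config-export sequence that happens within seconds. The Python below is an added example, not code from the article, Arctic Wolf or Fortinet; the log lines are constructed in a generic key=value format with fictitious timestamps, and the action names are assumed labels rather than any vendor's event names.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted in the article.
IOC_USERS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_IPS = {"104.28.244.114"}
# Follow-on actions the article describes happening within seconds of login
# (action names are assumed labels, not a vendor's event names).
FOLLOW_ON = {"admin_account_created", "vpn_enabled", "config_exported"}
WINDOW = timedelta(seconds=60)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Parse one constructed key=value log line into a dict."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def analyze(lines):
    """Return [(reason, login_event), ...] for suspicious SSO logins."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("action") != "sso_login":
            continue
        # Rule 1: static IoC match on account name or source IP.
        if ev.get("user") in IOC_USERS or ev.get("srcip") in IOC_IPS:
            alerts.append(("ioc_match", ev))
        # Rule 2: the same identity performs every follow-on action
        # within WINDOW of logging in, whether or not an IoC matched.
        seen = set()
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW:
                break
            if later.get("user") == ev.get("user"):
                seen.add(later.get("action"))
        if FOLLOW_ON <= seen:
            alerts.append(("rapid_post_login_sequence", ev))
    return alerts

# Constructed sample log (generic key=value format, fictitious timestamps).
SAMPLE = [
    'ts=2000-01-01T03:12:00 action=sso_login user=cloud-init@mail.io srcip=104.28.244.114',
    'ts=2000-01-01T03:12:02 action=admin_account_created user=cloud-init@mail.io srcip=104.28.244.114',
    'ts=2000-01-01T03:12:04 action=vpn_enabled user=cloud-init@mail.io srcip=104.28.244.114',
    'ts=2000-01-01T03:12:06 action=config_exported user=cloud-init@mail.io srcip=104.28.244.114',
    'ts=2000-01-01T09:00:00 action=sso_login user=alice@example.com srcip=198.51.100.7',
    'ts=2000-01-01T10:30:00 action=config_exported user=alice@example.com srcip=198.51.100.7',
]
```

The behavioural rule catches the same sequence from an account or IP not yet on any indicator list, which matters because the article notes the bypass worked against fully patched releases.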