Fortinet is investigating a concerning new wave of attacks targeting its network security devices, where threat actors are successfully compromising systems that have already been fully patched against known vulnerabilities. The company has confirmed that while the attacks bear similarities to critical flaws disclosed in December 2025, the new incidents involve a “new attack path” that bypasses current defenses.
The initial vulnerabilities, CVE-2025-59718 and CVE-2025-59719, allowed attackers to bypass authentication on FortiGate devices by exploiting the FortiCloud Single Sign-On (SSO) feature. While patches were released, Fortinet now reports that “in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack”.
The attack leaves distinct fingerprints. Attackers are logging in using generic, cloud-themed accounts such as cloud-noc@mail.io and cloud-init@mail.io. Once authenticated, they move quickly to establish persistence by creating local administrative accounts.
“Creation of a local admin, presumably for persistence should the SSO account become disabled, has been seen in almost all cases,” the report notes. These backdoor accounts often use generic names like audit, backup, itadmin, secadmin, or support to blend in with legitimate system users.
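A detection pass over the two fingerprints described above (SSO logins by the named cloud-themed accounts, followed by creation of a generically named local admin), as an added example that is not from Fortinet's advisory; the log lines are constructed, and the FortiOS event-log field names used (action, method, status, cfgpath, cfgobj) are assumptions to adjust to your firmware's log format:

```python
import re

# Constructed sample FortiGate event log lines in key="value" syslog style.
# Field names are assumptions modelled on the common FortiOS event-log layout.
SAMPLE_LOGS = [
    'date=2026-01-10 time=08:01:12 type="event" subtype="system" action="login" '
    'status="success" user="cloud-noc@mail.io" method="sso" srcip=104.28.244.115',
    'date=2026-01-10 time=08:02:40 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="audit" user="cloud-noc@mail.io"',
    'date=2026-01-10 time=09:15:03 type="event" subtype="system" action="login" '
    'status="success" user="admin" method="https" srcip=10.0.0.5',
    'date=2026-01-10 time=09:16:00 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="jsmith" user="admin"',
]

# Indicators taken from the advisory text; extend as new ones are published.
KNOWN_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
GENERIC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value / key="value" log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def scan(lines):
    """Return a list of alert dicts for the two fingerprints.

    Rule 1: successful SSO login by one of the known cloud-themed accounts.
    Rule 2: a new local admin (cfgpath system.admin) that either carries a
            generic name or was created by an account that logged in via SSO
            earlier in the same log stream (persistence after the SSO login).
    """
    alerts, sso_users = [], set()
    for raw in lines:
        ev = parse_line(raw)
        if (ev.get("action") == "login" and ev.get("status") == "success"
                and ev.get("method") == "sso"):
            sso_users.add(ev.get("user"))
            if ev.get("user") in KNOWN_SSO_ACCOUNTS:
                alerts.append({"rule": "sso_login_known_account",
                               "user": ev["user"], "srcip": ev.get("srcip")})
        elif ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            admin, creator = ev.get("cfgobj", ""), ev.get("user")
            if admin in GENERIC_ADMIN_NAMES or creator in sso_users:
                alerts.append({"rule": "local_admin_created",
                               "admin": admin, "creator": creator})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(a)
```

The legitimate admin login over HTTPS and the "jsmith" account it creates produce no alert, so the rules key on the advisory's indicators rather than on admin creation alone.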
The attackers are also taking steps to mask their location. Fortinet observed that the threat actors “appears to have switched to use Cloudflare protected IPs,” making it harder to track their origin or block them based on simple IP reputation lists.
Observed IP addresses include 104[.]28.244.115 and 104[.]28.212.114, among others.
While Fortinet works on a new patch, they are urging customers to take defensive action immediately. The primary recommendation is to disable the vulnerable SSO feature if it is not strictly necessary.
“As an additional workaround we recommend disabling the FortiCloud SSO feature,” the advisory states. “This will prevent abuse via that method but not a third-party SSO system”.
Administrators can disable this feature via the CLI with the command: set admin-forticloud-sso-login disable.
Additionally, Fortinet advises restricting administrative access to trusted internal IP addresses only, using a “local-in policy” to block external access to the management interface.