FORTINET FIREWALL BREACH: HACKERS BYPASSING SECURITY
A massive FORTINET FIREWALL BREACH has set off a wave of automated attacks that is currently hitting companies relying on Fortinet firewalls to protect their networks. The security firm Arctic Wolf recently issued a high-level warning about a new burst of criminal activity that started on January 15, 2026. This isn’t just a small glitch; hackers are actually getting inside these devices, changing the firewall rules, and setting up secret doorways so they can come and go as they please. The attackers appear to be exploiting specific flaws that let them skip the login screen entirely, even without a password.
How the Hackers Are Slipping Through
The problem centers on a feature called Single Sign-On, or SSO, specifically the FortiCloud SSO login used by administrators. SSO is supposed to make life easier by letting admins log in once to access multiple tools. However, two major security holes—known in the tech world as CVE-2025-59718 and CVE-2025-59719—have turned this convenience into a nightmare. By sending a specially crafted message to the device, a hacker can trick the firewall into thinking they are a legitimate administrator. This works even if the hacker has no prior access to the system at all, which is why it is called an “unauthenticated” bypass.
Once they trick the system into letting them in, the attackers move with lightning speed. Within just a few seconds, they create new, fake user accounts with names that look totally normal, like “support,” “backup,” or “itadmin.” Because these names sound like something a real tech department would use, they often go unnoticed for a long time. These secondary accounts act as a backup plan for the hackers; even if their initial entry point is closed, they can still get back into the network whenever they want using these “ghost” accounts.

Stealing the Keys to the Kingdom
While setting up these fake accounts, the intruders are also busy stealing the most sensitive data a firewall holds: its configuration files. These files are essentially the blueprints of a company’s entire digital defense. By exporting these files to their own servers, the hackers can see exactly how a network is set up, which parts are weak, and where they should attack next. Reports show that the stolen data is being sent to a specific set of IP addresses located in different parts of the world, suggesting a coordinated and automated operation.
What makes this situation even more alarming is that the attacks seem to be happening all at once. Security researchers noted that the login, the account creation, and the data theft all happen within the same tiny window of time. This isn’t a human typing on a keyboard; it’s a computer program—a bot—doing the work for them. This automation allows the criminals to hit thousands of businesses simultaneously, looking for anyone who hasn’t secured their devices yet.
A Patch That Might Not Be Enough
There is a lot of confusion and worry in the tech community right now, especially on platforms like Reddit. Several users have reported that their Fortinet devices were hacked even though they were running the latest software updates. Some claim that the “fix” provided by the manufacturer isn’t actually stopping the hackers on certain versions of the software. While Fortinet investigates these claims, the situation remains tense for IT managers who thought their systems were safe.
To keep your business safe in the meantime, the best advice is to turn off the specific setting that allows FortiCloud SSO logins for administrators. Disabling this “admin-forticloud-sso-login” feature shuts the door that the hackers are currently using to get inside. It might make logging in slightly less convenient for your tech team, but it is a small price to pay to avoid a total network takeover. Keeping a close eye on your list of administrator accounts is also vital—if you see a new user named “audit” or “secadmin” that you didn’t create, you need to act immediately. Because the intruders also change firewall rules and export the configuration within seconds of logging in, review your rule set and look for unexpected configuration exports as well, not just for new accounts.
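As an added illustration (not from the article or from Fortinet), here is a small Python triage script that applies the two checks described above: it flags a successful SSO admin login followed within seconds by an admin-account creation or a configuration export by the same identity, and it flags any new admin whose name matches the list the article reports. The log lines are constructed and simplified; the field names and the 60-second window are assumptions, not FortiOS’s real log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified key=value event lines for the demo (the field
# names are assumptions, not FortiOS's real log schema).
SAMPLE_LOGS = """\
2026-01-15T03:12:07Z action=login method=sso user=admin status=success
2026-01-15T03:12:09Z action=add_admin actor=admin new_user=support
2026-01-15T03:12:11Z action=config_export actor=admin dest=203.0.113.45
2026-01-15T09:41:00Z action=login method=local user=alice status=success
2026-01-15T11:02:15Z action=add_admin actor=alice new_user=jdoe
"""

# Account names the article reports the attackers creating.
SUSPICIOUS_NAMES = {"support", "backup", "itadmin", "audit", "secadmin"}
# Login -> account creation -> config export reportedly happens within seconds;
# the 60-second window is an assumption for this demo.
WINDOW = timedelta(seconds=60)

def parse(log_text):
    """Turn each line into a dict of its key=value fields plus a parsed 'ts'."""
    events = []
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def triage(log_text, window=WINDOW):
    """Return alerts for (a) SSO logins quickly followed by admin creation or
    config export by the same identity and (b) any new admin account whose
    name is on the reported list, regardless of how the actor logged in."""
    events = parse(log_text)
    alerts = []
    for e in events:
        if e.get("action") == "add_admin" and e.get("new_user") in SUSPICIOUS_NAMES:
            alerts.append({"kind": "suspicious_admin", "new_user": e["new_user"],
                           "actor": e.get("actor")})
        if e.get("action") == "login" and e.get("method") == "sso" and e.get("status") == "success":
            follow = [f for f in events
                      if f.get("actor") == e["user"] and e["ts"] < f["ts"] <= e["ts"] + window
                      and f.get("action") in ("add_admin", "config_export")]
            if follow:
                alerts.append({"kind": "sso_chain", "user": e["user"],
                               "actions": [f["action"] for f in follow]})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

The local login by alice and her creation of the ordinary-looking account jdoe produce no alert, which is the point: the chain and the name list, not account creation by itself, are the signal.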
