Cybersecurity firm Arctic Wolf has warned of a "new cluster of automated malicious activity" that includes unauthorized firewall configuration changes on Fortinet FortiGate devices.
The activity, it said, began on January 15, 2026, adding that it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719.
Both vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
"This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations," Arctic Wolf said of the emerging threat cluster.
Specifically, this involves carrying out malicious SSO logins against a malicious account "cloud-init@mail.io" from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface. The list of source IP addresses is below:
- 104.28.244[.]115
- 104.28.212[.]114
- 217.119.139[.]50
- 37.1.209[.]19
In addition, the threat actors have been observed creating secondary accounts, such as "secadmin," "itadmin," "help," "backup," "remoteadmin," and "audit," for persistence.
"All of the above events took place within seconds of one another, indicating the possibility of automated activity," Arctic Wolf added.
The disclosure coincides with a post on Reddit in which several users reported seeing malicious SSO logins on fully-patched FortiOS devices, with one user stating the "Fortinet developer team has confirmed the vulnerability persists or isn't fixed in version 7.4.10."
The Hacker News has reached out to Fortinet for comment, and we'll update the story if we hear back. In the interim, it is recommended to disable the "admin-forticloud-sso-login" setting.
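The tell Arctic Wolf highlights is timing: an SSO login, admin-account creation, a VPN change and a configuration export from one source address, all within seconds. The script below is an added detection example (not from the article or from Arctic Wolf) that correlates those stages per source IP over constructed FortiOS-style key=value log lines; the field names it reads (logdesc, user, srcip, method, cfgpath, cfgobj, action) are assumptions that an analyst should map to the real event fields of their FortiOS version.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in FortiOS-style key=value syntax. The field names
# are assumptions, not values quoted by the article; map them to real FortiOS fields.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:01 logdesc="Admin login successful" user="cloud-init@mail.io" srcip=198.51.100.7 method="sso" action="login" status="success"
date=2026-01-15 time=03:12:04 logdesc="Object attribute configured" user="cloud-init@mail.io" srcip=198.51.100.7 cfgpath="system.admin" cfgobj="secadmin" action="Add"
date=2026-01-15 time=03:12:06 logdesc="Object attribute configured" user="cloud-init@mail.io" srcip=198.51.100.7 cfgpath="vpn.ssl.settings" action="Edit"
date=2026-01-15 time=03:12:09 logdesc="Configuration backup" user="cloud-init@mail.io" srcip=198.51.100.7 action="backup" status="success"
date=2026-01-15 time=09:40:00 logdesc="Admin login successful" user="admin" srcip=10.0.0.5 method="https" action="login" status="success"
date=2026-01-15 time=14:00:00 logdesc="Configuration backup" user="admin" srcip=10.0.0.5 action="backup" status="success"
"""
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse(line):
    """Parse one key=value log line into a dict, adding a datetime under 'ts'."""
    rec = {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def classify(rec):
    """Map a record to one stage of the chain the report describes, or None."""
    if rec.get("action") == "login" and rec.get("method") == "sso":
        return "sso_login"
    if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
        return "admin_created"
    if rec.get("cfgpath", "").startswith("vpn."):
        return "vpn_change"
    if rec.get("action") == "backup":
        return "config_export"
    return None

def find_automated_chains(log_text, window_seconds=30):
    """Return {srcip: stages} for source IPs whose SSO login, admin-account creation
    and config export all fall inside window_seconds (the 'within seconds' tell)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        stage = classify(rec)
        if stage:
            by_ip[rec["srcip"]].append((rec["ts"], stage))
    hits = {}
    for ip, events in by_ip.items():
        stages = {s for _, s in events}
        span = max(t for t, _ in events) - min(t for t, _ in events)
        if {"sso_login", "admin_created", "config_export"} <= stages and span.total_seconds() <= window_seconds:
            hits[ip] = sorted(stages)
    return hits
```

Running it on the sample flags only 198.51.100.7, where the whole chain completes in eight seconds; the legitimate admin session, whose login and backup are hours apart and not via SSO, is not flagged.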