Key Findings Arctic Wolf observed a new cluster of automated malicious activity targeting Fortinet FortiGate firewalls since January 15, 2026. The attacks involve the creation of generic user accounts for persistence, configuration changes granting VPN access to those accounts, and exfiltration of firewall configurations. This activity shares similarities with a December 2025 campaign that exploited critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and C
