Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

  • Jan 22

Key Findings


  • Arctic Wolf observed a new cluster of automated malicious activity targeting Fortinet FortiGate firewalls since January 15, 2026.

  • The attacks involve the creation of generic user accounts for persistence, configuration changes granting VPN access to those accounts, and exfiltration of firewall configurations.

  • This activity shares similarities with a December 2025 campaign that exploited critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) to gain unauthorized access to FortiGate devices.


Background


In December 2025, Fortinet disclosed two critical SSO authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, which allowed threat actors to bypass authentication on FortiGate devices with the FortiCloud single sign-on (SSO) feature enabled.


Attackers quickly began exploiting these vulnerabilities, with Arctic Wolf observing malicious SSO logins on FortiGate devices, primarily targeting admin accounts, with the logins originating from various hosting providers.


Ongoing Attacks


  • The recent intrusions show malicious SSO logins from a small set of hosting providers, often targeting the [email protected] account.

  • After successful SSO access, attackers quickly exported firewall configurations via the GUI and created secondary admin accounts for persistence.

  • These actions occurred within seconds, suggesting highly automated activity.


Indicators of Compromise (IoCs)


The following IP addresses have been observed in the attacks:


  • 104.28.244[.]115

  • 104.28.212[.]114

  • 217.119.139[.]50

  • 37.1.209[.]19


The attackers have created secondary accounts such as "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit" for persistence.
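The logins, configuration exports and account creations described above leave event-log entries on the firewall, so the IoCs in this post can be turned into a simple detection pass over exported logs. The following script is an added example, not code from Arctic Wolf or Fortinet: it parses FortiGate-style key=value event lines, flags activity from the listed IP addresses, SSO admin logins, creation of the listed persistence accounts, and a login followed within seconds by an export or account change. The sample log lines are constructed to approximate the FortiGate event-log layout; the exact logdesc and cfgpath strings, and the 60-second automation window, are assumptions to be checked against the vendor's log reference and the post's "within seconds" observation.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# IP addresses from the post (defanged there with [.]; refanged here for matching).
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}

# Secondary admin account names the post reports being created for persistence.
IOC_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# Login -> export/account change inside this window is treated as automated.
# The post only says "within seconds"; 60 s is an assumed threshold.
AUTOMATION_WINDOW_S = 60

# FortiGate event logs are key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample lines (assumed layout; logdesc/cfgpath strings are assumptions).
SAMPLE_LOG = [
    'date=2026-01-16 time=03:12:41 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" method="sso" srcip=104.28.244.115 status="success"',
    'date=2026-01-16 time=03:12:44 type="event" subtype="system" logdesc="Config backup" '
    'user="admin" srcip=104.28.244.115 msg="Configuration backed up via GUI"',
    'date=2026-01-16 time=03:12:47 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" srcip=104.28.244.115 cfgpath="system.admin" cfgobj="secadmin" cfgattr="accprofile[super_admin]"',
    'date=2026-01-16 time=09:30:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" method="local" srcip=10.0.0.5 status="success"',
    'date=2026-01-16 time=11:05:10 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" srcip=10.0.0.5 cfgpath="firewall.policy" cfgobj="12" cfgattr="comments"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts for the rules: ioc_ip, sso_login,
    persistence_account and automated_sequence."""
    alerts: List[Tuple[str, str]] = []
    last_login: Dict[str, datetime] = {}  # srcip -> most recent successful admin login
    for raw in lines:
        ev = parse_line(raw)
        if "date" not in ev or "time" not in ev:
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        src = ev.get("srcip", "")
        desc = ev.get("logdesc", "")

        # Rule 1: any event from an IP listed in the post.
        if src in IOC_IPS:
            alerts.append(("ioc_ip", f"{ts} {desc} from {src}"))

        # Successful admin logins: flag SSO ones and remember the time per source.
        if desc == "Admin login successful":
            if ev.get("method") == "sso":
                alerts.append(("sso_login", f"{ts} user={ev.get('user')} src={src}"))
            last_login[src] = ts
            continue

        # Rule 3: creation/modification of one of the reported persistence accounts.
        if desc == "Object attribute configured" and ev.get("cfgpath") == "system.admin":
            name = ev.get("cfgobj", "")
            if name in IOC_ACCOUNTS:
                alerts.append(("persistence_account",
                               f"{ts} admin account {name!r} changed by {ev.get('user')} from {src}"))

        # Rule 4: export or config change within seconds of a login from the same source.
        if desc in ("Config backup", "Object attribute configured") and src in last_login:
            delta = (ts - last_login[src]).total_seconds()
            if 0 <= delta <= AUTOMATION_WINDOW_S:
                alerts.append(("automated_sequence", f"{ts} {desc} {delta:.0f}s after login from {src}"))
    return alerts


def count_by_rule(alerts: List[Tuple[str, str]]) -> Dict[str, int]:
    """Summarise alerts per rule, useful for a quick triage view."""
    return dict(Counter(rule for rule, _ in alerts))


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for rule, detail in found:
        print(f"[{rule}] {detail}")
    print(count_by_rule(found))
```

Run against a real export, the local-admin login from 10.0.0.5 and its unrelated policy edit hours later produce nothing, while the three-second login, export, account-creation sequence from an IoC address lights up every rule; the automated_sequence rule is the one that still fires if the attacker rotates to an address not on the list.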


Recommendations


  • Disable the "admin-forticloud-sso-login" setting on Fortinet FortiGate devices.

  • Monitor for any suspicious login activity and unauthorized configuration changes.

  • Apply the latest Fortinet security patches to address the CVE-2025-59718 and CVE-2025-59719 vulnerabilities.
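For the first recommendation, the setting is toggled from the FortiOS CLI. The fragment below is an added example and not from the post or from Fortinet's documentation; it assumes the setting lives under `config system global` and that `show full-configuration` with `grep` is available to confirm the result.

```text
# Disable FortiCloud SSO admin login (assumed path: config system global)
config system global
    set admin-forticloud-sso-login disable
end

# Verify the change took effect
show full-configuration system global | grep admin-forticloud-sso-login
```

After disabling the setting, administrators who relied on FortiCloud SSO need a local or otherwise configured login, so check that every remaining admin account is expected and remove any of the secondary accounts listed above.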


Conclusion


Arctic Wolf's researchers have identified a new wave of automated attacks targeting Fortinet FortiGate firewalls, with similarities to a previous campaign that exploited critical authentication bypass vulnerabilities. The attacks involve the creation of persistent user accounts, VPN access modifications, and firewall configuration theft, all executed in a highly automated manner. Organizations using Fortinet FortiGate devices are advised to take immediate action to secure their systems and monitor for any suspicious activity.


Sources


  • https://securityaffairs.com/187194/hacking/arctic-wolf-detects-surge-in-automated-fortinet-fortigate-firewall-configuration-attacks.html

  • https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html

  • https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/

  • https://www.facebook.com/thehackernews/posts/-fortinet-fortigate-under-automated-sso-abuseattackers-exploit-cve-2025-59718597/1274047734759807/

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page