
Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

  • Jan 22

Key Findings


  • Arctic Wolf observed a new cluster of automated malicious activity targeting Fortinet FortiGate firewalls since January 15, 2026.

  • The attacks involve the creation of generic user accounts for persistence, configuration changes granting VPN access to those accounts, and exfiltration of firewall configurations.

  • This activity shares similarities with a December 2025 campaign that exploited critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) to gain unauthorized access to FortiGate devices.


Background


In December 2025, Fortinet disclosed two critical SSO authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, which allowed threat actors to bypass authentication on FortiGate devices with the FortiCloud single sign-on (SSO) feature enabled.


Attackers quickly began exploiting these vulnerabilities, with Arctic Wolf observing malicious SSO logins on FortiGate devices, primarily targeting admin accounts from various hosting providers.


Ongoing Attacks


  • The recent intrusions show malicious SSO logins from a small set of hosting providers, often targeting the [email protected] account.

  • After successful SSO access, attackers quickly exported firewall configurations via the GUI and created secondary admin accounts for persistence.

  • These actions occurred within seconds, suggesting highly automated activity.


Indicators of Compromise (IoCs)


The following IP addresses have been observed in the attacks:


  • 104.28.244[.]115

  • 104.28.212[.]114

  • 217.119.139[.]50

  • 37.1.209[.]19


The attackers have created secondary accounts such as "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit" for persistence.


Recommendations


  • Disable the "admin-forticloud-sso-login" setting on Fortinet FortiGate devices.

  • Monitor for any suspicious login activity and unauthorized configuration changes.

  • Apply the latest Fortinet security patches to address the CVE-2025-59718 and CVE-2025-59719 vulnerabilities.
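The monitoring recommendation and the IoC list above can be turned into a small hunt. The script below is an added example for defenders; it is not code from this post, from Arctic Wolf, or from Fortinet. It parses FortiGate-style key=value event lines, flags logins from the listed IP addresses, flags creation of admin accounts (with the report's generic names scored higher), and flags a configuration change or backup that follows an admin login within a short window, which is the "within seconds" automation signal described above. It also checks a FortiOS-style text config for the admin-forticloud-sso-login setting. The log lines and config text are constructed samples; the field names (date, time, logdesc, srcip, user, cfgpath, cfgobj, action) and the 15-second window are assumptions, so match them against your own device's logs before relying on the rules.

```python
import re
from datetime import datetime, timedelta

# De-fanged IPs from the IoC list above, normalised to plain dotted form.
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
# Generic persistence account names named in the report.
GENERIC_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
# Assumed threshold for "actions within seconds of login" (automation signal).
AUTOMATION_WINDOW = timedelta(seconds=15)

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one FortiGate-style event line into a dict; quotes are stripped.
    Field names are assumed; adjust to your firmware's log schema."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["_ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev


def hunt(lines):
    """Return a list of alert dicts. Lines must be in chronological order."""
    alerts = []
    seen_ioc = set()
    pending_login = {}  # srcip -> timestamp of a successful admin login not yet followed by a change
    for line in lines:
        ev = parse_event(line)
        src, user = ev.get("srcip", ""), ev.get("user", "")

        # Rule 1: any activity from a listed IoC address (reported once per address).
        if src in IOC_IPS and src not in seen_ioc:
            seen_ioc.add(src)
            alerts.append({"kind": "ioc_ip", "srcip": src, "user": user, "ts": ev["_ts"]})

        # Remember successful admin logins so later changes can be timed against them.
        if ev.get("logdesc") == "Admin login successful":
            pending_login[src] = ev["_ts"]
            continue

        # Rule 2: a new admin account; the report's generic names get their own alert kind.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            new_admin = ev.get("cfgobj", "")
            kind = "generic_admin_created" if new_admin in GENERIC_ACCOUNTS else "admin_created"
            alerts.append({"kind": kind, "srcip": src, "user": new_admin, "ts": ev["_ts"]})

        # Rule 3: config change or backup within seconds of the login from the same address.
        config_activity = "cfgpath" in ev or ev.get("action") == "backup"
        if config_activity and src in pending_login:
            if ev["_ts"] - pending_login.pop(src) <= AUTOMATION_WINDOW:
                alerts.append({"kind": "automated_post_login_change", "srcip": src,
                               "user": user, "ts": ev["_ts"]})
    return alerts


# Assumed FortiOS-style config backup text; the setting name is the one from the report.
SSO_RE = re.compile(r"^\s*set admin-forticloud-sso-login\s+(\w+)", re.M)


def forticloud_sso_login_enabled(config_text):
    """True if the setting is explicitly enabled, False if disabled,
    None if the line is absent (the firmware default then applies)."""
    m = SSO_RE.search(config_text)
    if m is None:
        return None
    return m.group(1) == "enable"


# Constructed sample logs (not real device output); the first three mimic the reported pattern.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:14:07 logdesc="Admin login successful" user="admin" srcip=104.28.244.115 action="login" status="success"',
    'date=2026-01-15 time=03:14:09 logdesc="Configuration backup" user="admin" srcip=104.28.244.115 action="backup"',
    'date=2026-01-15 time=03:14:11 logdesc="Object attribute configured" user="admin" srcip=104.28.244.115 cfgpath="system.admin" cfgobj="secadmin" action="Add"',
    'date=2026-01-15 time=09:02:40 logdesc="Admin login successful" user="admin" srcip=192.0.2.10 action="login" status="success"',
    'date=2026-01-15 time=09:31:12 logdesc="Object attribute configured" user="admin" srcip=192.0.2.10 cfgpath="firewall.policy" cfgobj="12" action="Edit"',
    'date=2026-01-15 time=09:31:15 logdesc="Object attribute configured" user="admin" srcip=192.0.2.10 cfgpath="system.admin" cfgobj="jsmith" action="Add"',
]

# Constructed config fragments: the weak setting beside the corrected one.
CONFIG_WEAK = 'config system global\n    set hostname "fw-edge-1"\n    set admin-forticloud-sso-login enable\nend\n'
CONFIG_FIXED = CONFIG_WEAK.replace("sso-login enable", "sso-login disable")

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOGS):
        print(a["ts"], a["kind"], a["srcip"], a["user"])
    print("SSO admin login enabled in weak config:", forticloud_sso_login_enabled(CONFIG_WEAK))
    print("SSO admin login enabled in fixed config:", forticloud_sso_login_enabled(CONFIG_FIXED))
```

On the sample data the hunt raises one IoC hit, one automated post-login change (the backup two seconds after login), one generic-account creation ("secadmin"), and one ordinary admin creation ("jsmith") that still merits review. The named-account alert is deliberately kept: the report's list of generic names is what has been observed so far, not a guarantee about future runs.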


Conclusion


Arctic Wolf's researchers have identified a new wave of automated attacks targeting Fortinet FortiGate firewalls, with similarities to a previous campaign that exploited critical authentication bypass vulnerabilities. The attacks involve the creation of persistent user accounts, VPN access modifications, and firewall configuration theft, all executed in a highly automated manner. Organizations using Fortinet FortiGate devices are advised to take immediate action to secure their systems and monitor for any suspicious activity.


Sources


  • https://securityaffairs.com/187194/hacking/arctic-wolf-detects-surge-in-automated-fortinet-fortigate-firewall-configuration-attacks.html

  • https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html

  • https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/

  • https://www.facebook.com/thehackernews/posts/-fortinet-fortigate-under-automated-sso-abuseattackers-exploit-cve-2025-59718597/1274047734759807/
