
Automated Attacks Target FortiGate Firewalls via FortiCloud SSO Exploit

Cybersecurity researchers at Arctic Wolf have identified a new wave of automated attacks targeting Fortinet FortiGate devices, exploiting weaknesses in FortiCloud Single Sign-On (SSO) to manipulate firewall configurations.

The activity, first observed on January 15, 2026, resembles a December 2025 campaign in which attackers leveraged CVE-2025-59718 and CVE-2025-59719 to bypass SSO login authentication. Both vulnerabilities allow unauthenticated access through crafted SAML messages when FortiCloud SSO is enabled. Affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

How the Attack Works

According to Arctic Wolf, attackers automate a series of steps, including:

  • Logging in via malicious SSO accounts, such as cloud-init@mail.io.
  • Creating secondary accounts like secadmin, itadmin, support, backup, remoteadmin, and audit to maintain persistence.
  • Exporting firewall configurations to external IP addresses via the web GUI.

Known source IP addresses involved in the activity include:

  • 104.28.244[.]115
  • 104.28.212[.]114
  • 217.119.139[.]50
  • 37.1.209[.]19

Arctic Wolf noted that these events occur within seconds, suggesting the operations are automated rather than manual.

Implications and Mitigation

The attacks could allow threat actors to alter VPN access, exfiltrate configuration files, and maintain long-term control over network devices. Users on fully patched FortiOS devices have reported ongoing malicious SSO login attempts, raising concerns that certain vulnerabilities persist even in the latest versions, including FortiOS 7.4.10.

Fortinet users are advised to disable FortiCloud SSO for administrative logins using the admin-forticloud-sso-login setting as a precaution until official patches or guidance are provided.

Expert Advice

Network security specialists recommend monitoring for unusual login activity, auditing firewall configurations regularly, and applying strict access control policies to limit exposure from internet-facing devices.
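One way to put the monitoring advice into practice, added here as an example and not code from Arctic Wolf or Fortinet: it parses FortiOS-style key=value event lines (the field names and the sample lines below are assumed and constructed, not real device output), tags the three steps the article describes, and flags a source IP that completes all three within seconds, which the article treats as the signature of automation.

```python
import re
from datetime import datetime, timedelta
# IoCs from the article: reported source IPs and the secondary admin names attackers create.
KNOWN_SRC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
SUSPICIOUS_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
# The article notes the whole sequence completes within seconds; one source doing all
# three steps inside this window is treated as automated rather than manual activity.
AUTOMATION_WINDOW = timedelta(seconds=30)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one FortiOS-style key=value event line into a dict (field names are assumed)."""
    ev = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev

def classify(ev):
    """Map an event to a step of the reported chain, or None if unrelated (attempts count too)."""
    if ev.get("action") == "login" and ev.get("method") == "sso":
        if "@" in ev.get("user", "") or ev.get("srcip") in KNOWN_SRC_IPS:
            return "sso_login"
    elif ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        if ev.get("cfgobj", "").lower() in SUSPICIOUS_ADMINS:
            return "admin_created"
    elif ev.get("action") == "backup" and ev.get("cfgpath") == "system.config":
        return "config_export"
    return None

def find_automated_chains(lines):
    """Return {srcip: [steps]} for sources that run the full chain inside AUTOMATION_WINDOW."""
    by_src = {}
    for ev in map(parse_event, lines):
        if step := classify(ev):
            by_src.setdefault(ev["srcip"], []).append((ev["ts"], step))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological; the window is measured from the first SSO login
        start = next((t for t, s in events if s == "sso_login"), None)
        window = [s for t, s in events if start and start <= t <= start + AUTOMATION_WINDOW]
        if {"admin_created", "config_export"} <= set(window):
            hits[src] = window
    return hits

# Constructed sample events in the assumed format; not real device logs.
SAMPLE_LOG = [
    'date=2026-01-15 time=03:12:01 action="login" method="sso" user="cloud-init@mail.io" srcip=104.28.244.115',
    'date=2026-01-15 time=03:12:03 action="Add" cfgpath="system.admin" cfgobj="secadmin" user="cloud-init@mail.io" srcip=104.28.244.115',
    'date=2026-01-15 time=03:12:05 action="backup" cfgpath="system.config" user="secadmin" srcip=104.28.244.115',
    'date=2026-01-15 time=09:30:00 action="login" method="https" user="admin" srcip=10.0.0.5',
]
```

Feeding real exported logs through `find_automated_chains` requires adjusting `classify` to the field names your FortiOS version actually emits.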

This alert underscores the growing risk of automated attacks on critical network infrastructure, even when devices are fully patched.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO