Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations
Briefly

"The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719. Both vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected devices."
""This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations," Arctic Wolf said of the developing threat cluster. Specifically, this entails carrying out malicious SSO logins against a malicious account "cloud-init@mail.io" from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface."
"In addition, the threat actors have been observed creating secondary accounts, such as "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit," for persistence. "All of the above events took place within seconds of each other, indicating the possibility of automated activity," Arctic Wolf added."
Automated malicious activity targeting Fortinet devices began on January 15, 2026, mirroring a December 2025 campaign that exploited CVE-2025-59718 and CVE-2025-59719. The vulnerabilities permit unauthenticated bypass of FortiCloud single sign-on via crafted SAML messages when SSO is enabled, impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Attackers perform SSO logins against a malicious account (cloud-init@mail.io) from multiple IPs, export firewall configuration files via the GUI, and create generic and secondary accounts for persistence and VPN access. Events occur within seconds, indicating automation, and multiple users reported seeing malicious SSO logins on fully patched FortiOS devices.
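The indicators in the summary above (SSO logins to an identity that is not one of your admins, configuration exports from the same source, creation of the reported generic account names, and everything landing within seconds) map directly onto detection rules. The following is an added example, not code from The Hacker News, Arctic Wolf or Fortinet: it runs those rules over a few constructed log lines in a hypothetical key=value layout (not real FortiOS syslog fields), with `KNOWN_ADMINS` standing in for whatever list of legitimate SSO admin identities your environment maintains.

```python
"""Detection sketch for the FortiCloud SSO abuse pattern described above.
The log layout below is constructed for illustration; it is NOT FortiOS syslog syntax."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one automated burst from a single source, then a legitimate admin.
SAMPLE_LOG = """\
ts=2026-01-15T03:12:01Z action=sso_login user=cloud-init@mail.io src=203.0.113.10 status=success
ts=2026-01-15T03:12:02Z action=config_export user=cloud-init@mail.io src=203.0.113.10
ts=2026-01-15T03:12:03Z action=user_add user=cloud-init@mail.io src=203.0.113.10 new_user=secadmin
ts=2026-01-15T03:12:04Z action=user_add user=cloud-init@mail.io src=203.0.113.10 new_user=backup
ts=2026-01-15T09:40:00Z action=sso_login user=alice@corp.example src=198.51.100.7 status=success
ts=2026-01-15T09:41:10Z action=config_export user=alice@corp.example src=198.51.100.7
"""

# Account names reported in the campaign, plus the SSO identity the article names.
REPORTED_ACCOUNTS = {
    "cloud-init@mail.io", "secadmin", "itadmin", "support",
    "backup", "remoteadmin", "audit",
}
# Assumption: the SSO identities that are allowed to administer your firewalls.
KNOWN_ADMINS = {"alice@corp.example"}
# Several distinct admin actions inside this window from one source is treated as automation.
BURST_WINDOW = timedelta(seconds=30)
BURST_MIN_EVENTS = 3


def parse_line(line):
    """Split a 'k=v k=v ...' line into a dict and parse its ISO-8601 timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def analyze(log_text, known_admins=KNOWN_ADMINS):
    """Return a list of alert dicts ({rule, user, src, ts}) for the supplied log text."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts = []

    def flag(rule, ev):
        alerts.append({"rule": rule, "user": ev["user"], "src": ev["src"],
                       "ts": ev["ts"].isoformat()})

    # Per-event rules: who logged in via SSO, who exported config, which accounts were created.
    for ev in events:
        act = ev["action"]
        if act == "sso_login" and ev.get("status") == "success" and ev["user"] not in known_admins:
            flag("unknown_sso_identity", ev)
        elif act == "config_export" and ev["user"] not in known_admins:
            flag("config_export_by_unknown", ev)
        elif act == "user_add" and ev.get("new_user") in REPORTED_ACCOUNTS:
            flag("reported_persistence_account", ev)

    # Burst rule: >= BURST_MIN_EVENTS events of >= 2 different actions from one source
    # within BURST_WINDOW, which is the "within seconds of each other" signal.
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= BURST_WINDOW]
            if len(window) >= BURST_MIN_EVENTS and len({e["action"] for e in window}) >= 2:
                flag("automated_burst", first)
                break  # one burst alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a["ts"]} {a["rule"]:30} user={a["user"]} src={a["src"]}')
```

On the constructed sample the attacker source produces five alerts (unknown SSO identity, config export by an unknown identity, two reported persistence accounts, and one automation burst) while the legitimate admin produces none. The point of keying on an allowlist of admin identities rather than on the specific `cloud-init@mail.io` string is that the summary notes the logins were seen on fully patched devices, so a rule tied to one account name would miss the next variant.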
Read at The Hacker News