Cybersecurity firm Arctic Wolf has issued a warning about a newly identified wave of automated malicious activity targeting Fortinet FortiGate devices. The campaign involves unauthorized changes to firewall configurations made by abusing the FortiCloud single sign-on (SSO) feature, raising concerns for organizations that rely on FortiGate appliances for perimeter security.
Automated Activity Observed Since Mid-January
According to Arctic Wolf, the malicious activity began on January 15, 2026. The company noted strong similarities with a campaign observed in December 2025, where attackers carried out unauthorized SSO logins on FortiGate devices by targeting the admin account from multiple hosting providers.
Those earlier attacks exploited two vulnerabilities, CVE-2025-59718 and CVE-2025-59719. Both flaws allow unauthenticated attackers to bypass SSO authentication by sending specially crafted SAML messages when FortiCloud SSO is enabled.
[Figure: FortiCloud SSO authentication flow]
Vulnerabilities Affect Multiple Fortinet Products
The SSO bypass weaknesses impact several Fortinet platforms, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. When exploited, these vulnerabilities allow attackers to gain unauthorized access without valid credentials, creating a serious risk for exposed devices.
Arctic Wolf reported that the new threat cluster goes beyond simple access. The attackers are actively modifying firewall configurations, establishing persistence, and exporting sensitive configuration data.
Persistence Accounts and Configuration Exfiltration
The observed activity includes the creation of generic user accounts designed to maintain long-term access. These accounts are then granted VPN permissions, enabling continued remote connectivity. In addition, firewall configuration files are exported from the compromised devices.
Arctic Wolf highlighted that malicious SSO logins were performed using an account named cloud-init@mail.io from four separate IP addresses. After successful access, firewall configuration files were exported through the graphical user interface to the same sources.
The source IP addresses involved in the activity are:
104.28.244[.]115
104.28.212[.]114
217.119.139[.]50
37.1.209[.]19
[Figure: Firewall configuration exfiltration diagram]
Secondary Accounts Created for Long-Term Access
Threat actors were also observed creating additional administrative-style accounts to ensure persistence. Examples include secadmin, itadmin, support, backup, remoteadmin, and audit.
Arctic Wolf emphasized that all related actions occurred within seconds of one another, strongly suggesting the use of automation rather than manual intrusion attempts.
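The indicators above (the SSO account name, the four source IPs, the persistence account names, and the "within seconds" timing) translate directly into a detection rule. The following script is an added example for this article, not code from Arctic Wolf or Fortinet: it parses FortiOS-style key=value event lines, tags logins from the listed sources, creation of the named admin accounts and configuration exports, and then reports any source whose tagged events cluster inside a short window, which is the automation signal the report describes. The sample log lines are constructed for the example; the exact field names and log descriptions used for account creation (cfgpath/cfgobj) and configuration export (logdesc) are assumptions and should be checked against the log reference for the FortiOS version in use.

```python
"""Detection sketch for the FortiGate SSO-abuse cluster described above (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the Arctic Wolf report quoted in the article.
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
IOC_SSO_USER = "cloud-init@mail.io"
PERSISTENCE_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# Assumption: "within seconds of one another" is modelled as a 30-second window.
BURST_WINDOW = timedelta(seconds=30)
BURST_MIN_EVENTS = 3

# Assumed log wording for a configuration backup/export event (verify per FortiOS release).
CONFIG_EXPORT_LOGDESC = "Configuration backed up"

# Matches key=value pairs, where the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines in FortiOS key=value style (not real device output).
SAMPLE_LOG = [
    'date=2026-01-15 time=03:12:07 type="event" subtype="system" action="login" '
    'status="success" user="cloud-init@mail.io" srcip=104.28.244.115 method="sso"',
    'date=2026-01-15 time=03:12:09 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="secadmin" user="cloud-init@mail.io" srcip=104.28.244.115',
    'date=2026-01-15 time=03:12:11 type="event" subtype="system" '
    'logdesc="Configuration backed up" user="cloud-init@mail.io" srcip=104.28.244.115',
    'date=2026-01-15 time=08:45:00 type="event" subtype="system" action="login" '
    'status="success" user="admin" srcip=10.0.0.5 method="https"',
]


def parse_fortios_line(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def event_time(ev):
    """Combine the date and time fields into a datetime for ordering and windowing."""
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def classify(ev):
    """Return the list of reasons an event is suspicious; empty means nothing matched."""
    tags = []
    src = ev.get("srcip")
    if ev.get("action") == "login" and ev.get("status") == "success":
        if src in IOC_IPS:
            tags.append("login-from-ioc-ip")
        if ev.get("user") == IOC_SSO_USER:
            tags.append("login-ioc-sso-user")
    # Admin account creation: cfgpath/cfgobj field names are an assumption.
    if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        if ev.get("cfgobj") in PERSISTENCE_ACCOUNTS:
            tags.append("persistence-account-created")
    if ev.get("logdesc") == CONFIG_EXPORT_LOGDESC:
        tags.append("config-export")
    return tags


def find_bursts(flagged, window=BURST_WINDOW, min_events=BURST_MIN_EVENTS):
    """Return source IPs with at least min_events flagged events inside one window."""
    by_src = defaultdict(list)
    for ts, src, _tags in flagged:
        by_src[src].append(ts)
    bursts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - min_events + 1):
            if times[i + min_events - 1] - times[i] <= window:
                bursts.append(src)
                break
    return bursts


def analyze(lines):
    """Run classification over raw log lines and summarise flagged events and bursts."""
    flagged = []
    for line in lines:
        ev = parse_fortios_line(line)
        tags = classify(ev)
        if tags:
            flagged.append((event_time(ev), ev.get("srcip"), tags))
    return {"flagged": flagged, "bursts": find_bursts(flagged)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, src, tags in result["flagged"]:
        print(ts, src, ", ".join(tags))
    print("automated bursts from:", result["bursts"])
```

Feeding real logs (for example, exported from FortiAnalyzer or a syslog collector) means replacing SAMPLE_LOG with the line stream and confirming the cfgpath, cfgobj and logdesc values against the device's own log reference before trusting the account-creation and export tags; the IP and SSO-user matches need no such adjustment.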
Community Reports Raise Patch Effectiveness Questions
The disclosure aligns with recent discussions on Reddit, where several users reported seeing malicious SSO logins on fully patched FortiOS devices. One user claimed that the Fortinet developer team acknowledged that the issue may still exist or may not be fully resolved in FortiOS version 7.4.10.
(At the time of reporting, Fortinet has not issued an official public response. Requests for comment are ongoing.)