Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Posted on By CWS

Ravie LakshmananJan 22, 2026Network Safety / Vulnerability
Cybersecurity firm Arctic Wolf has warned of a “new cluster of automated malicious exercise” that entails unauthorized firewall configuration modifications on Fortinet FortiGate gadgets.
The exercise, it stated, commenced on January 15, 2026, including it shares similarities with a December 2025 marketing campaign by which malicious SSO logins on FortiGate home equipment had been recorded in opposition to the admin account from completely different internet hosting suppliers by exploiting CVE-2025-59718 and CVE-2025-59719.
Each vulnerabilities enable for unauthenticated bypass of SSO login authentication by way of crafted SAML messages when the FortiCloud single sign-on (SSO) characteristic is enabled on affected Units. The shortcomings affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

“This exercise concerned the creation of generic accounts meant for persistence, configuration modifications granting VPN entry to these accounts, in addition to exfiltration of firewall configurations,” Arctic Wolf stated of the growing menace cluster.
Particularly, this entails finishing up malicious SSO logins in opposition to a malicious account “[email protected]” from 4 completely different IP addresses, following which the firewall configuration information are exported to the identical IP addresses by way of the GUI interface. The checklist of supply IP addresses is under –

104.28.244[.]115
104.28.212[.]114
217.119.139[.]50
37.1.209[.]19

As well as, the menace actors have been noticed creating secondary accounts, resembling “secadmin,” “itadmin,” “assist,” “backup,” “remoteadmin,” and “audit,” for persistence.
“All the above occasions passed off inside seconds of one another, indicating the opportunity of automated exercise,” Arctic Wolf added.

The disclosure coincides with a publish on Reddit by which a number of customers reported seeing malicious SSO logins on fully-patched FortiOS gadgets, with one person stating the “Fortinet developer staff has confirmed the vulnerability persists or shouldn’t be mounted in model 7.4.10.”
The Hacker Information has reached out to Fortinet for remark, and we’ll replace the story if we hear again. Within the interim, it is suggested to disable the “admin-forticloud-sso-login” setting.

The Hacker News Tags:, , , , , , , ,

Related Posts

Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3 Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3 The Hacker News
Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns The Hacker News
Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks The Hacker News
North Korea-Linked Hackers Target Developers via Malicious VS Code Projects North Korea-Linked Hackers Target Developers via Malicious VS Code Projects The Hacker News
India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse The Hacker News
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch The Hacker News