Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations - The Hacker News

Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations Ravie LakshmananJan 22, 2026Network Security / Vulnerability Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719. Both vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected Devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. "This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations," Arctic Wolf said of the developing threat cluster. Specifically, this entails carrying out malicious SSO logins against a malicious account "cloud-init@mail.io" from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface. The list of source IP addresses is below - 104.28.244[.]115 104.28.212[.]114 217.119.139[.]50 37.1.209[.]19 In addition, the threat actors have been observed creating secondary accounts, such as "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit," for persistence. "All of the above events took place within seconds of each other, indicating the possibility of automated activity," Arctic Wolf added. The disclosure coincides with a post on Reddit in which multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices, with one user stating the "Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10." The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back. In the interim, it's advised to disable the "admin-forticloud-sso-login" setting. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, Firewall, Fortigate, Fortinet, FortiOS, Incident response, network security, Threat Intelligence, Vulnerability Trending News FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks Load More ▼ Popular Resources SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats Detect AI-Driven Threats Faster With Full Network Visibility [Guide] Learn How to Govern AI Agents With Proven Market Guidance [Demo] Discover SaaS Risks and Monitor Every App in Your Environment