Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Divergent · Thread author · Jul 26, 2025
Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices.

The activity, it said, commenced on January 15, 2026, adding that it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719.

Both vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Exploitation Vector
The attackers leverage CVE-2025-59718 and CVE-2025-59719 to bypass SSO login authentication using crafted SAML messages.

This targets devices where the FortiCloud SSO feature is enabled.

Initial Access & Exfiltration
The attack initiates a malicious SSO login using the account identifier cloud-init@mail[.]io.

Upon access, the attackers immediately export the firewall configuration file via the GUI interface to their controlled IP addresses.

Persistence Mechanisms
Following data exfiltration, the automated script creates multiple secondary accounts to maintain access.

Observed Usernames
secadmin, itadmin, support, backup, remoteadmin, audit.

Configuration changes are made to grant these accounts VPN access.

Network Indicators of Compromise (IOCs)
The following source IP addresses have been observed performing the attacks and receiving exfiltrated configurations:

104.28.244[.]115

104.28.212[.]114

217.119.139[.]50

37.1.209[.]19

Remediation & Mitigation Plan

Immediate Hardening (Critical)

Disable the FortiCloud SSO login feature on all FortiGate appliances immediately. This is the primary vector for this campaign.

config system global
set admin-forticloud-sso-login disable
end

Account Audit (Proof of Absence)
Inspect your user list for the following unauthorized accounts. If found, remove them immediately and consider the device compromised.

cloud-init@mail[.]io (Used for initial login)

secadmin, itadmin, support, backup, remoteadmin, audit

Network Blocklist
Add the identified attacker IPs to your blocklist/blackhole policies:

104.28.244[.]115

104.28.212[.]114

217.119.139[.]50

37.1.209[.]19

Forensic Review
Check system logs for configuration exports or VPN policy changes occurring around the time of any suspicious SSO logins. Note that reports indicate this vulnerability may persist even in version 7.4.10, making the configuration change (Step 1) critical regardless of patch status.

Verification Matrix

NIST NVD entries for CVE-2025-59718 and CVE-2025-59719.

CISA KEV Catalog addition (Added Dec 16, 2025).

Fortinet PSIRT Advisory FG-IR-25-647.

Arctic Wolf & Rapid7 technical breakdowns.
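As an added example (not code from the original post, Arctic Wolf, or Fortinet), the following Python script runs the Forensic Review and Account Audit checks from the post above over FortiOS-style event logs: it flags SSO logins matching the published indicators, then correlates configuration exports, admin-account creation and VPN-related config changes that follow such a login. It assumes the space-separated key=value layout of FortiOS event logs; the field values, the 30-minute correlation window, the list of config paths treated as VPN-related, and the sample log lines are all constructed for this example and are not real device output.

```python
"""Triage FortiOS event logs for the FortiCloud SSO abuse pattern described in the post."""
import re
from datetime import datetime, timedelta

# Indicators taken from the post above.
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
IOC_USERS = {"cloud-init@mail.io"}
OBSERVED_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# Assumption for this example: follow-on actions are tied to a suspicious login
# only if they occur within this window after it.
WINDOW = timedelta(minutes=30)

# Assumption: config paths whose modification grants or widens VPN access.
# FortiOS event logs write config paths as "<category>.<object>".
VPN_PATHS = ("vpn.", "user.group", "firewall.policy")

# FortiOS event logs are key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log (not real device output); field names follow the FortiOS layout.
SAMPLE_LOG = """
date=2026-01-15 time=03:12:44 type="event" subtype="system" level="information" logdesc="Admin login successful" user="cloud-init@mail.io" ui="https(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success" msg="Administrator cloud-init@mail.io logged in successfully"
date=2026-01-15 time=03:12:51 type="event" subtype="system" level="notice" logdesc="Configuration backup" user="cloud-init@mail.io" ui="https(104.28.244.115)" srcip=104.28.244.115 action="backup" msg="Configuration backed up via GUI"
date=2026-01-15 time=03:13:02 type="event" subtype="system" level="information" logdesc="Object configured" user="cloud-init@mail.io" ui="https(104.28.244.115)" srcip=104.28.244.115 action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"
date=2026-01-15 time=03:13:09 type="event" subtype="system" level="information" logdesc="Object configured" user="cloud-init@mail.io" ui="https(104.28.244.115)" srcip=104.28.244.115 action="Edit" cfgpath="user.group" cfgobj="SSLVPN_Users" cfgattr="member[secadmin]" msg="Edit user.group SSLVPN_Users"
date=2026-01-15 time=08:00:00 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully"
date=2026-01-15 time=08:01:30 type="event" subtype="system" level="notice" logdesc="Configuration backup" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="backup" msg="Scheduled configuration backup"
"""


def parse_line(line):
    """Return the key=value fields of one log line as a dict, quotes stripped."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def event_time(fields):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def triage(lines):
    """Return (timestamp, kind, user, detail) findings in chronological order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=event_time)
    findings = []
    ioc_logins = []  # timestamps of SSO logins that matched the indicators

    for f in events:
        t = event_time(f)
        user, src = f.get("user", ""), f.get("srcip", "")
        # True if an indicator-matching SSO login happened within WINDOW before this event.
        after_ioc_login = any(timedelta(0) <= t - b <= WINDOW for b in ioc_logins)
        is_login = f.get("action") == "login" and f.get("status") == "success"

        if is_login and f.get("method") == "sso" and (user in IOC_USERS or src in IOC_IPS):
            ioc_logins.append(t)
            findings.append((t, "ioc-sso-login", user, src))
        elif f.get("action") == "backup" and (after_ioc_login or src in IOC_IPS):
            findings.append((t, "config-export", user, src))
        elif f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            obj = f.get("cfgobj", "")
            if obj in OBSERVED_ACCOUNTS:
                findings.append((t, "persistence-account-observed-name", user, obj))
            elif after_ioc_login:
                findings.append((t, "admin-created-after-ioc-login", user, obj))
        elif f.get("cfgpath", "").startswith(VPN_PATHS) and after_ioc_login:
            findings.append((t, "vpn-change-after-ioc-login", user, f.get("msg", "")))
        elif src in IOC_IPS:
            findings.append((t, "ioc-ip-activity", user, f.get("logdesc", "")))
    return findings


if __name__ == "__main__":
    for t, kind, user, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{t:%Y-%m-%d %H:%M:%S}  {kind:34}  user={user}  {detail}")
```

Feed it the event log exported from the device or your SIEM instead of SAMPLE_LOG. The benign local admin login and the scheduled backup later the same morning produce no findings because they neither come from an indicator IP nor fall within the correlation window, which is the distinction a reviewer needs when the same admin account legitimately exports configurations.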