In a troubling development for network security, Arctic Wolf, a prominent cybersecurity firm, has alerted the public about a "new wave of automated malicious activities" that is exploiting vulnerabilities in Fortinet FortiGate devices. This alarming trend involves unauthorized alterations to firewall configurations, raising significant concerns for organizations relying on these systems.
The unsettling activity began on January 15, 2026, and bears a striking resemblance to a previous campaign from December 2025, where malicious single sign-on (SSO) logins were detected targeting the admin accounts of FortiGate appliances. This exploitation takes advantage of specific vulnerabilities identified as CVE-2025-59718 and CVE-2025-59719, which permit unauthorized users to bypass SSO login authentication using specially crafted SAML messages when the FortiCloud SSO feature is activated on impacted devices. These weaknesses affect a range of Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Arctic Wolf elaborated on this emerging threat cluster, stating, "This activity involved creating generic accounts aimed at maintaining persistent access, implementing configuration changes that allow VPN access to these accounts, and exfiltrating firewall configurations." In simpler terms, the attackers create their own administrator accounts so they keep access after the initial login, change the configuration so those accounts can also connect over the VPN, and steal the firewall's configuration.
More specifically, the attackers conducted malicious SSO logins using an account labeled "cloud-init@mail.io" from four distinct IP addresses. Following these unauthorized logins, they proceeded to export firewall configuration files to the same IP addresses via the graphical user interface (GUI). Here are the suspicious IP addresses associated with this activity:
- 104.28.244[.]115
- 104.28.212[.]114
- 217.119.139[.]50
- 37.1.209[.]19
Furthermore, the threat actors have been noted to create additional secondary accounts with names such as "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit." These are likely intended to ensure continued access to the systems even if one of the accounts is discovered and removed.
Arctic Wolf highlighted that all these events happened in rapid succession, supporting the idea that this is an automated process rather than manual intervention.
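As an added illustration, not part of the Arctic Wolf report or of this article, the following Python script shows how a defender might sweep FortiGate event logs for the indicators listed above: the "cloud-init@mail.io" SSO account, the four source addresses (refanged from the defanged form the article publishes), creation of administrator accounts with the reported names, and the rapid-succession pattern that points to automation. The log lines are constructed for the example, and the field names used (logdesc, user, srcip, cfgpath, cfgobj, action) are assumptions modelled on FortiOS key=value event logs, so map them to your own export before relying on the rules.

```python
"""Triage FortiGate event logs against the indicators reported by Arctic Wolf.

Added example, not Arctic Wolf's or Fortinet's code. The sample log lines are
constructed, and the field names (logdesc, user, srcip, cfgpath, cfgobj,
action) are assumptions modelled on FortiOS key=value logs.
"""
import shlex
from datetime import datetime, timedelta

# Indicators as published in the article (IP addresses defanged).
DEFANGED_IPS = ["104.28.244[.]115", "104.28.212[.]114",
                "217.119.139[.]50", "37.1.209[.]19"]
SSO_ACCOUNT = "cloud-init@mail.io"
PERSISTENCE_NAMES = {"secadmin", "itadmin", "support",
                     "backup", "remoteadmin", "audit"}


def refang(ip):
    """Turn a defanged address such as 1.2.3[.]4 back into a matchable string."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}


def parse_kv(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def find_bursts(alerts, window=timedelta(seconds=60), threshold=3):
    """Flag a source that produced `threshold` or more alerts inside `window`.

    This is the rapid-succession pattern the article attributes to automation.
    """
    by_src = {}
    for ts, src, _ in alerts:
        by_src.setdefault(src, []).append(ts)
    bursts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append((times[i], src,
                               f"{threshold}+ suspicious events within "
                               f"{window.seconds}s suggests automation"))
                break
    return bursts


def triage(lines):
    """Return (timestamp, source_ip, reason) alerts for one device's log lines."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        ts = datetime.fromisoformat(f"{ev['date']}T{ev['time']}")
        src = ev.get("srcip", "")
        user = ev.get("user", "")
        desc = ev.get("logdesc", "").lower()
        # Rule 1: the reported SSO account, or any login from a listed address.
        if "login" in desc and (user == SSO_ACCOUNT or src in IOC_IPS):
            alerts.append((ts, src, f"admin login by {user!r} from IoC source"))
        # Rule 2: configuration exported to a session coming from a listed address.
        if ("backed up" in desc or "export" in desc) and src in IOC_IPS:
            alerts.append((ts, src, "configuration export to IoC address"))
        # Rule 3: a new admin account with one of the reported persistence names.
        # Lower confidence on its own: a legitimate admin may create "backup".
        if (ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add"
                and ev.get("cfgobj", "").lower() in PERSISTENCE_NAMES):
            alerts.append((ts, src, f"admin account {ev['cfgobj']!r} created"))
    alerts.extend(find_bursts(alerts))
    return sorted(alerts)


# Constructed sample: one benign login, an automated sequence from an IoC
# address, and a same-named account created by a legitimate administrator.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:07 logdesc="Admin login successful" user="admin" '
    'srcip=192.0.2.10 method="https" status="success"',
    'date=2026-01-15 time=03:40:01 logdesc="Admin login successful" '
    'user="cloud-init@mail.io" srcip=104.28.244.115 method="sso" status="success"',
    'date=2026-01-15 time=03:40:03 logdesc="Object attribute configured" '
    'user="cloud-init@mail.io" srcip=104.28.244.115 cfgpath="system.admin" '
    'cfgobj="secadmin" action="Add"',
    'date=2026-01-15 time=03:40:05 logdesc="Configuration backed up" '
    'user="cloud-init@mail.io" srcip=104.28.244.115 method="https" status="success"',
    'date=2026-01-15 time=09:15:22 logdesc="Object attribute configured" user="admin" '
    'srcip=192.0.2.10 cfgpath="system.admin" cfgobj="backup" action="Add"',
]

if __name__ == "__main__":
    for ts, src, reason in triage(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {src:<16} {reason}")
```

Running the script flags the three-event sequence from 104.28.244.115 plus a burst marker for it, and separately the "backup" account created from the administrator's own address. That last hit is deliberately kept as a lead rather than a verdict: the account-name rule matches on a name alone, so verify who created it before acting. The mitigation the article cites, turning off FortiCloud SSO admin login, is the `admin-forticloud-sso-login` setting under `config system global` in the FortiOS CLI.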
Interestingly, this disclosure aligns with discussions on Reddit, where several users have reported encountering malicious SSO logins on their fully patched FortiOS devices. One user even mentioned that the "Fortinet developer team has confirmed the vulnerability still exists or remains unaddressed in version 7.4.10."
The Hacker News has reached out to Fortinet for further insights on this issue and will provide updates as information becomes available. In the meantime, experts recommend disabling the "admin-forticloud-sso-login" setting to mitigate any potential risks.
What do you think about these recent findings? Are you concerned about the effectiveness of security measures being implemented by companies like Fortinet? Share your thoughts in the comments below!