
Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Published:

22 January 2026 at 05:55:00

Alert date:

22 January 2026 at 08:01:05

Source:

thehackernews.com


Network Infrastructure, Zero-Day Vulnerabilities, Identity & Access

Arctic Wolf has identified a new cluster of automated malicious activity targeting Fortinet FortiGate devices. The attacks involve unauthorized firewall configuration changes made through exploitation of FortiCloud SSO. The campaign began on January 15, 2026, and shows similarities to December 2025 attacks that involved malicious SSO logins against admin accounts on FortiGate appliances. The automated nature of the activity and its targeting of critical network infrastructure devices make this a high-priority security concern.

Technical details

Automated malicious activity targets Fortinet FortiGate devices through unauthorized firewall configuration changes. Attackers exploit FortiCloud SSO vulnerabilities to bypass authentication via crafted SAML messages. The observed chain consists of malicious SSO logins as the account 'cloud-init@mail.io', creation of persistence accounts (secadmin, itadmin, support, backup, remoteadmin, audit), configuration changes that grant VPN access, and exfiltration of firewall configuration files through the GUI. All of these steps complete within seconds, indicating automated execution.

Mitigation steps:

Disable the 'admin-forticloud-sso-login' setting on FortiGate devices. Monitor for unauthorized creation of administrator accounts with names such as secadmin, itadmin, support, backup, remoteadmin, and audit. Watch for malicious SSO login attempts and for unauthorized configuration file exports.
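As an added illustration (not part of the advisory, nor of any Fortinet or Arctic Wolf tooling), the following Python script applies the monitoring guidance above to a few constructed FortiGate-style event log lines. It flags SSO logins tied to the account and IP addresses listed as IoCs on this page, creation of administrator accounts with the listed names, VPN-related configuration edits and configuration-file downloads, and then reports any actor whose flagged events cluster inside a short window, matching the "within seconds" pattern described. The log lines, the field names (user, srcip, method, cfgpath, cfgobj, msg) and the 60-second burst window are assumptions; check real FortiOS log fields against the FortiOS log reference before relying on this logic.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Indicators taken from the advisory text above
SUSPECT_SSO_ACCOUNT = "cloud-init@mail.io"
SUSPECT_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
SUSPECT_ADMIN_NAMES = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
BURST_WINDOW_SECONDS = 60  # assumption: "within seconds" approximated as one minute

# Constructed sample lines in FortiGate-style key=value syntax (field names approximate, not real captures)
SAMPLE_LOGS = """\
date=2026-01-15 time=10:02:11 type="event" subtype="system" action="login" user="cloud-init@mail.io" srcip="104.28.244.115" method="sso" status="success" msg="Administrator logged in successfully via SSO"
date=2026-01-15 time=10:02:13 type="event" subtype="system" action="Add" user="cloud-init@mail.io" srcip="104.28.244.115" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"
date=2026-01-15 time=10:02:15 type="event" subtype="system" action="Edit" user="cloud-init@mail.io" srcip="104.28.244.115" cfgpath="vpn.ssl.settings" msg="Edit vpn.ssl.settings"
date=2026-01-15 time=10:02:18 type="event" subtype="system" action="download" user="cloud-init@mail.io" srcip="104.28.244.115" msg="Configuration file downloaded via GUI"
date=2026-01-15 time=14:30:00 type="event" subtype="system" action="login" user="jsmith" srcip="10.0.0.5" method="gui" status="success" msg="Administrator logged in successfully"
date=2026-01-15 time=14:31:40 type="event" subtype="system" action="Add" user="jsmith" srcip="10.0.0.5" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
"""


def parse_line(line: str) -> dict:
    """Parse one key=value line (quoted values allowed) into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def event_time(ev: dict) -> datetime:
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def reasons_for(ev: dict) -> list:
    """Return the list of advisory-derived detection reasons that match this event."""
    reasons = []
    user = ev.get("user", "")
    srcip = ev.get("srcip", "")
    action = ev.get("action", "").lower()
    if action == "login" and ev.get("method") == "sso" and (
        user == SUSPECT_SSO_ACCOUNT or srcip in SUSPECT_IPS
    ):
        reasons.append("sso-login-from-known-indicator")
    if action == "add" and ev.get("cfgpath") == "system.admin" and ev.get("cfgobj", "").lower() in SUSPECT_ADMIN_NAMES:
        reasons.append(f"persistence-admin-created:{ev['cfgobj']}")
    if action == "edit" and ev.get("cfgpath", "").startswith("vpn."):
        reasons.append("vpn-config-changed")
    if action == "download" and "configuration" in ev.get("msg", "").lower():
        reasons.append("config-export")
    if srcip in SUSPECT_IPS:
        reasons.append("src-ip-in-advisory-iocs")
    return reasons


def analyze(log_text: str, window: int = BURST_WINDOW_SECONDS) -> dict:
    """Flag suspicious events and report actors whose flagged events cluster within `window` seconds."""
    findings = []
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = reasons_for(ev)
        if reasons:
            finding = {"time": event_time(ev), "user": ev.get("user"), "srcip": ev.get("srcip"), "reasons": reasons}
            findings.append(finding)
            by_actor[(finding["user"], finding["srcip"])].append(finding)

    # Three or more flagged events from one user/IP pair inside the window suggests scripted execution
    bursts = []
    for (user, srcip), evs in by_actor.items():
        evs.sort(key=lambda f: f["time"])
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        if len(evs) >= 3 and span <= window:
            bursts.append({"user": user, "srcip": srcip, "events": len(evs), "span_seconds": span})
    return {"findings": findings, "bursts": bursts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS)
    for f in report["findings"]:
        print(f["time"], f["user"], f["srcip"], ", ".join(f["reasons"]))
    for b in report["bursts"]:
        print(f"BURST: {b['user']} from {b['srcip']}: {b['events']} flagged events in {b['span_seconds']:.0f}s")
```

On the constructed input the four attacker lines are flagged (the jsmith lines are not, since the login is not via SSO and the new account name is not on the advisory's list), and the actor cloud-init@mail.io / 104.28.244.115 is reported as a burst because its four flagged events span seven seconds.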

Affected products:

Fortinet FortiGate devices
FortiOS
FortiWeb
FortiProxy
FortiSwitchManager

Related links:

Related CVEs:

Related threat actors:

IOCs:

104.28.244.115, 104.28.212.114, 217.119.139.50, 37.1.209.19, cloud-init@mail.io

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
