Perceptive Security
SOC/SIEM Consultancy

Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations
Published:
22 January 2026 at 05:55:00
Alert date:
22 January 2026 at 08:01:05
Source:
thehackernews.com
Network Infrastructure, Zero-Day Vulnerabilities, Identity & Access
Arctic Wolf has identified a new cluster of automated malicious activity targeting Fortinet FortiGate devices. The attacks involve unauthorized firewall configuration changes made through exploitation of FortiCloud SSO. The campaign began on January 15, 2026, and shows similarities to attacks in December 2025 that involved malicious SSO logins against admin accounts on FortiGate appliances. The automated nature of the campaign and its targeting of critical network infrastructure devices make this a high-priority security concern.
Technical details
The activity consists of automated, unauthorized firewall configuration changes on Fortinet FortiGate devices. Attackers exploit FortiCloud SSO vulnerabilities to bypass authentication via crafted SAML messages. The campaign involves malicious SSO logins against the account 'cloud-init@mail.io', creation of persistence accounts (secadmin, itadmin, support, backup, remoteadmin, audit), configuration changes that grant VPN access, and exfiltration of firewall configuration files via the GUI. All of these actions occur within seconds of each other, indicating automated execution.
Mitigation steps:
Disable the 'admin-forticloud-sso-login' setting on FortiGate devices. Monitor for unauthorized creation of admin accounts with names such as secadmin, itadmin, support, backup, remoteadmin, and audit. Watch for malicious SSO login attempts and for unauthorized exports of the configuration file.
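As an added example (not code from the advisory or from Arctic Wolf), a small Python triage script that applies the monitoring advice above to FortiOS event-log lines: it flags creation of the listed persistence account names, admin logins by the IOC account or from the IOC addresses, and configuration exports, and it reports users whose hits cluster within a short window, the automation cue the advisory describes. The key=value field names follow FortiOS event logs; the `action="backup"` value for a GUI export and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime
# Persistence account names, SSO account and source IPs as listed in the advisory.
PERSISTENCE_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
IOC_USERS = {"cloud-init@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_event(line):
    """Parse one FortiOS key=value event line (quoted or bare values) into a dict."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}

def source_ip(ev):
    """Admin events carry the client address as ui="https(a.b.c.d)"."""
    m = IP_RE.search(ev.get("ui", ""))
    return m.group(0) if m else ""

def classify(ev):
    """Map one event to a detection name from the advisory, or None if not matched."""
    action, user, msg = ev.get("action", ""), ev.get("user", ""), ev.get("msg", "").lower()
    if action == "Add" and ev.get("cfgpath") == "system.admin" \
            and ev.get("cfgobj", "").lower() in PERSISTENCE_ACCOUNTS:
        return "persistence-admin-created"
    if action == "login" and (user in IOC_USERS or source_ip(ev) in IOC_IPS):
        return "ioc-admin-login"
    if action == "backup" or "backup" in msg:  # assumption: how a GUI config export is logged
        return "config-export"
    return None

def scan(lines, window_s=60):
    """Return (hits, bursts): per-line hits and users with >=2 distinct hits within window_s."""
    hits, by_user = [], {}
    for line in lines:
        ev = parse_event(line)
        name = classify(ev)
        if name:
            ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((name, ev.get("user", ""), source_ip(ev)))
            by_user.setdefault(ev.get("user", ""), []).append((ts, name))
    bursts = [u for u, evs in by_user.items() if len({n for _, n in evs}) >= 2
              and (max(t for t, _ in evs) - min(t for t, _ in evs)).total_seconds() <= window_s]
    return hits, bursts

# Constructed sample lines in FortiOS event-log style (not real captured logs).
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:01 devname="fw01" type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="https(37.1.209.19)" action="login" status="success" msg="Administrator cloud-init@mail.io logged in successfully"',
    'date=2026-01-15 time=03:12:03 devname="fw01" type="event" subtype="system" user="cloud-init@mail.io" ui="https(37.1.209.19)" action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"',
    'date=2026-01-15 time=03:12:05 devname="fw01" type="event" subtype="system" user="cloud-init@mail.io" ui="https(37.1.209.19)" action="backup" msg="Configuration backup via GUI"',
    'date=2026-01-15 time=09:40:11 devname="fw01" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" action="login" status="success" msg="Administrator admin logged in successfully"',
]
```

Running `scan(SAMPLE_LOGS)` on the constructed lines yields three hits for the IOC account and reports it as a burst, while the routine admin login from an internal address produces nothing.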
Affected products:
Fortinet FortiGate devices
FortiOS
FortiWeb
FortiProxy
FortiSwitchManager
Related links:
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
https://thehackernews.com/2025/12/fortinet-fortigate-under-active-attack.html
https://www.reddit.com/r/fortinet/comments/1qibdcb/possible_new_sso_exploit_cve202559718_on_749/
Related CVEs:
Related threat actors:
IOCs:
104.28.244.115, 104.28.212.114, 217.119.139.50, 37.1.209.19, cloud-init@mail.io
This article was created with the assistance of AI technology by Perceptive.
