Automated Attacks Target FortiGate Devices via FortiCloud SSO Vulnerability
Cybersecurity firm Arctic Wolf has identified a new wave of automated attacks targeting Fortinet’s FortiGate devices. These incidents, which began on January 15, 2026, involve unauthorized modifications to firewall configurations, posing significant security risks to affected organizations.
Background on the Vulnerability
The attacks exploit vulnerabilities CVE-2025-59718 and CVE-2025-59719, both rated with a CVSS score of 9.8, indicating their critical severity. These flaws allow unauthenticated attackers to bypass single sign-on (SSO) authentication via crafted SAML messages when the FortiCloud SSO feature is enabled. The affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Details of the Attack
Arctic Wolf’s analysis reveals that attackers are conducting malicious SSO logins using the account [email protected] from multiple IP addresses:
– 104.28.244[.]115
– 104.28.212[.]114
– 217.119.139[.]50
– 37.1.209[.]19
Following these logins, the attackers export firewall configuration files to the same IP addresses via the graphical user interface (GUI). Additionally, they create secondary accounts such as secadmin, itadmin, support, backup, remoteadmin, and audit to maintain persistent access. The rapid succession of these events suggests the use of automated scripts to execute the attacks efficiently.
Community Reports and Vendor Response
The cybersecurity community has corroborated these findings. A Reddit post from January 2026 highlights multiple users observing unauthorized SSO logins on fully patched FortiOS devices. One user noted that the Fortinet development team acknowledged the vulnerability’s persistence in version 7.4.10. The Hacker News has reached out to Fortinet for an official statement and will provide updates as they become available.
Mitigation Recommendations
To protect against these attacks, organizations should consider the following steps:
1. Disable FortiCloud SSO Login: Temporarily disable the admin-forticloud-sso-login setting to prevent unauthorized access through this vector.
2. Apply Security Patches: Regularly check for and apply security patches provided by Fortinet to address known vulnerabilities.
3. Monitor for Unauthorized Access: Implement continuous monitoring to detect unusual login activities and configuration changes.
4. Review User Accounts: Audit existing user accounts to identify and remove any unauthorized or suspicious entries.
5. Enhance Authentication Mechanisms: Consider implementing multi-factor authentication (MFA) to add an additional layer of security.
Conclusion
The exploitation of FortiCloud SSO vulnerabilities underscores the importance of proactive cybersecurity measures. Organizations using Fortinet products should remain vigilant, apply recommended mitigations, and stay informed about emerging threats to safeguard their network infrastructures.
