Automated Attacks Target FortiGate Devices via FortiCloud SSO Vulnerabilities
Cybersecurity firm Arctic Wolf has identified a new wave of automated cyberattacks targeting Fortinet FortiGate devices. These attacks, which began on January 15, 2026, exploit vulnerabilities in the FortiCloud single sign-on (SSO) feature to gain unauthorized access and modify firewall configurations.
Background on the Vulnerabilities
The vulnerabilities in question, designated as CVE-2025-59718 and CVE-2025-59719, allow attackers to bypass SSO authentication by sending specially crafted Security Assertion Markup Language (SAML) messages. This bypass is possible when the FortiCloud SSO feature is enabled on affected devices, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws were previously exploited in December 2025, leading to unauthorized SSO logins on FortiGate appliances.
Details of the Recent Attacks
In the latest series of attacks, threat actors have been observed performing malicious SSO logins using the email address [email protected] from the following IP addresses:
– 104.28.244[.]115
– 104.28.212[.]114
– 217.119.139[.]50
– 37.1.209[.]19
Following these unauthorized logins, attackers have exported firewall configuration files to the same IP addresses via the graphical user interface (GUI). Additionally, they have created secondary accounts with names such as secadmin, itadmin, support, backup, remoteadmin, and audit to maintain persistent access. The rapid succession of these events suggests the use of automated tools in the attack process.
Community Reports and Vendor Response
The cybersecurity community has taken note of these incidents. A Reddit post highlighted multiple users experiencing malicious SSO logins on fully patched FortiOS devices. One user mentioned that the Fortinet development team acknowledged the persistence of the vulnerability in version 7.4.10. In response to these findings, Arctic Wolf recommends disabling the admin-forticloud-sso-login setting as a precautionary measure.
Implications and Recommendations
The exploitation of these vulnerabilities underscores the critical importance of timely patch management and vigilant monitoring of network devices. Organizations using Fortinet products should take the following steps to mitigate potential risks:
1. Disable FortiCloud SSO Login: Until a comprehensive fix is available, disable the admin-forticloud-sso-login feature to prevent unauthorized access.
2. Review and Update Configurations: Regularly audit firewall configurations to detect any unauthorized changes or additions.
3. Monitor for Suspicious Activity: Implement continuous monitoring to identify unusual login attempts or configuration modifications.
4. Apply Security Patches Promptly: Stay informed about security updates from Fortinet and apply patches as soon as they are released.
5. Limit Administrative Access: Restrict administrative access to trusted personnel and consider implementing multi-factor authentication (MFA) for an added layer of security.
Conclusion
The recent automated attacks on FortiGate devices highlight the evolving tactics of cyber adversaries and the necessity for proactive security measures. By addressing known vulnerabilities and adhering to best practices, organizations can enhance their defenses against such sophisticated threats.
