FortiGate Firewalls Compromised in Automated Attacks: Configuration Data at Risk
In a concerning development, FortiGate firewall devices have become the target of a sophisticated and automated cyberattack campaign. Beginning on January 15, 2026, threat actors have been observed executing unauthorized configuration changes, establishing persistence through the creation of generic administrative accounts, and exfiltrating sensitive firewall configuration data.
Background and Context
This recent wave of attacks bears a striking resemblance to incidents reported in December 2025, where malicious Single Sign-On (SSO) logins were detected shortly after Fortinet disclosed critical vulnerabilities identified as CVE-2025-59718 and CVE-2025-59719. These vulnerabilities allowed unauthenticated attackers to bypass SSO authentication mechanisms, granting them unauthorized access to Fortinet devices.
Arctic Wolf, a cybersecurity firm monitoring these developments, has noted that while the exact methods of initial access in the current campaign remain unconfirmed, the tactics employed mirror those used in previous SSO abuse incidents. The firm has activated detections to alert customers to suspicious activities, though Fortinet has yet to confirm whether existing patches fully mitigate this new wave of attacks.
Technical Details of the Vulnerabilities
In early December 2025, Fortinet issued security advisory FG-IR-25-647, detailing two critical authentication bypass flaws:
– CVE-2025-59718: An unauthenticated SAML SSO bypass vulnerability affecting FortiOS, FortiWeb, and FortiProxy.
– CVE-2025-59719: Another unauthenticated SAML SSO bypass vulnerability impacting FortiOS, FortiWeb, and FortiSwitchManager.
These vulnerabilities allowed attackers to craft malicious SAML messages, effectively bypassing SSO login mechanisms when FortiCloud SSO was enabled. Following the disclosure, Arctic Wolf observed unauthorized SSO logins on administrative accounts, leading to configuration data exfiltration and the establishment of persistent access through the creation of new administrative accounts.
Attack Chain Analysis
Arctic Wolf’s telemetry indicates that the recent attacks are highly automated, with multiple stages of the kill chain occurring within seconds:
1. Initial Access: Malicious SSO logins are initiated from specific hosting provider IP addresses. The primary account used for these intrusions is [email protected].
2. Exfiltration: Immediately following the login, the attacker triggers a download of the system configuration file via the GUI interface to the same source IP.
3. Persistence: To maintain access, the attackers create secondary administrative accounts. Common usernames observed include secadmin, itadmin, and remoteadmin.
Logs indicate that the time delta between the login, the configuration export, and the account creation is negligible, confirming the use of automated scripts.
Indicators of Compromise (IOCs)
Organizations should monitor the following IOCs for signs of compromise:
– Malicious Accounts:
– cloud-init@mail[.]io
– cloud-noc@mail[.]io
– Source IP Addresses:
– 104.28.244[.]115
– 104.28.212[.]114
– 217.119.139[.]50
– 37.1.209[.]19
– Persistence Accounts:
– secadmin
– itadmin
– support
– backup
– remoteadmin
– audit
Mitigation Strategies
To protect against these attacks, Fortinet users should:
1. Apply Patches Promptly: Monitor official Fortinet advisories and apply patches as soon as they become available.
2. Reset Credentials: If suspicious activity is detected, reset all credentials immediately, as hashed credentials can be cracked offline.
3. Restrict Management Interfaces: Limit access to management interfaces to trusted internal networks to prevent unauthorized access.
4. Disable FortiCloud SSO: As a temporary workaround, disable FortiCloud SSO by executing the following commands:
“`
config system global
set admin-forticloud-sso-login disable
end
“`
5. Monitor for IOCs: Regularly review FortiGate logs and hunt for the indicators of compromise listed above.
Conclusion
The recent automated attacks on FortiGate firewalls underscore the critical importance of timely vulnerability management and proactive monitoring. Organizations must remain vigilant, apply security patches promptly, and implement robust access controls to safeguard their networks against evolving cyber threats.
