Automated Attacks Target FortiGate Devices via FortiCloud SSO Flaw

Cybersecurity firm Arctic Wolf has issued a warning about a new wave of automated attacks targeting Fortinet FortiGate firewall devices. According to the company, attackers are exploiting weaknesses in FortiCloud Single Sign-On (SSO) to gain unauthorized access and make harmful changes to firewall configurations. This malicious activity was first detected on January 15, 2026.
The latest attacks show strong similarities to an earlier campaign observed in December 2025. In both cases, threat actors used malicious SSO login attempts to access FortiGate devices by abusing vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719. These security flaws allow attackers to bypass authentication checks using specially crafted SAML messages when FortiCloud SSO is enabled.
These vulnerabilities affect several Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Even more concerning is that some users have reported seeing these attacks on devices that were fully patched, raising questions about whether the issue has been fully resolved.
Arctic Wolf explained that the attackers’ main goal appears to be persistence and long-term access. Once inside a device, the attackers create generic administrator accounts that blend in with legitimate system users. Some of the account names observed include “secadmin,” “itadmin,” “support,” “backup,” “remoteadmin,” and “audit.” These accounts are then granted VPN access, allowing attackers to reconnect to the network whenever needed.
In addition to creating new accounts, the attackers have been seen exporting firewall configuration files. These files can contain sensitive information, such as network rules, IP addresses, and security policies. Arctic Wolf reported that configuration files were exfiltrated through the FortiGate graphical interface and sent to the same IP addresses used for the initial malicious logins.
The activity appears to be highly automated. Arctic Wolf noted that account creation, VPN configuration changes, and data exfiltration all occurred within seconds of each other. This suggests the attackers are using scripts or automated tools to quickly compromise devices before security teams can respond.
Several source IP addresses have been linked to the attacks, including IPs associated with different hosting providers. This approach makes it harder to block the activity using simple network-based defenses.
The disclosure has gained further attention after multiple users reported similar incidents on Reddit. One user claimed that Fortinet developers acknowledged that the vulnerability may still exist or may not be fully fixed in FortiOS version 7.4.10. As of now, Fortinet has not issued a public response, and cybersecurity researchers are continuing to monitor the situation.
Until more clarity is provided, security experts strongly recommend disabling the “admin-forticloud-sso-login” setting if it is not absolutely required. Organizations using Fortinet devices should also review their admin accounts, check for unknown users, monitor VPN access logs, and rotate credentials where possible.
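As an added example, not code from Arctic Wolf's report or from Fortinet, the following Python audit reads a FortiOS configuration export and checks the two points the guidance above turns on: whether admin-forticloud-sso-login is still enabled, and whether administrator accounts exist outside an expected allowlist, calling out the generic names the article reports. The configuration text is a constructed sample in FortiOS CLI export syntax, and the parser only needs the top-level `config system global` and `config system admin` blocks (nested blocks inside an entry are skipped).

```python
OBSERVED_NAMES = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}  # names reported by Arctic Wolf
# Constructed sample in FortiOS CLI export syntax; not taken from any real device.
SAMPLE_CONFIG = """config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "secadmin"
        set accprofile "super_admin"
        config trusthost
        end
    next
end
"""
def parse_sections(text):
    """Map each top-level 'config X' block to {entry: {key: value}}; entry None holds direct settings."""
    sections, current, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth:  # inside a nested block of an entry: skip until its matching 'end'
            depth += line.startswith("config ") - (line == "end")
        elif line.startswith("config ") and current is not None:
            depth = 1
        elif line.startswith("config "):
            current, entry = line[7:], None
            sections[current] = {None: {}}
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            sections[current][entry] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            sections[current][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            current = entry = None
    return sections
def audit(config_text, expected_admins):
    """Return findings: SSO admin login left enabled, and admin accounts outside the expected set."""
    cfg = parse_sections(config_text)
    findings = []
    if cfg.get("system global", {}).get(None, {}).get("admin-forticloud-sso-login") == "enable":
        findings.append("admin-forticloud-sso-login is enabled; disable it unless required")
    for name in cfg.get("system admin", {}):
        if name is not None and name not in expected_admins:
            why = "matches naming seen in the campaign" if name in OBSERVED_NAMES else "not in expected list"
            findings.append(f"unexpected admin account '{name}': {why}")
    return findings
```

Run `audit()` against a saved configuration backup with your organisation's real administrator list; any account outside that list deserves a look regardless of whether its name matches the reported ones.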
This incident highlights the ongoing risks associated with identity-based attacks and the importance of continuous monitoring, even on fully patched systems.