FortiGate Firewalls Hacked in Automated Attacks to Steal Configurations Data


A new cluster of automated malicious activity is targeting FortiGate firewall devices. Beginning January 15, 2026, threat actors have been observed making unauthorized configuration changes, establishing persistence through generic administrative accounts, and exfiltrating sensitive firewall configuration data.

This campaign echoes a December 2025 incident involving malicious SSO logins shortly after Fortinet disclosed critical vulnerabilities CVE-2025-59718 and CVE-2025-59719.

Arctic Wolf notes that the initial access method remains unconfirmed, but the tactics mirror the earlier SSO abuse. Its detections are active and are alerting customers to suspicious activity. Fortinet has yet to confirm whether the existing patches fully mitigate this wave.

In early December 2025, Fortinet issued FG-IR-25-647, detailing two critical authentication bypass flaws. Attackers craft malicious SAML messages to bypass SSO login when FortiCloud SSO is enabled.

| CVE ID | Description | Severity | Affected Products |
|---|---|---|---|
| CVE-2025-59718 | Unauthenticated SAML SSO bypass | Critical | FortiOS, FortiWeb, FortiProxy |
| CVE-2025-59719 | Unauthenticated SAML SSO bypass | Critical | FortiOS, FortiWeb, FortiSwitchManager |

Post-disclosure, Arctic Wolf observed SSO logins to admin accounts, followed by configuration dumps and persistence. It is unclear whether the January attacks leverage the same flaws or variants of the patched issues.

Attack Chain

Arctic Wolf’s telemetry indicates that the attacks are highly automated, with multiple stages of the kill chain occurring within seconds of one another.


  1. Initial Access: Malicious SSO logins are initiated from specific hosting provider IP addresses. The primary account used for these intrusions is [email protected].
  2. Exfiltration: Immediately following the login, the attacker triggers a download of the system configuration file via the GUI interface to the same source IP.
  3. Persistence: To maintain access, the attackers create secondary administrative accounts. Common usernames observed include secadmin, itadmin, and remoteadmin.

Logs indicate that the time delta between the login, the configuration export, and the account creation is negligible, which confirms the use of automated scripts.

Indicators of Compromise

Monitor these IOCs for signs of compromise:

| IOC | Type | Description |
|---|---|---|
| cloud-init@mail[.]io | Malicious account | Used for logins and config exfiltration |
| cloud-noc@mail[.]io | Malicious account | Used for logins and config exfiltration |
| 104.28.244[.]115 | Source IP | Observed in SSO logins and downloads |
| 104.28.212[.]114 | Source IP | Observed in intrusions |
| 217.119.139[.]50 | Source IP | Observed in intrusions |
| 37.1.209[.]19 | Source IP | Observed in intrusions |
| secadmin | Persistence account | Created post-access |
| itadmin | Persistence account | Created post-access |
| support | Persistence account | Created post-access |
| backup | Persistence account | Created post-access |
| remoteadmin | Persistence account | Created post-access |
| audit | Persistence account | Created post-access |

Mitigations

Fortinet users should monitor official advisories and apply patches promptly (upgrade guide). Reset all credentials if activity matches these indicators, since the hashed credentials in an exported configuration can be cracked offline.

Restrict management interfaces to trusted internal networks; this is a standing best practice that also limits exposure to mass scanning. As a workaround, disable FortiCloud SSO:

config system global
    set admin-forticloud-sso-login disable
end

Organizations should hunt for these IOCs and review FortiGate logs immediately.
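The following is an added hunting example, not code from the article or from Arctic Wolf, that ties the attack chain above to the IOC table: it parses key=value event lines, flags the listed accounts, IPs and persistence usernames, and raises a separate alert when one source IP performs login, configuration export and admin-account creation within a short window. The log layout, field names and sample events are constructed assumptions, not a verified FortiOS schema.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified FortiOS-style key=value layout; the
# field names and values are illustrative assumptions, not a verified schema.
SAMPLE_LOGS = """\
eventtime=1768533247 action=login status=success ui=sso srcip=104.28.244.115 user="cloud-init@mail.io"
eventtime=1768533249 action=download status=success ui=GUI srcip=104.28.244.115 user="cloud-init@mail.io" msg="Configuration file downloaded"
eventtime=1768533251 action=Add status=success cfgpath="system.admin" cfgobj="secadmin" srcip=104.28.244.115 user="cloud-init@mail.io"
eventtime=1768554120 action=login status=success ui=https srcip=10.0.5.20 user="admin"
eventtime=1768577400 action=download status=success ui=GUI srcip=10.0.5.20 user="admin" msg="Configuration file downloaded"
"""

# Indicators from the advisory, with the defanging brackets removed for matching.
IOC_ACCOUNTS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
PERSISTENCE_ACCTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def stage(ev):
    """Map an event to a step of the observed chain: login, config_export, admin_add."""
    if ev.get("action") == "login" and ev.get("status") == "success":
        return "login"
    if ev.get("action") == "download" and "configuration" in ev.get("msg", "").lower():
        return "config_export"
    if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        return "admin_add"
    return None

def hunt(log_text, window=60):
    """Return alerts: direct IOC hits plus login->export->admin-add chains from one srcip within `window` seconds."""
    alerts, seen = [], defaultdict(dict)   # seen[srcip][stage] = earliest eventtime
    for line in log_text.splitlines():
        ev = parse(line)
        ip, user, ts = ev.get("srcip"), ev.get("user"), int(ev.get("eventtime", 0))
        if user in IOC_ACCOUNTS or ip in IOC_IPS:
            alerts.append(f"ioc_hit srcip={ip} user={user}")
        if ev.get("cfgobj") in PERSISTENCE_ACCTS:
            alerts.append(f"persistence_account srcip={ip} account={ev['cfgobj']}")
        s = stage(ev)
        if s:
            seen[ip].setdefault(s, ts)
        # The automation signature: all three stages from the same IP, seconds apart.
        if s == "admin_add" and {"login", "config_export"} <= set(seen[ip]) and ts - seen[ip]["login"] <= window:
            alerts.append(f"automated_chain srcip={ip} elapsed={ts - seen[ip]['login']}s")
    return alerts
```

The chain detector fires on the timing pattern alone, so it still catches the same sequence from an IP or account that is not yet on the IOC list.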
