Cybersecurity firm Arctic Wolf warned of a “new cluster of automated malicious activity” involving unauthorized firewall configuration changes on Fortinet FortiGate devices.
The group said the campaign began on January 15, 2026, adding that it bears similarities to a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against administrator accounts from various hosting providers, exploiting CVE-2025-59718 and CVE-2025-59719.
Both vulnerabilities could allow unauthenticated bypass of SSO login authentication via a crafted SAML message if the FortiCloud Single Sign-On (SSO) feature is enabled on an affected device. This shortcoming affects FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
“This activity included creating general-purpose accounts for persistence, making configuration changes to allow VPN access to those accounts, and compromising firewall configurations,” Arctic Wolf said of the developing threat cluster.
Specifically, this involves performing a malicious SSO login to the malicious account “cloud-init@mail.io” from four different IP addresses, and then exporting a firewall configuration file to the same IP address via the GUI interface. The list of source IP addresses is as follows –
104.28.244[.]115 104.28.212[.]114 217.119.139[.]50 37.1.209[.]19
Additionally, attackers have been observed creating secondary accounts such as ‘secadmin’, ‘itadmin’, ‘support’, ‘backup’, ‘remoteadmin’, and ‘audit’ for persistence.
“All of the above events occurred within seconds of each other, indicating the possibility of automated activity,” Arctic Wolf added.
This disclosure coincides with a post on Reddit where multiple users reported seeing malicious SSO logins on fully patched FortiOS devices, with one user stating, “The Fortinet development team has confirmed that the vulnerability persists or is not fixed in version 7.4.10.”
Hacker News has reached out to Fortinet for comment and will update the article if we hear back. For the time being, we recommend disabling the “admin-forticloud-sso-login” setting.
Source link
