Cybersecurity News
Automated FortiGate SSO Attacks Exploit Firewalls
Cybersecurity firm Arctic Wolf has issued a stark warning regarding a “new cluster of automated malicious activity” targeting Fortinet FortiGate devices. This activity involves unauthorized firewall configuration changes, and it’s happening fast.
The campaign reportedly kicked off on January 15, 2026. It bears a close resemblance to a December 2025 wave where malicious SSO logins were recorded against admin accounts by exploiting two specific vulnerabilities: CVE-2025-59718 and CVE-2025-59719.
Understanding the Vulnerabilities
Both flaws allow an unauthenticated attacker to bypass SSO login authentication by sending specially crafted SAML messages, provided the FortiCloud single sign-on (SSO) feature is enabled.
It’s not just FortiGate, either. These shortcomings impact several Fortinet products, including:
- FortiOS
- FortiWeb
- FortiProxy
- FortiSwitchManager
The Attack Pattern: Automation and Persistence
According to Arctic Wolf, this isn’t just a manual probe. “This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations,” the firm noted.
The threat actors typically use a malicious account named cloud-init@mail.io. They connect from a specific set of IP addresses and then quickly export the firewall configuration files via the GUI.
Watch out for these source IP addresses:
- 104.28.244[.]115
- 104.28.212[.]114
- 217.119.139[.]50
- 37.1.209[.]19
To stay hidden, the actors also create secondary “decoy” accounts to maintain access. If you see new accounts named secadmin, itadmin, support, backup, remoteadmin, or audit that you didn’t create, you likely have a problem.
Now, here’s the kicker: all of these events—from login to configuration export—take place within seconds of each other. That clearly points to a highly automated attack script.
Is the Patch Enough?
There is some worrying news coming from the community. A recent discussion on Reddit highlighted that multiple users are seeing these malicious SSO logins even on fully patched FortiOS devices. One user even claimed that the Fortinet developer team confirmed the vulnerability might still persist in version 7.4.10.
While we wait for official confirmation or a new patch, the advice from experts is clear. If you don’t absolutely need it, you should disable the FortiCloud SSO login feature immediately.
How to Mitigate
In the interim, the best way to protect your infrastructure is to disable the admin-forticloud-sso-login setting.
Stay vigilant. If you’re running Fortinet gear, now is the time to audit your admin logs for any sign of cloud-init@mail.io or the IP addresses listed above. It’s better to be safe than sorry when automation is involved.
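As an added illustration of that audit (not code from Arctic Wolf or Fortinet), the script below runs three checks over FortiOS-style admin event lines: logins by the reported account or source IPs, creation of admin accounts with the listed decoy names, and a configuration export within seconds of a login. The log field names, the 30-second window, and the sample lines are all constructed approximations for the example.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted in the article (de-fanged "[.]" restored for matching)
KNOWN_ACCOUNT = "cloud-init@mail.io"
KNOWN_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
DECOY_NAMES = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
FAST_EXPORT = timedelta(seconds=30)  # assumed window for "within seconds"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one FortiOS-style key=value line into a dict with a parsed timestamp."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
    return ev

def find_alerts(lines):
    """Return (rule, user, detail) tuples for the three behaviours the article describes."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts, last_login = [], {}  # last_login: user -> time of latest successful login
    for ev in events:
        desc, user, ip = ev.get("logdesc", ""), ev.get("user", ""), ev.get("srcip", "")
        if desc == "Admin login successful":
            last_login[user] = ev["ts"]
            if user == KNOWN_ACCOUNT or ip in KNOWN_IPS:
                alerts.append(("known-indicator", user, ip))
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            if ev.get("cfgobj") in DECOY_NAMES:
                alerts.append(("decoy-account", user, ev["cfgobj"]))
        elif desc == "Configuration backup" and user in last_login:
            gap = ev["ts"] - last_login[user]
            if gap <= FAST_EXPORT:
                alerts.append(("fast-export", user, f"{int(gap.total_seconds())}s after login"))
    return alerts

# Constructed sample lines approximating FortiOS event-log fields; not real captures.
SAMPLE_LOG = [
    'date=2026-01-16 time=09:14:02 logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso" srcip=104.28.244.115 action="login" status="success"',
    'date=2026-01-16 time=09:14:03 logdesc="Object attribute configured" user="cloud-init@mail.io" cfgpath="system.admin" cfgobj="secadmin" action="Add"',
    'date=2026-01-16 time=09:14:05 logdesc="Configuration backup" user="cloud-init@mail.io" srcip=104.28.244.115 action="backup"',
    'date=2026-01-16 time=11:30:00 logdesc="Admin login successful" user="admin" ui="https" srcip=10.0.0.5 action="login" status="success"',
    'date=2026-01-16 time=12:45:00 logdesc="Configuration backup" user="admin" srcip=10.0.0.5 action="backup"',
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The legitimate admin session in the last two lines produces no alert because its backup comes 75 minutes after login; tune FAST_EXPORT and the field names to your own log export before relying on it.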