Cybersecurity firm Arctic Wolf has issued a critical warning regarding a "new cluster of automated malicious activity" targeting Fortinet FortiGate devices. Starting around mid-January 2026, attackers have been observed exploiting FortiCloud Single Sign-On (SSO) vulnerabilities to perform unauthorized firewall configuration changes and exfiltrate sensitive data.

This campaign bears a striking resemblance to a December 2025 attack wave involving CVE-2025-59718 and CVE-2025-59719, which allow an unauthenticated attacker to bypass SSO authentication via crafted SAML messages. Threat actors are using a malicious account, "cloud-init@mail.io", and creating several secondary administrative accounts to maintain persistence on affected networks. Perhaps most concerning are reports from the community suggesting that even fully patched devices, including FortiOS version 7.4.10, may still be susceptible to these exploits.

This guide covers the specific indicators of compromise, including known malicious IP addresses, and provides the immediate mitigation step of disabling the FortiCloud SSO login feature to protect your infrastructure from these rapid, automated attacks.
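A log-triage example for the indicators described above, added here and not taken from Arctic Wolf or Fortinet: it flags any activity by the named account and any administrator account created by a user who logged in through SSO. The log lines are constructed, and the key=value field names (`method`, `cfgpath`, `cfgobj`) are assumptions about the exported event-log format.

```python
import re

# Account name reported on this page as the attackers' login identity.
IOC_ACCOUNT = "cloud-init@mail.io"

# Constructed sample events in key=value form. Field names are assumptions
# about the exported log format; IPs are documentation-range addresses.
SAMPLE_LOG = """\
date=2026-01-15 time=03:12:44 type="event" user="cloud-init@mail.io" ui="sso(203.0.113.10)" method="sso" action="login" status="success"
date=2026-01-15 time=03:12:51 type="event" user="cloud-init@mail.io" ui="sso(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="secadmin"
date=2026-01-15 time=08:00:10 type="event" user="alice" ui="https(198.51.100.7)" method="https" action="login" status="success"
date=2026-01-15 time=08:05:30 type="event" user="alice" ui="https(198.51.100.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict (quoted values may hold spaces)."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def triage(log_text, ioc_account=IOC_ACCOUNT):
    """Return (timestamp, tag, detail) tuples for events worth reviewing."""
    findings = []
    sso_users = set()  # users with a successful SSO admin login so far
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        user = ev.get("user", "")
        when = f'{ev.get("date", "?")} {ev.get("time", "?")}'
        if user.lower() == ioc_account.lower():
            findings.append((when, "ioc-account", user))
        if (ev.get("action"), ev.get("method"), ev.get("status")) == ("login", "sso", "success"):
            sso_users.add(user)
        # New administrator objects are the persistence step described above.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            tag = "admin-created-after-sso" if user in sso_users else "admin-created"
            findings.append((when, tag, ev.get("cfgobj", "")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Administrator accounts tagged `admin-created-after-sso` should be checked against change records, since removing the original account does not remove the secondary ones.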