A fresh wave of automated cyberattacks is targeting FortiGate firewalls, exploiting unauthorized access to create backdoors and steal sensitive configuration data. Security researchers at Arctic Wolf have been tracking the campaign since mid-January 2026, warning that the attacks are swift, automated, and aimed at establishing long-term persistence on compromised networks.
The activity, which began on January 15, 2026, mirrors tactics seen in late 2025 but introduces new indicators that suggest a developing threat landscape for network administrators.
The attack vector centers on unauthorized Single Sign-On (SSO) logins, a technique that allows attackers to bypass standard authentication screens. “In recently observed intrusions, malicious SSO logins originated from a handful of hosting providers,” the report notes.
The attackers typically use generic but effective account names like cloud-init@mail.io or cloud-noc@mail.io to log in as administrators. Once inside, the operation moves at machine speed.
“All of the above events took place within seconds of each other, indicating the possibility of automated activity,” Arctic Wolf researchers explained.
The primary goal of the intrusion appears to be twofold: data theft and backdoor creation.
- Exfiltration: Immediately after logging in, the attackers download the firewall’s configuration file. “System config file has been downloaded by user cloud-init@mail.io via GUI,” logs from a compromised device reveal. This file often contains hashed credentials, network maps, and policy rules.
- Persistence: To ensure they can return, the attackers create secondary administrative accounts with names like secadmin, backup, or support.
The campaign bears a striking resemblance to activity linked to CVE-2025-59718 and CVE-2025-59719, two critical authentication bypass vulnerabilities disclosed in December 2025. These flaws allowed attackers to bypass SSO authentication using crafted SAML messages.
However, it remains unclear if this new wave is exploiting the same bugs or a new variant. “It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719”.
Arctic Wolf advises administrators to treat this as an active threat.
- Disable SSO: If possible, turn off the FortiCloud SSO login feature temporarily. This can be done via the CLI command: set admin-forticloud-sso-login disable.
- Reset Credentials: If you find evidence of these malicious logins, assume your configuration has been stolen. “Assume that hashed firewall credentials stored in exfiltrated configurations have been compromised, and reset those credentials as soon as possible”.
- Limit Access: Restrict management interfaces to trusted internal networks to reduce the attack surface.
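The sequence the report describes (SSO admin login, config download and new admin account within seconds) can be checked in firewall event logs. The detector below is an added example, not Arctic Wolf's or Fortinet's code; the log lines are constructed, the field names (user, ui, action, cfgpath, cfgobj) and the SSO login message are assumptions, and only the config-download message is quoted from the report.

```python
import re
from datetime import datetime

# Constructed sample lines in FortiGate-style key=value syntax (field names are an
# assumption; the download message is the one quoted in the Arctic Wolf report).
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:14:07 type="event" user="cloud-init@mail.io" ui="sso" '
    'action="login" msg="Administrator cloud-init@mail.io logged in successfully from sso"',
    'date=2026-01-15 time=03:14:09 type="event" user="cloud-init@mail.io" ui="GUI" '
    'action="download" msg="System config file has been downloaded by user cloud-init@mail.io via GUI"',
    'date=2026-01-15 time=03:14:11 type="event" user="cloud-init@mail.io" ui="GUI" '
    'action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"',
    # Benign: a local admin downloading a backup hours later, with no SSO login before it.
    'date=2026-01-15 time=09:30:00 type="event" user="admin" ui="GUI" '
    'action="download" msg="System config file has been downloaded by user admin via GUI"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields

def detect_sso_config_theft(lines, window_seconds=60):
    """For each SSO login, flag a config download or admin-account creation by the
    same user within window_seconds. Returns [(user, seconds_spanned, actions)]."""
    per_user = {}
    for f in map(parse_line, lines):
        if "user" not in f:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        per_user.setdefault(f["user"], []).append((ts, f))
    findings = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        logins = [ts for ts, f in events
                  if f.get("action") == "login" and f.get("ui", "").lower() == "sso"]
        for t0 in logins:
            actions, last = [], t0
            for ts, f in events:
                if not 0 < (ts - t0).total_seconds() <= window_seconds:
                    continue
                if f.get("action") == "download":
                    actions.append("config_download")
                    last = ts
                elif f.get("action") == "Add" and f.get("cfgpath") == "system.admin":
                    actions.append("admin_added:" + f.get("cfgobj", "?"))
                    last = ts
            if actions:
                findings.append((user, int((last - t0).total_seconds()), actions))
    return findings
```

A hit means the exfiltrated config should be treated as compromised and the listed new admin accounts reviewed, as the advice above recommends.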