Cybersecurity company Arctic Wolf has warned of a “new cluster of automated malicious activity” that involves unauthorized firewall configuration changes on Fortinet FortiGate devices.
The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719.
Both vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected Devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
“This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations,” Arctic Wolf said of the developing threat cluster.
Specifically, this entails carrying out malicious SSO logins against a malicious account “[email protected]” from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface. The list of source IP addresses is below –
- 104.28.244[.]115
- 104.28.212[.]114
- 217.119.139[.]50
- 37.1.209[.]19
In addition, the threat actors have been observed creating secondary accounts, such as “secadmin,” “itadmin,” “support,” “backup,” “remoteadmin,” and “audit,” for persistence.
“All of the above events took place within seconds of each other, indicating the possibility of automated activity,” Arctic Wolf added.
The disclosure coincides with a post on Reddit in which multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices, with one user stating the “Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10.”
The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back. In the interim, it’s advised to disable the “admin-forticloud-sso-login” setting.
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
