Full Report
Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, it said, commenced on January 15, 2026, adding that it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from
Analysis Summary
# Incident Report: Unauthorized FortiGate Configuration Changes via Malicious SSO
## Executive Summary
A cluster of automated malicious activity began on January 15, 2026, targeting Fortinet FortiGate devices. Threat actors exploited vulnerabilities (similar to those exploited in December 2025 campaigns) to gain unauthorized access via crafted SAML messages against the FortiCloud SSO feature. This resulted in the creation of persistence accounts, unauthorized VPN access grants, and the exfiltration of firewall configuration files. The rapid execution suggests automated exploitation.
## Incident Details
- Discovery Date: January 15, 2026 (the date the activity commenced; identified and reported by Arctic Wolf)
- Incident Date: Commenced January 15, 2026
- Affected Organization: Unspecified organizations utilizing FortiGate devices with FortiCloud SSO enabled.
- Sector: Unspecified (Applies broadly to environments using affected Fortinet products)
- Geography: Global (Implied by the nature of cloud/internet-facing services)
## Timeline of Events
### Initial Access
- Date/Time: Commenced January 15, 2026 (Events occurred within seconds of each other)
- Vector: Exploitation of vulnerabilities (similar to CVE-2025-59718 and CVE-2025-59719) leading to unauthenticated bypass of SSO login authentication.
- Details: Malicious SSO logins were performed against the account **"[email protected]"** using crafted SAML messages when the FortiCloud SSO feature was enabled.
### Lateral Movement
- Date/Time: Approximately simultaneous with Initial Access/Persistence establishment.
- Details: Threat actors created several secondary generic accounts (e.g., "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit") for persistence. Configuration changes were made to grant these new accounts VPN access.
### Data Exfiltration/Impact
- Date/Time: Following establishment of persistence and account creation.
- Details: Firewall configuration files were exported via the GUI to the same source IP addresses used in the initial access phase.
### Detection & Response
- Date/Time: After commencement on January 15, 2026 (Reported by Arctic Wolf).
- Details: Arctic Wolf identified the automated activity cluster. Recommended immediate action was to disable the **"admin-forticloud-sso-login"** setting.
## Attack Methodology
- Initial Access: Exploitation of FortiCloud SSO authentication bypass via crafted SAML messages exploiting known critical vulnerabilities affecting various Fortinet products (likely FortiOS, FortiWeb, FortiProxy, FortiSwitchManager).
- Persistence: Creation of multiple generic user accounts ("secadmin," "itadmin," etc.).
- Privilege Escalation: Implicit, as the goal was to execute configuration changes (which requires administrative rights, likely gained through the SSO bypass or creation of initial privileged accounts).
- Defense Evasion: High automation suggests the attack was designed for speed and to cycle through access points quickly.
- Credential Access: Not explicitly mentioned for *local* credentials, but initial authentication was bypassed via SSO weakness.
- Discovery: Implied reconnaissance to identify configuration file locations.
- Lateral Movement: Creating new user accounts and granting them VPN access.
- Collection: Exporting of firewall configuration files.
- Exfiltration: Exporting configuration files to attacker-controlled IP addresses via the GUI.
- Impact: Unauthorized configuration changes, creation of backdoors, and theft of security architecture/policy details (firewall configurations).
## Impact Assessment
- Financial: Not specified.
- Data Breach: Export of firewall configuration files (sensitive network security architecture data).
- Operational: Potential for unauthorized VPN access post-compromise and subsequent operational disruption if configurations were maliciously altered.
- Reputational: Potential negative impact for affected organizations due to exposure of security weaknesses.
## Indicators of Compromise
- Source IP Addresses (attacker IPs, defanged):
  - 104.28.244[.]115
  - 104.28.212[.]114
  - 217.119.139[.]50
  - 37.1.209[.]19
- Usernames Involved: **"[email protected]"** (the account targeted by the initial SSO login); accounts created for persistence: "secadmin," "itadmin," "support," "backup," "remoteadmin," "audit."
- Behavioral Indicators: Rapid sequence of malicious SSO logins followed immediately by configuration exports (occurring "within seconds of each other").
## Response Actions
- Containment: Disabling the **"admin-forticloud-sso-login"** setting (per Arctic Wolf recommendation).
- Eradication: Deletion of newly created malicious accounts ("secadmin," "itadmin," etc.) and revoking any granted VPN access.
- Recovery: Reviewing and reverting any unauthorized firewall configuration changes. Confirming all exported configuration data has been secured/wiped from attacker control (if possible).
## Lessons Learned
- The continued effectiveness of automated attacks leveraging weaknesses in SSO authentication mechanisms (confirmed to exist even in recently patched versions, e.g., FortiOS 7.4.10).
- The critical nature of rapidly disabling or isolating newly created persistence mechanisms (generic administrator accounts).
- Reliance on automated tooling allows threats to execute complex stages (login, account creation, configuration export) in rapid succession, demanding equally fast detection and response.
## Recommendations
1. **Immediate Mitigation:** Organizations must immediately disable the "admin-forticloud-sso-login" setting on all affected FortiGate devices until a definitive, verified patch is deployed and confirmed effective.
2. **Software Patching:** Ensure all Fortinet products (FortiOS, FortiWeb, etc.) are updated to versions explicitly validated to fix CVE-2025-59718 and CVE-2025-59719.
3. **Monitoring Enhancement:** Increase monitoring around FortiGate GUI access and administrative account creation events, especially those originating from SSO flows, looking for highly repetitive or suspicious activity patterns.
4. **Account Review:** Conduct a sweeping audit of all administrative and service accounts, paying close attention to generic names used for persistence.
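One way to operationalise the behavioral indicator above (SSO login followed within seconds by account creation and configuration export) together with Recommendations 3 and 4, as an added example that is not part of the original report or of Arctic Wolf's tooling: the script correlates SSO logins with admin-account creation and configuration exports from the same source IP inside a short window, and flags the generic persistence names. The key=value log format, the field names (srcip, action, ui, cfgpath, cfgobj) and the sample lines are constructed assumptions, not the real FortiOS log schema.

```python
import re
from datetime import datetime, timedelta

# Generic persistence account names listed in the report.
GENERIC_ADMIN_NAMES = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
WINDOW = timedelta(seconds=30)  # the report says events landed "within seconds of each other"

# Assumed key=value line format; values may be bare or double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one constructed key=value log line into a dict with a datetime 'ts'."""
    ev = {k: v.strip('"') for k, v in _KV.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev

def detect_sso_abuse(lines, window=WINDOW):
    """Return one alert per SSO login that is followed, from the same source IP and
    within `window`, by admin-account creation or a configuration export."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for login in (e for e in events if e["action"] == "login" and e.get("ui") == "sso"):
        same_src = [e for e in events
                    if e.get("srcip") == login["srcip"] and login["ts"] < e["ts"] <= login["ts"] + window]
        created = [e["cfgobj"] for e in same_src
                   if e["action"] == "add" and e.get("cfgpath") == "system.admin"]
        exports = [e for e in same_src if e["action"] == "export"]
        if created or exports:
            alerts.append({
                "srcip": login["srcip"],
                "sso_user": login["user"],
                "created_admins": created,
                "generic_names": sorted(set(created) & GENERIC_ADMIN_NAMES),
                "config_exports": len(exports),
                "span_seconds": int((max(e["ts"] for e in same_src) - login["ts"]).total_seconds()),
            })
    return alerts

# Constructed sample (documentation IP ranges): one SSO login, two admin creations and a
# config export from the same IP within 12 seconds, plus a benign console login.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:40 srcip=203.0.113.10 user="admin" action=login ui=sso status=success',
    'date=2026-01-15 time=03:12:44 srcip=203.0.113.10 user="admin" action=add cfgpath=system.admin cfgobj=secadmin',
    'date=2026-01-15 time=03:12:47 srcip=203.0.113.10 user="admin" action=add cfgpath=system.admin cfgobj=remoteadmin',
    'date=2026-01-15 time=03:12:52 srcip=203.0.113.10 user="admin" action=export msg="config backup"',
    'date=2026-01-15 time=09:00:00 srcip=192.0.2.5 user="netops" action=login ui=console status=success',
]

if __name__ == "__main__":
    for alert in detect_sso_abuse(SAMPLE_LOGS):
        print(alert)
```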