Cybersecurity firm Arctic Wolf has issued a warning regarding a new wave of automated malicious activity targeting Fortinet FortiGate devices. This sophisticated threat involves unauthorized configuration changes, including the creation of persistent user accounts and the exfiltration of sensitive firewall data, commencing on January 15, 2026.
The ongoing campaign exhibits striking similarities to a previous incident in December 2025. In that campaign, attackers exploited two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, to bypass single sign-on (SSO) authentication on FortiGate appliances. These vulnerabilities, when present and enabled via the FortiCloud SSO feature, allow unauthenticated access to administrative functions through specially crafted SAML messages. The affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Fortinet FortiGate Vulnerability Exploited for Network Intrusion
The current cluster of malicious activity, as detailed by Arctic Wolf, centers on unauthorized SSO logins to a specific malicious account, “[email protected].” These logins originate from a small set of four distinct IP addresses, suggesting a coordinated and potentially automated attack vector. Following successful, albeit illicit, authentication, threat actors are observed creating generic administrative accounts for persistence. These newly created accounts, such as “secadmin,” “itadmin,” “support,” “backup,” “remoteadmin,” and “audit,” are then granted VPN access. This strategic maneuver allows attackers to maintain a foothold within the compromised network.
Furthermore, the attackers are actively exfiltrating the firewall’s configuration files. The configuration is exported through the device’s graphical user interface (GUI) to the same IP addresses from which the malicious SSO logins originated. Arctic Wolf notes that the rapid succession of these events, occurring within seconds of each other, strongly indicates the use of automation in executing these malicious actions.
The listed source IP addresses associated with this activity are: 104.28.244[.]115, 104.28.212[.]114, 217.119.139[.]50, and 37.1.209[.]19. The precise nature of the compromised configurations or the intended downstream impact of this data exfiltration remains under investigation.
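As an added illustration that is not part of the Arctic Wolf or Fortinet material, the Python sketch below correlates the three indicators described above (SSO login from a listed IP, creation of a generic admin account, configuration export to a listed IP) over constructed FortiGate-style key=value log lines and alerts when they occur from one source within a short window. The field names, the placeholder SSO user, the benign lines and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Indicators from the Arctic Wolf activity cluster described above.
SOURCE_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
GENERIC_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
WINDOW = timedelta(seconds=60)  # assumed; the report only says "within seconds"
# Constructed sample logs in FortiGate-style key=value form. Field names, the placeholder
# SSO user and the benign lines are assumptions for illustration, not a verbatim Fortinet format.
SAMPLE_LOGS = """\
date=2026-01-15 time=10:02:11 action="login" method="sso" user="sso-user@example.invalid" srcip="104.28.244.115" status="success"
date=2026-01-15 time=10:02:14 action="Add" cfgpath="system.admin" cfgobj="secadmin" user="sso-user@example.invalid" srcip="104.28.244.115"
date=2026-01-15 time=10:02:19 action="backup" cfgpath="system.config" user="sso-user@example.invalid" srcip="104.28.244.115" status="success"
date=2026-01-15 time=11:30:00 action="login" method="sso" user="admin" srcip="10.0.0.5" status="success"
date=2026-01-15 time=11:45:02 action="Add" cfgpath="system.admin" cfgobj="helpdesk2" user="admin" srcip="10.0.0.5"
"""
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse(line):
    """Parse one key=value line into a dict; quoted and bare values are both accepted."""
    rec = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
           for m in KV.finditer(line)}
    rec["ts"] = datetime.fromisoformat(f'{rec["date"]} {rec["time"]}')
    return rec

def classify(rec):
    """Name the campaign indicator a single record matches, or return None."""
    ioc_ip = rec.get("srcip") in SOURCE_IPS
    if rec.get("action") == "login" and rec.get("method") == "sso" and ioc_ip:
        return "sso_login_from_ioc_ip"
    if rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin" and rec.get("cfgobj") in GENERIC_ADMINS:
        return "generic_admin_created"
    if rec.get("action") == "backup" and rec.get("cfgpath") == "system.config" and ioc_ip:
        return "config_export_to_ioc_ip"
    return None

def detect(log_text):
    """Return (srcip, indicators, span_seconds) per source IP with >=2 distinct indicators inside WINDOW."""
    hits = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        tag = classify(rec)
        if tag:
            hits.setdefault(rec["srcip"], []).append((rec["ts"], tag))
    alerts = []
    for ip, events in hits.items():
        events.sort()
        span = events[-1][0] - events[0][0]
        tags = sorted({t for _, t in events})
        if len(tags) >= 2 and span <= WINDOW:
            alerts.append((ip, tags, int(span.total_seconds())))
    return alerts
```

A legitimate SSO login from an unlisted address or a single generic-name account creation on its own does not alert; only the chained sequence from one source does.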
User Reports and Fortinet’s Response
This disclosure from Arctic Wolf aligns with recent reports from users on platforms like Reddit. Multiple individuals have reported observing unauthorized and malicious SSO login attempts on their Fortinet FortiGate devices, even on systems that are fully patched. One user specifically mentioned that the “Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10,” highlighting ongoing concerns about the effectiveness of current security patches.
The Hacker News has reached out to Fortinet for an official comment on these findings and the reported persistence of the vulnerability. An update to this story will be provided should Fortinet respond. In the interim, cybersecurity professionals are advised to proactively disable the “admin-forticloud-sso-login” setting on their FortiGate devices to mitigate the immediate risk posed by these specific exploitation methods. This precautionary measure is crucial for preventing unauthorized access and potential data breaches.
The ongoing investigation into this Fortinet FortiGate vulnerability and the new cluster of automated malicious activity will likely focus on identifying the full scope of compromised devices and the ultimate goals of the threat actors. The security community awaits further clarification from Fortinet regarding the remediation status of CVE-2025-59718 and CVE-2025-59719 and expects that forthcoming security advisories will provide clear guidance for fortifying affected systems.