dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

info@thehackernews.com (The Hacker News)
January 22, 2026
Cybersecurity company Arctic Wolf has warned of a “new cluster of automated malicious activity” that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from
Total
0
Shares
0
0
0
[[{“value”:”

Cybersecurity company Arctic Wolf has warned of a “new cluster of automated malicious activity” that involves unauthorized firewall configuration changes on Fortinet FortiGate devices.

The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719.

Both vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected Devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Cybersecurity

“This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations,” Arctic Wolf said of the developing threat cluster.

Specifically, this entails carrying out malicious SSO logins against a malicious account “cloud-init@mail.io” from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface. The list of source IP addresses is below –

  • 104.28.244[.]115
  • 104.28.212[.]114
  • 217.119.139[.]50
  • 37.1.209[.]19

In addition, the threat actors have been observed creating secondary accounts, such as “secadmin,” “itadmin,” “support,” “backup,” “remoteadmin,” and “audit,” for persistence.

“All of the above events took place within seconds of each other, indicating the possibility of automated activity,” Arctic Wolf added.

Cybersecurity

The disclosure coincides with a post on Reddit in which multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices, with one user stating the “Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10.”

The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back. In the interim, it’s advised to disable the “admin-forticloud-sso-login” setting.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

January 21, 2026
Next Post

WAM Morocco

January 22, 2026
Related Posts
2 min

Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability

Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. "Type
info@thehackernews.com (The Hacker News)
November 17, 2025
Read More
1 min

ThreatsDay Bulletin: GhostAd Drain, macOS Attacks, Proxy Botnets, Cloud Exploits, and 12+ Stories

The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it’s that threat actors don’t pause for holidays or resolutions. They just evolve faster. This week’s round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what “cybercrime” looks like in
info@thehackernews.com (The Hacker News)
January 1, 2026
Read More
3 min

CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms

CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to
info@thehackernews.com (The Hacker News)
January 31, 2026
Read More