Threat actors are actively exploiting Fortinet FortiGate firewalls in a new cluster of automated attacks that target devices exposed to the internet. These attacks aim to gain unauthorized access to firewall systems, create rogue administrative accounts, and steal sensitive configuration data.
- Activity started around January 15, 2026, with malicious actors observed logging into FortiGate devices and exporting their configurations within seconds — indicating highly automated tooling.
- The attacks involve creating generic accounts (e.g., “secadmin”, “itadmin”, “remoteadmin”) for persistence and enabling VPN access through those accounts.
How They’re Getting In
Security researchers believe the attacks rely on abusing Fortinet’s FortiCloud Single Sign-On (SSO) feature and known authentication bypass vulnerabilities in FortiOS and related products:
- The attackers have been seen leveraging flaws such as CVE-2025-59718 and CVE-2025-59719, which allow standard authentication to be bypassed when the FortiCloud SSO feature is enabled.
- Successful SSO logins with malicious accounts let attackers gain admin-level control, manipulate configurations, and download config files including sensitive settings.
Reports from administrators indicate that even fully patched FortiOS devices have shown malicious SSO activity, suggesting incomplete fixes or persistent vulnerabilities.
What’s Being Stolen
Once attackers gain access:
- They export firewall configuration files, which can include routing rules, VPN settings, and in some cases hashed credentials and other sensitive data.
- This stolen information can be used for deeper network intrusion, credential cracking, lateral movement, or further attacks on corporate systems.
IOCs
| IOC | Type | Description |
|---|---|---|
| cloud-init@mail[.]io | Malicious account | Used for logins and config exfiltration |
| cloud-noc@mail[.]io | Malicious account | Used for logins and config exfiltration |
| 104.28.244[.]115 | Source IP | Observed in SSO logins and downloads |
| 104.28.212[.]114 | Source IP | Observed in intrusions |
| 217.119.139[.]50 | Source IP | Observed in intrusions |
| 37.1.209[.]19 | Source IP | Observed in intrusions |
| secadmin | Persistence account | Created post-access |
| itadmin | Persistence account | Created post-access |
| support | Persistence account | Created post-access |
| backup | Persistence account | Created post-access |
| remoteadmin | Persistence account | Created post-access |
| audit | Persistence account | Created post-access |
What Security Teams Are Seeing
Industry reporting and alerts highlight:
- The attacks happen very quickly, often automating account creation, configuration changes, and data exfiltration within seconds.
- Activity resembles earlier campaigns documented in late 2025 that exploited similar FortiGate SSO bypass bugs.
- Security firms like Arctic Wolf have detections in place and are actively tracking this cluster of threats.
What This Means
This isn’t a one-off incident but part of a broader trend in automated, sophisticated attacks on widely deployed network devices, where attackers rapidly weaponize known vulnerabilities for maximum access and data theft.
Recommended Mitigations
Although Fortinet has issued patches for some of the vulnerabilities, researchers recommend the following:
- Ensure all FortiGate devices are fully updated with the latest FortiOS/FortiCloud SSO fixes.
- Disable FortiCloud SSO login (the feature being targeted) where not required.
- Audit all accounts and credentials — especially newly created or generic admin accounts.
- Monitor logs for unusual SSO activity and unauthorized configuration changes.
If you manage FortiGate firewalls, it’s critical to verify that your devices are patched, access controls are hardened, and detection tools are tuned to alert on suspicious activity.
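As an added detection example (not from the original reporting or from Fortinet), the following Python triages FortiGate-style event log lines for the behaviours described above: successful logins from the listed IPs or accounts, creation of the generic admin accounts, and a configuration export within seconds of a login. The key=value field names and the sample records are assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Indicators from the IOC table above (defanging brackets removed for matching).
IOC_ACCOUNTS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
GENERIC_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
RAPID_WINDOW = timedelta(seconds=60)  # login followed by export this fast suggests tooling

# FortiOS event logs are key=value records; the field names and values matched below
# (action, status, cfgpath, cfgobj, msg) are assumptions for this example, not verified.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
def parse_event(line):
    # Quoted values may contain spaces; bare values end at whitespace.
    return {k: q or b for k, q, b in KV_RE.findall(line)}
def event_time(ev):
    return datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
def triage(lines):
    """Return (rule, subject, srcip) findings for the behaviours described above."""
    findings, last_login = [], {}  # last_login: srcip -> time of last successful login
    for line in lines:
        ev = parse_event(line)
        user, src, action = ev.get("user", ""), ev.get("srcip", ""), ev.get("action", "")
        if action == "login" and ev.get("status") == "success":
            last_login[src] = event_time(ev)
            if src in IOC_IPS:
                findings.append(("login_from_ioc_ip", user, src))
            if user.lower() in IOC_ACCOUNTS:
                findings.append(("login_as_ioc_account", user, src))
        elif action == "Add" and ev.get("cfgpath") == "system.admin":
            if ev.get("cfgobj", "").lower() in GENERIC_ADMINS:
                findings.append(("generic_admin_created", ev["cfgobj"], src))
        elif action == "download" and "configuration" in ev.get("msg", "").lower():
            findings.append(("config_export", user, src))
            if src in last_login and event_time(ev) - last_login[src] <= RAPID_WINDOW:
                findings.append(("rapid_login_to_export", user, src))
    return findings

# Constructed sample records (not real telemetry): an automated intrusion matching
# the IOCs, then a benign admin session whose config export is not "rapid".
SAMPLE_LOGS = [
    'date=2026-01-16 time=03:14:07 action="login" status="success" user="cloud-init@mail.io" srcip=104.28.244.115 method="sso" msg="Administrator logged in via SSO"',
    'date=2026-01-16 time=03:14:09 action="Add" user="cloud-init@mail.io" srcip=104.28.244.115 cfgpath="system.admin" cfgobj="secadmin"',
    'date=2026-01-16 time=03:14:11 action="download" user="cloud-init@mail.io" srcip=104.28.244.115 msg="User downloaded configuration file"',
    'date=2026-01-16 time=08:02:41 action="login" status="success" user="admin" srcip=10.0.0.5 method="https" msg="Administrator logged in"',
    'date=2026-01-16 time=08:30:02 action="download" user="admin" srcip=10.0.0.5 msg="User downloaded configuration file"',
]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOGS), sep="\n")
```

The benign session still produces a `config_export` finding, which is intentional: any configuration download is worth a look, but only the one that follows a login within the window is escalated as likely automation.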
