A newly observed wave of automated cyberattacks is actively targeting Fortinet FortiGate firewalls by exploiting previously disclosed vulnerabilities in the FortiCloud Single Sign-On (SSO) feature.
According to reports from Arctic Wolf, the campaign began around January 15, 2026, and closely mirrors a similar attack pattern documented in December 2025. Despite patches issued by Fortinet, attackers are successfully performing unauthorized logins and altering firewall configurations.
The threat actors are leveraging crafted SAML messages to bypass authentication, leading to admin-level access where they create persistent accounts and exfiltrate configuration files.
Evidence from multiple security sources points to automated activity and indicates the flaws may not be fully resolved in the latest firmware versions.
Why It Matters: Fortinet firewalls are widely deployed in enterprise and government environments. The exploitation of these SSO vulnerabilities enables full administrative access and compromises the integrity of network defenses by allowing the theft of sensitive configurations. With over 11,000 exposed Fortinet devices online, the scale of risk is significant, and current patches may not be sufficient.
- SSO Authentication Bypass via CVE-2025-59718 and CVE-2025-59719: Fortinet devices are being accessed through vulnerabilities that allow attackers to bypass login requirements when FortiCloud SSO is enabled. By crafting specific SAML messages, malicious actors can impersonate authorized users and gain administrative control. These flaws were disclosed in December 2025 and were thought to have been addressed by a patch, but recent incidents suggest that the vulnerabilities remain exploitable on newer firmware versions, including FortiOS 7.4.10. The attacks began in mid-January 2026 and are consistent with tactics used in previous campaigns, raising concerns about the effectiveness of the initial fix.
- Automated Attacks with Rogue Admin Account Creation: Once inside the firewall system, attackers immediately create new administrative accounts with names such as “secadmin,” “support,” “remoteadmin,” and others. These accounts allow continued access without needing to re-exploit the original flaw. The speed of the process indicates the use of scripts or tools to automate the intrusion. These actions suggest that attackers have rehearsed the sequence and optimized it for minimal detection time during execution.
- Indicators of Compromise Identified: Arctic Wolf has published several technical indicators connected to this activity. The main login account used by attackers is “cloud-init@mail.io,” and several IP addresses have been identified as sources of these unauthorized logins, including 104.28.244[.]115 and 217.119.139[.]50. After gaining access, the attackers use the GUI to download configuration files and perform administrative actions. These events are logged with standard system messages that show the specific interface and action taken. Matching these entries against internal firewall logs can help determine whether a device has been affected.
- Workarounds and Mitigation Steps Available: Organizations using FortiGate devices can reduce exposure by disabling the FortiCloud SSO login feature until a more complete fix is provided. This setting can be turned off in the system settings panel or by issuing a short command sequence in the device’s CLI. Admins are also advised to reset all credentials on affected systems, since configuration files may contain hashed passwords that could be cracked offline. Restricting access to the administrative interface and limiting it to trusted internal IPs can help reduce the chance of similar unauthorized actions.
- Patch Effectiveness Uncertain as New Updates Are Awaited: Despite the rollout of FortiOS 7.4.9 and 7.4.10 in December, recent attack logs confirm that systems running these versions have still been compromised. Fortinet has not provided full public confirmation on whether the flaws are completely fixed, although new firmware releases (7.4.11, 7.6.6, and 8.0.0) are expected soon. Until then, federal cybersecurity agencies, including CISA, have issued guidance that requires prompt action. Admins should follow official advisories and implement any recommended temporary measures while awaiting updated patches from Fortinet.
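As an added example (not from the article, and not Arctic Wolf's or Fortinet's own tooling), the following Python script applies the indicators from the rogue-admin and IoC bullets above to FortiOS-style key=value event logs: it flags logins as cloud-init@mail.io, activity from the two reported source addresses, any account added under system.admin (especially the campaign's rogue names), and configuration downloads. The field names and the sample log lines are constructed assumptions modelled on the general FortiOS logging format, not records taken from the page; adapt them to your own exports.

```python
import re

# Indicators quoted in the article from Arctic Wolf's reporting.
IOC_USERS = {"cloud-init@mail.io"}
IOC_IPS = {"104.28.244.115", "217.119.139.50"}
ROGUE_ADMINS = {"secadmin", "support", "remoteadmin"}

# FortiOS event logs are key=value records with optionally quoted values. The
# field names used below (user, srcip, ui, action, cfgpath, cfgobj) are assumed
# from the usual FortiOS system-event layout; adjust them to your firmware.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line: str) -> dict:
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def assess(rec: dict) -> list:
    """Return findings for one parsed record; an empty list means nothing matched."""
    user, srcip, action = rec.get("user", ""), rec.get("srcip", ""), rec.get("action", "")
    findings = []
    if user in IOC_USERS:
        findings.append(f"login as known IoC account {user}")
    if srcip in IOC_IPS:
        findings.append(f"activity from known IoC address {srcip}")
    if action == "Add" and rec.get("cfgpath") == "system.admin":
        name = rec.get("cfgobj", "")
        kind = "campaign rogue-admin name" if name in ROGUE_ADMINS else "new admin account"
        findings.append(f"{kind} created: {name}")
    if action == "backup-config":
        findings.append(f"configuration downloaded by {user} via {rec.get('ui', '?')}")
    return findings

def scan(lines) -> list:
    """Return (line_number, findings) for every record that raised a finding."""
    hits = [(n, assess(parse_kv(line))) for n, line in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]

# Constructed sample lines (not real telemetry) in the FortiOS key=value style.
SAMPLE_LOGS = [
    'date=2026-01-16 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    'date=2026-01-16 time=03:14:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="cloud-init@mail.io" ui="https(104.28.244.115)" srcip=104.28.244.115 action="login" status="success"',
    'date=2026-01-16 time=03:14:09 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="cloud-init@mail.io" ui="GUI(104.28.244.115)" srcip=104.28.244.115 action="Add" cfgpath="system.admin" cfgobj="secadmin"',
    'date=2026-01-16 time=03:15:30 type="event" subtype="system" logdesc="Configuration backed up" '
    'user="secadmin" ui="GUI(217.119.139.50)" srcip=217.119.139.50 action="backup-config"',
]
```

Feed `scan()` the lines of an exported event log; on the constructed sample it reports lines 2, 3 and 4 and leaves the ordinary admin login on line 1 untouched.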
Hackers breach Fortinet FortiGate devices, steal firewall configs – BleepingComputer