Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations
These articles are AI-generated summaries. Please check the original sources for full details.
Arctic Wolf has identified a new wave of automated attacks targeting Fortinet FortiGate devices, beginning January 15, 2026. The attacks exploit two vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiCloud Single Sign-On (SSO) to obtain unauthorized administrative access and then modify the firewall configuration.
Why This Matters
A firewall's security value rests on two assumptions: that administrative access is tightly controlled and that the running configuration has not been tampered with. These vulnerabilities break both. Successful exploitation lets attackers persist on the device, grant themselves VPN access, and exfiltrate the firewall configuration, which carries credentials and a map of the network behind it, putting that network at risk. Given the number of FortiGate devices exposed to this activity, a widespread breach carries substantial financial and reputational risk.
Key Insights
- SAML Bypass: Exploitation relies on unauthenticated bypass of SSO login authentication via crafted SAML messages.
- Automated Activity: Events occur within seconds of each other, indicating the use of automated tools for rapid exploitation.
- Account Creation: Attackers create generic accounts (e.g., “secadmin,” “itadmin”) for persistence post-exploitation.
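The three insights above describe a sequence a SIEM can look for: an SSO administrator login, then, within seconds, a new administrator account (often a generic name such as secadmin or itadmin) and further configuration changes from the same session. The detector below, an added example that is not code from Arctic Wolf or Fortinet, runs that logic over constructed FortiGate-style event log lines. The lines reuse FortiGate's key="value" layout and real field names (logdesc, user, ui, action, cfgpath, cfgobj), but their values, the sso(...) form of the ui field, and the 60-second window are assumptions; confirm the exact strings against your own logs before deploying.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines, not real captures. Values and the "sso(...)"
# ui marker are assumptions for this demo.
SAMPLE_LOGS = """\
date=2026-01-16 time=03:14:07 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="sso(203.0.113.10)" action="login" status="success"
date=2026-01-16 time=03:14:09 type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="sso(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="secadmin" cfgattr="accprofile[super_admin]"
date=2026-01-16 time=03:14:11 type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="sso(203.0.113.10)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="status[enable]"
date=2026-01-16 time=09:02:40 type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(192.0.2.25)" action="login" status="success"
date=2026-01-16 time=09:31:05 type="event" subtype="system" level="information" logdesc="Object attribute configured" user="netops" ui="https(192.0.2.25)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[ticket 4711]"
"""

# key=value pairs; values are either "quoted, may contain spaces" or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Generic account names the report says attackers created for persistence.
SUSPICIOUS_ADMIN_NAMES = {"secadmin", "itadmin"}
WINDOW = timedelta(seconds=60)  # assumed window; the observed events were seconds apart


def parse_line(line):
    """Turn one key="value" log line into a dict with a parsed _ts timestamp."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    fields["_ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def is_sso_login(ev):
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("ui", "").startswith("sso"))


def find_sso_config_abuse(log_text, window=WINDOW):
    """For every successful SSO admin login, report configuration changes made
    by the same user from the same UI/source within `window`. Creating a new
    administrator is rated high, and critical if the name is on the watchlist."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for login in events:
        if not is_sso_login(login):
            continue
        deadline = login["_ts"] + window
        for ev in events:
            if not (login["_ts"] < ev["_ts"] <= deadline) or "cfgpath" not in ev:
                continue
            if ev.get("user") != login.get("user") or ev.get("ui") != login.get("ui"):
                continue
            delta = int((ev["_ts"] - login["_ts"]).total_seconds())
            severity = "medium"
            what = f'{ev.get("action", "?")} on {ev["cfgpath"]}'
            if ev["cfgpath"] == "system.admin" and ev.get("action") == "Add":
                name = ev.get("cfgobj", "")
                severity = "critical" if name in SUSPICIOUS_ADMIN_NAMES else "high"
                what = f'new administrator "{name}" created'
            findings.append({
                "severity": severity,
                "user": login["user"],
                "ui": login["ui"],
                "login_at": login["_ts"].isoformat(),
                "seconds_after_login": delta,
                "what": what,
            })
    return findings


if __name__ == "__main__":
    for f in find_sso_config_abuse(SAMPLE_LOGS):
        print(f'[{f["severity"]}] {f["user"]} via {f["ui"]}: {f["what"]} '
              f'({f["seconds_after_login"]}s after login at {f["login_at"]})')
```

On the sample, the SSO session produces two findings (a critical one for the secadmin account created two seconds after login, a medium one for the SSL VPN settings edit four seconds after login) while the netops session, which logged in over HTTPS and changed a policy half an hour later, produces none. Tightening the window or the field matching is a matter of editing the constants once the real field values are known.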
Practical Applications
- Use Case: Organizations running FortiGate with FortiCloud SSO login enabled are at risk of unauthorized configuration changes and configuration data exfiltration.
- Pitfall: Patching alone is not sufficient. Exploitation has been confirmed on fully patched devices (see the related Fortinet confirmation below), so the “admin-forticloud-sso-login” setting should also be disabled; devices that keep it enabled remain exposed.
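Because the pitfall is a setting rather than a missing patch, it is worth checking across configuration backups rather than device by device. The script below is an added example (not Fortinet's or Arctic Wolf's code) that parses a FortiOS-style configuration excerpt, reports whether admin-forticloud-sso-login is enabled, disabled, or not explicitly set, and lists administrator accounts that are not on an expected list, since the generic accounts attackers create for persistence remain in the config. The configuration text is constructed for the demo; the setting's location under config system global is taken from the FortiOS CLI, while treating an absent line as "review" is an assumption (the firmware default is not stated on this page).

```python
# Constructed FortiOS configuration excerpt (not from a real device); the
# layout mirrors a backup file: config / edit / set / next / end.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-BRANCH-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
    edit "secadmin"
        set accprofile "super_admin"
    next
end
"""

# Corrected setting, as it would be typed on the CLI (assumed exact syntax):
#   config system global
#       set admin-forticloud-sso-login disable
#   end


def parse_fortios_config(text):
    """Walk config/edit/set/next/end blocks into {path: {edit_name: {attr: value}}}.
    'set' lines that sit directly under a config block (no edit) use key None."""
    stack = []      # one [path, current_edit] entry per open config block
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[len("config "):], None])
        elif line.startswith("edit "):
            stack[-1][1] = line[len("edit "):].strip('"')
        elif line.startswith("set "):
            attr, _, value = line[len("set "):].partition(" ")
            path, edit = stack[-1]
            entries.setdefault(path, {}).setdefault(edit, {})[attr] = value.strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return entries


def forticloud_sso_login_state(text):
    """Return 'enable', 'disable', or None when the line is absent (device at
    its firmware default; this check treats that as needing review)."""
    glob = parse_fortios_config(text).get("system global", {}).get(None, {})
    return glob.get("admin-forticloud-sso-login")


def unexpected_admins(text, expected):
    """Administrator names in 'config system admin' that are not in `expected`."""
    admins = parse_fortios_config(text).get("system admin", {})
    return sorted(n for n in admins if n is not None and n not in expected)


def audit(text, expected_admins=("admin",)):
    """Collect findings for one configuration; an empty list means it passed."""
    findings = []
    state = forticloud_sso_login_state(text)
    if state != "disable":
        findings.append(
            f"admin-forticloud-sso-login is {state or 'not explicitly set'}; "
            "set it to disable (config system global / set admin-forticloud-sso-login disable / end)")
    for name in unexpected_admins(text, set(expected_admins)):
        findings.append(f'unexpected administrator account "{name}"')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports two findings: the SSO login setting is still enabled, and an administrator named secadmin exists that is not on the expected list. Pointing it at a directory of exported backups turns the pitfall into a fleet-wide check that is independent of firmware version.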
Related Content
Fortinet Firewalls Hit With Malicious Configuration Changes
Compromised FortiGate devices are experiencing automated malicious SSO logins and configuration data theft.
Fortinet Confirms Active FortiCloud SSO Bypass on Patched Firewalls
Fortinet confirms ongoing exploitation of a FortiCloud SSO bypass (CVE-2025-59718/CVE-2025-59719) even on fully patched FortiGate devices, highlighting SAML vulnerability risks.
FortiGate Appliances Targeted to Steal LDAP Credentials and Breach Networks
Threat actors are exploiting FortiGate NGFW vulnerabilities to extract configuration files and decrypt LDAP credentials for Active Directory access.