By rssfeeds-admin 
This campaign echoes a December 2025 incident involving malicious SSO logins shortly after Fortinet disclosed critical vulnerabilities CVE-2025-59718 and CVE-2025-59719.
Arctic Wolf notes that initial access methods remain unconfirmed, but the tactics mirror prior SSO abuse. Detections are active, alerting customers to suspicious activity. Fortinet has yet to confirm if existing patches fully mitigate this wave.
In early December 2025, Fortinet issued FG-IR-25-647, detailing two critical authentication bypass flaws. Attackers craft malicious SAML messages to bypass SSO login when FortiCloud SSO is enabled.
| CVE ID | Description | Severity | Affected Products |
|---|---|---|---|
| CVE-2025-59718 | Unauth SAML SSO bypass | Critical | FortiOS, FortiWeb, FortiProxy |
| CVE-2025-59719 | Unauth SAML SSO bypass | Critical | FortiOS, FortiWeb, FortiSwitchManager |
Post-disclosure, Arctic Wolf observed SSO logins on admin accounts, followed by config dumps and persistence. It’s unclear if the January attacks leverage the same flaws or patched variants.
Attack Chain
Arctic Wolf’s telemetry indicates that the attacks are highly automated, with multiple stages of the kill chain occurring within seconds of one another.
- Initial Access: Malicious SSO logins are initiated from specific hosting provider IP addresses. The primary account used for these intrusions is cloud-init@mail.io.
- Exfiltration: Immediately following the login, the attacker triggers a download of the system configuration file via the GUI interface to the same source IP.
- Persistence: To maintain access, the attackers create secondary administrative accounts. Common usernames observed include secadmin, itadmin, and remoteadmin.
Logs indicate that the time delta between the login, the configuration export, and the account creation is negligible, confirming the use of automated scripts.
Indicators of Compromise
Monitor these IOCs for signs of compromise:
| IOC | Type | Description |
|---|---|---|
| cloud-init@mail[.]io | Malicious account | Used for logins and config exfiltration |
| cloud-noc@mail[.]io | Malicious account | Used for logins and config exfiltration |
| 104.28.244[.]115 | Source IP | Observed in SSO logins and downloads |
| 104.28.212[.]114 | Source IP | Observed in intrusions |
| 217.119.139[.]50 | Source IP | Observed in intrusions |
| 37.1.209[.]19 | Source IP | Observed in intrusions |
| secadmin | Persistence acct | Created post-access |
| itadmin | Persistence acct | Created post-access |
| support | Persistence acct | Created post-access |
| backup | Persistence acct | Created post-access |
| remoteadmin | Persistence acct | Created post-access |
| audit | Persistence acct | Created post-access |
Mitigations
Fortinet users should monitor official advisories and apply patches promptly (upgrade guide). Reset all credentials if activity matches—hashed creds can be cracked offline.
Restrict management interfaces to trusted internal networks, a best practice against mass scans. As a workaround, disable FortiCloud SSO:
textconfig system global
set admin-forticloud-sso-login disable
end
Organizations should hunt for these IOCs and review FortiGate logs immediately.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post FortiGate Firewalls Hacked in Automated Attacks to Steal Configuration Data appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.