FortiGate Firewalls Hacked in Automated Attacks to Steal Configuration Data

A new cluster of automated malicious activity targeting FortiGate firewall devices. Beginning January 15, 2026, threat actors have been observed executing unauthorized configuration changes, establishing persistence through generic accounts, and exfiltrating sensitive firewall configuration data.

This campaign echoes a December 2025 incident involving malicious SSO logins shortly after Fortinet disclosed critical vulnerabilities CVE-2025-59718 and CVE-2025-59719.

Arctic Wolf notes that initial access methods remain unconfirmed, but the tactics mirror prior SSO abuse. Detections are active, alerting customers to suspicious activity. Fortinet has yet to confirm if existing patches fully mitigate this wave.

In early December 2025, Fortinet issued FG-IR-25-647, detailing two critical authentication bypass flaws. Attackers craft malicious SAML messages to bypass SSO login when FortiCloud SSO is enabled.

CVE ID	Description	Severity	Affected Products
CVE-2025-59718	Unauth SAML SSO bypass	Critical	FortiOS, FortiWeb, FortiProxy
CVE-2025-59719	Unauth SAML SSO bypass	Critical	FortiOS, FortiWeb, FortiSwitchManager

Post-disclosure, Arctic Wolf observed SSO logins on admin accounts, followed by config dumps and persistence. It’s unclear if the January attacks leverage the same flaws or patched variants.

Attack Chain

Arctic Wolf’s telemetry indicates that the attacks are highly automated, with multiple stages of the kill chain occurring within seconds of one another.

1. Initial Access: Malicious SSO logins are initiated from specific hosting provider IP addresses. The primary account used for these intrusions is cloud-init@mail.io.
2. Exfiltration: Immediately following the login, the attacker triggers a download of the system configuration file via the GUI interface to the same source IP.
3. Persistence: To maintain access, the attackers create secondary administrative accounts. Common usernames observed include secadmin, itadmin, and remoteadmin.

Logs indicate that the time delta between the login, the configuration export, and the account creation is negligible, confirming the use of automated scripts.

Indicators of Compromise

Monitor these IOCs for signs of compromise:

IOC	Type	Description
cloud-init@mail[.]io	Malicious account	Used for logins and config exfiltration
cloud-noc@mail[.]io	Malicious account	Used for logins and config exfiltration
104.28.244[.]115	Source IP	Observed in SSO logins and downloads
104.28.212[.]114	Source IP	Observed in intrusions
217.119.139[.]50	Source IP	Observed in intrusions
37.1.209[.]19	Source IP	Observed in intrusions
secadmin	Persistence acct	Created post-access
itadmin	Persistence acct	Created post-access
support	Persistence acct	Created post-access
backup	Persistence acct	Created post-access
remoteadmin	Persistence acct	Created post-access
audit	Persistence acct	Created post-access

Mitigations

Fortinet users should monitor official advisories and apply patches promptly (upgrade guide). Reset all credentials if activity matches—hashed creds can be cracked offline.

Restrict management interfaces to trusted internal networks, a best practice against mass scans. As a workaround, disable FortiCloud SSO:

textconfig system global
set admin-forticloud-sso-login disable
end

Organizations should hunt for these IOCs and review FortiGate logs immediately.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post FortiGate Firewalls Hacked in Automated Attacks to Steal Configuration Data appeared first on Cyber Security News.