
Threat actors are exploiting previously disclosed SSO vulnerabilities to gain unauthorized access, create persistent backdoor accounts, and exfiltrate sensitive firewall configurations containing credentials and network topology details.
Attack Overview
The campaign involves attackers establishing unauthorized administrative accounts through FortiCloud SSO bypass, then automatically extracting firewall configurations to external servers.
Malicious logins target generic service accounts like cloud-init@mail.io, followed by rapid configuration downloads and persistence account creation, all occurring within seconds, indicating a fully automated exploitation infrastructure.
This activity mirrors a December 2025 campaign documented by Arctic Wolf, suggesting threat actors continue leveraging the same CVE vulnerabilities against unpatched or improperly defended deployments.
Vulnerabilities Under Exploitation
Fortinet released advisories in early December for two critical authentication bypass flaws:
- CVE-2025-59718: SAML authentication bypass allowing unauthenticated SSO login
- CVE-2025-59719: Related authentication bypass vulnerability
Both vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled.
Arctic Wolf confirmed that patches issued for these CVEs may not fully address the current threat activity, suggesting attackers have adapted their techniques or discovered additional access vectors.
Attackers authenticate via malicious SSO logins originating from specific hosting providers, then execute automated commands to download entire firewall configurations through the web GUI.
Secondary persistence accounts (secadmin, itadmin, support, backup, remoteadmin, audit) are created immediately after initial compromise for long-term access.
Log analysis reveals configuration exfiltration occurs to the same source IP addresses used for authentication, with all activities executing within seconds, demonstrating sophisticated automation and reconnaissance capabilities.
Organizations managing FortiGate deployments should:
- Patch immediately – Apply all available Fortinet security updates, particularly addressing CVE-2025-59718 and CVE-2025-59719
- Reset credentials – Change all firewall administrative passwords and review audit logs for unauthorized account creation
- Restrict management access – Limit firewall GUI and SSH access to trusted internal networks only; disable public internet exposure
- Disable SSO temporarily – Turn off FortiCloud SSO via System → Settings or the CLI command `set admin-forticloud-sso-login disable` until full remediation is confirmed
- Monitor for IOCs – Search logs for the malicious accounts and source IPs listed below; investigate any configuration downloads to external addresses
| IOC | Type | Description |
|---|---|---|
| cloud-init@mail.io | Account | Malicious account exfiltrating configs |
| cloud-noc@mail.io | Account | Malicious account exfiltrating configs |
| 104.28.244[.]115 | IP Address | Source of intrusions |
| 104.28.212[.]114 | IP Address | Source of intrusions |
| 217.119.139[.]50 | IP Address | Source of intrusions |
| 37.1.209[.]19 | IP Address | Source of intrusions |
| secadmin, itadmin, support, backup, remoteadmin, audit | Accounts | Persistence accounts created post-compromise |
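The log pattern described above (an SSO login from an attacker IP, a configuration download and a persistence-account creation all within seconds) is the kind of sequence a SIEM rule can correlate. The following is an added example, not code from Arctic Wolf, Fortinet or the article: it parses FortiOS-style key=value event log lines, flags logins matching the IOC table, flags creation of any of the listed persistence accounts, and raises a separate alert whenever a configuration download follows a login from the same source IP inside a short window, so that it still fires if the attacker changes accounts or IPs. The log lines are constructed samples; the exact `logdesc`, `action` and `cfgpath` values used to recognise a configuration backup and an admin-account creation are assumptions and should be checked against the firmware's own log reference before use.

```python
import re
from datetime import datetime, timedelta

# IOCs taken from the table above (de-fanged brackets removed).
IOC_ACCOUNTS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
PERSISTENCE_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# Constructed sample log lines in FortiOS key=value syslog style (not real device output).
# Lines 1-2: a legitimate admin login and a backup half an hour later.
# Lines 3-5: the automated pattern from the report: SSO login, backup 3 s later, new admin 6 s later.
SAMPLE_LOGS = """
date=2026-01-10 time=08:00:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success"
date=2026-01-10 time=08:30:00 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="backup" status="success"
date=2026-01-10 time=09:12:01 type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success"
date=2026-01-10 time=09:12:04 type="event" subtype="system" logdesc="Configuration backup" user="cloud-init@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 action="backup" status="success"
date=2026-01-10 time=09:12:07 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 action="Add" cfgpath="system.admin" cfgobj="secadmin" cfgattr="accprofile[super_admin]"
""".strip().splitlines()

# key=value or key="quoted value" pairs; quoted values may contain spaces and parentheses.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime under 'ts'."""
    ev = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
          for m in KV_RE.finditer(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def classify(ev):
    """Return 'login', 'config_download', 'admin_create' or None for an event.
    The field values matched here are assumed; verify them against the device's log reference."""
    if ev.get("action") == "login" and ev.get("status") == "success":
        return "login"
    if ev.get("action") == "backup" or "backup" in ev.get("logdesc", "").lower():
        return "config_download"
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        return "admin_create"
    return None


def detect(lines, window_seconds=60):
    """Run the three rules over raw log lines and return a list of alert dicts."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for ev in events:
        kind = classify(ev)
        user, ip = ev.get("user", ""), ev.get("srcip", "")
        # Rule 1: a successful login by a known-malicious account or from a known-malicious IP.
        if kind == "login" and (user in IOC_ACCOUNTS or ip in IOC_IPS):
            alerts.append({"rule": "ioc_login", "user": user, "srcip": ip, "ts": ev["ts"]})
        # Rule 2: creation of one of the persistence account names, whoever created it.
        if kind == "admin_create" and ev.get("cfgobj") in PERSISTENCE_ACCOUNTS:
            alerts.append({"rule": "persistence_account", "user": user, "srcip": ip,
                           "target": ev["cfgobj"], "ts": ev["ts"]})
    # Rule 3 (behavioural, IOC-independent): any login followed within the window by a
    # configuration download from the same source IP. Legitimate backups normally happen
    # much later than the login, so a tight window separates automation from admin work.
    for lg in (e for e in events if classify(e) == "login"):
        deadline = lg["ts"] + timedelta(seconds=window_seconds)
        followed = any(classify(e) == "config_download"
                       and e.get("srcip") == lg.get("srcip")
                       and lg["ts"] < e["ts"] <= deadline
                       for e in events)
        if followed:
            alerts.append({"rule": "rapid_config_download", "user": lg.get("user", ""),
                           "srcip": lg.get("srcip", ""), "ts": lg["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["rule"], a["user"], a["srcip"], a["ts"].isoformat(), a.get("target", ""))
```

Against the sample lines the legitimate `admin` session produces nothing (its backup is 30 minutes after login), while the SSO session produces one alert per rule. In a real deployment feed the script from syslog or FortiAnalyzer exports, treat rule 3 as the durable signal, and re-check the IOC lists as the advisory is updated.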
Arctic Wolf continues monitoring this activity and will provide updates as additional technical details emerge.
The post FortiGate Firewalls Targeted in Automated Attacks to Harvest Configuration Data appeared first on Cyber Security News.
