FortiGate Firewall Compromise via SSO Abuse


In January 2026, Arctic Wolf Labs identified an active malicious campaign targeting Fortinet FortiGate devices, where threat actors abused SSO-based administrative access to perform unauthorized firewall configuration changes. The activity involves automated logins, configuration exfiltration, and persistence mechanisms, and is likely linked to previously disclosed critical Fortinet SSO authentication bypass vulnerabilities.

Severity: High

Campaign Background And Timeline

  • Arctic Wolf began observing this malicious activity on January 15, 2026, and publicly disclosed findings on January 21, 2026.
  • The campaign represents a new cluster of automated attacks focused on FortiGate firewall appliances.
  • While the exact initial access mechanism has not been fully confirmed, Arctic Wolf notes strong similarities to a December 2025 campaign that exploited Fortinet SSO functionality.

Initial Access And Exploitation

  • Malicious actors authenticate via FortiCloud SSO, abusing previously disclosed authentication bypass vulnerabilities – CVE-2025-59718 and CVE-2025-59719.
  • These flaws allow unauthenticated SSO authentication bypass using crafted SAML messages when FortiCloud SSO is enabled.

Observed Attacker Behavior

Once access is gained, the threat activity follows a rapid and automated sequence:

  1. Successful SSO login to FortiGate devices using accounts such as cloud-init@mail.io
  2. Immediate export and exfiltration of firewall configuration files via the GUI
  3. Creation of additional administrative accounts for persistence, often within seconds of the initial login

The speed and consistency of these actions strongly suggest automation rather than manual intrusion.

Persistence And Impact

  • Attackers create multiple generic administrator accounts (e.g., secadmin, itadmin, support, backup, remoteadmin, audit) to maintain long-term access.
  • The exfiltrated configuration files may contain hashed credentials, which can later be cracked offline, increasing the risk of credential reuse and reinfection, even after patching.
  • This activity poses a significant risk because FortiGate devices are perimeter security controls, and compromise can enable broader network access, VPN abuse, or follow-on attacks.

Recommendations

  1. Temporarily disable the FortiCloud SSO login feature to reduce exposure to SSO-based abuse until Fortinet provides updated, complete remediation guidance. To turn off FortiCloud login, go to System -> Settings and switch “Allow administrative login using FortiCloud SSO” to Off.
  2. If any indicators of this activity are detected, assume firewall credentials are compromised due to configuration exfiltration and reset all administrative and VPN credentials, including service and generic accounts.
  3. Ensure all FortiGate devices are running the latest FortiOS versions.
  4. Limit access to FortiGate management interfaces (HTTPS/SSH/GUI) to trusted internal IP ranges or management networks only, and block internet-exposed administrative access wherever possible.
  5. Review FortiGate admin account lists for unexpected or generic accounts (e.g., secadmin, support, backup, audit) and remove any unauthorized accounts immediately.
  6. Assume compromise for any internet-exposed vulnerable Telnet service and initiate incident response.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/1d07b33fb994f3ab7c3880fb012d4e044fe4a98f055dbc5e9da3b23c018713e9/iocs
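The login, configuration export, add-admin chain described under Observed Attacker Behavior, and the admin-account review in Recommendation 5, can both be checked mechanically. The following script is an added example; it is not from the advisory or from Arctic Wolf. The log lines are constructed and only loosely modelled on the FortiOS key=value event-log syntax, so every field name and value (action, cfgpath, cfgobj, method, ui) is an assumption rather than a captured log, and KNOWN_ADMINS stands in for an organisation's own admin inventory.

```python
import re
from datetime import datetime, timedelta

# Generic persistence account names listed in the advisory.
GENERIC_ADMIN_NAMES = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
# Admin accounts the organisation actually provisioned (assumption: fill from your inventory).
KNOWN_ADMINS = {"admin", "netops-jane"}
# Constructed snapshot of the device's current admin list, as one would gather before a review.
CURRENT_ADMINS = ["admin", "netops-jane", "secadmin", "backup", "netops-bob"]

# Constructed sample events, loosely modelled on FortiOS key=value syslog.
# Field names are assumptions, not a real FortiOS schema.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:01 type="event" subtype="system" action="login" status="success" user="cloud-init@mail.io" ui="https(198.51.100.7)" method="sso" msg="Administrator cloud-init@mail.io logged in successfully"
date=2026-01-15 time=03:12:03 type="event" subtype="system" action="download" user="cloud-init@mail.io" ui="https(198.51.100.7)" msg="User cloud-init@mail.io downloaded the configuration file"
date=2026-01-15 time=03:12:05 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="secadmin" user="cloud-init@mail.io" ui="https(198.51.100.7)" msg="Add system.admin secadmin"
date=2026-01-15 time=03:12:06 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="backup" user="cloud-init@mail.io" ui="https(198.51.100.7)" msg="Add system.admin backup"
date=2026-01-15 time=09:40:10 type="event" subtype="system" action="login" status="success" user="netops-jane" ui="https(10.20.0.5)" method="local" msg="Administrator netops-jane logged in successfully"
date=2026-01-15 time=11:05:44 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="netops-bob" user="netops-jane" ui="https(10.20.0.5)" msg="Add system.admin netops-bob"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime under '_ts'."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    fields["_ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize_sessions(events, window=timedelta(seconds=60)):
    """For each successful admin login, collect what the same user did from the
    same source within `window`: a configuration export and/or new admin accounts.
    A session showing the full login -> export -> add-admin chain is flagged."""
    sessions = []
    logins = (e for e in events if e.get("action") == "login" and e.get("status") == "success")
    for login in logins:
        s = {
            "user": login["user"],
            "source": login.get("ui"),
            "sso": login.get("method") == "sso",
            "exported_config": False,
            "admins_created": [],
        }
        for e in events:
            if e.get("user") != login["user"] or e.get("ui") != login.get("ui"):
                continue
            delta = e["_ts"] - login["_ts"]
            if not (timedelta(0) < delta <= window):
                continue
            if e.get("action") == "download":
                s["exported_config"] = True
            elif e.get("action") == "Add" and e.get("cfgpath") == "system.admin":
                s["admins_created"].append(e["cfgobj"])
        s["matches_campaign_chain"] = s["exported_config"] and bool(s["admins_created"])
        sessions.append(s)
    return sessions


def review_admin_list(admin_names, known=KNOWN_ADMINS):
    """Return {account: [reasons]} for admins that are not in the inventory or
    that carry one of the generic names observed in the campaign."""
    flagged = {}
    for name in admin_names:
        reasons = []
        if name.lower() in GENERIC_ADMIN_NAMES:
            reasons.append("generic name seen in campaign")
        if name not in known:
            reasons.append("not in admin inventory")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for s in summarize_sessions(parse_logs(SAMPLE_LOGS)):
        tag = "ALERT" if s["matches_campaign_chain"] else "ok   "
        print(f"{tag} {s['user']} from {s['source']} sso={s['sso']} "
              f"export={s['exported_config']} admins_created={s['admins_created']}")
    for name, reasons in review_admin_list(CURRENT_ADMINS).items():
        print(f"REVIEW admin '{name}': {'; '.join(reasons)}")
```

The 60-second window is deliberately tight because the advisory stresses that account creation followed login within seconds; widen it for slower manual intrusions, and treat a session that matches the chain as a trigger for the credential reset in Recommendation 2 rather than as a finding to be triaged at leisure.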

Source:

  • https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
