Arctic Wolf has observed a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices.

ArcticWolf's platform is a central hub for cybersecurity professionals, offering insights into managed detection and response (MDR), threat intelligence, and security operations. Through articles, reports, and webinars, ArcticWolf offers insights into detecting and responding to cybersecurity threats effectively. Security analysts can learn about threat hunting, incident response strategies, and security best practices to protect organizations from cyberattacks.

Arctic Wolf

Arctic Wolf detected a new automated attack campaign targeting Fortinet FortiGate devices starting January 15, 2026. Attackers exploited SSO accounts to make unauthorized firewall configuration changes, create persistence accounts, grant VPN access, and exfiltrate configurations. The activity resembles a previous December 2025 campaign involving SSO authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). Malicious logins originated from specific hosting providers, targeted the cloud-init@mail.io account, and executed within seconds suggesting automation. Recommendations include monitoring Fortinet updates, resetting credentials if affected, restricting management interface access, and potentially disabling FortiCloud SSO as a workaround.

Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts