
Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Medium
Exploit
Published: Thu Jan 22 2026 (01/22/2026, 05:55:00 UTC)
Source: The Hacker News

Description

Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from

AI-Powered Analysis

Last updated: 01/22/2026, 21:47:16 UTC

Technical Analysis

In January 2026, cybersecurity firm Arctic Wolf identified a cluster of automated malicious activity targeting Fortinet FortiGate devices by exploiting vulnerabilities in the FortiCloud Single Sign-On (SSO) feature. The attackers exploit CVE-2025-59718 and CVE-2025-59719, which allow an unauthenticated bypass of SSO login authentication via crafted SAML messages when FortiCloud SSO is enabled. These vulnerabilities affect multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. The attackers perform unauthorized SSO logins to the admin account from various IP addresses and then export the firewall configuration file through the GUI to those same IPs. They create multiple generic accounts such as "secadmin," "itadmin," and "remoteadmin" to maintain persistence, and modify the firewall configuration to grant VPN access to these accounts. The rapid sequence of these actions suggests automation. The campaign is reminiscent of a December 2025 attack but appears more automated and widespread. Despite patches, users report that the vulnerability may persist in FortiOS 7.4.10, indicating incomplete remediation. The attack compromises firewall integrity, enabling attackers to manipulate security policies, exfiltrate sensitive configurations, and maintain long-term access. Fortinet recommends disabling the "admin-forticloud-sso-login" setting as an interim mitigation. The threat underscores the risk that SSO vulnerabilities pose to critical network infrastructure and the importance of vigilant patch management and configuration controls.

Potential Impact

European organizations relying on Fortinet FortiGate and related products with FortiCloud SSO enabled face significant risks. Unauthorized access to firewall admin accounts allows attackers to alter firewall rules, potentially disabling security controls or creating backdoors for further intrusion. The exfiltration of firewall configurations can reveal sensitive network topology and security posture, aiding further attacks or espionage. Persistence through created generic accounts increases the difficulty of detection and remediation. VPN access granted to malicious accounts can facilitate lateral movement into corporate networks, risking data breaches and operational disruption. Given Fortinet's widespread use in Europe across sectors such as finance, government, healthcare, and critical infrastructure, the threat could lead to large-scale compromise of network defenses, data loss, and regulatory non-compliance under GDPR. The automation and speed of the attack increase the likelihood of rapid spread before detection. Organizations may face operational downtime, reputational damage, and financial losses due to remediation costs and potential regulatory fines.

Mitigation Recommendations

1. Immediately disable the "admin-forticloud-sso-login" setting on all Fortinet devices where FortiCloud SSO is enabled to prevent exploitation.
2. Conduct a thorough audit of all firewall admin accounts and remove any unauthorized or suspicious accounts such as "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit."
3. Review and restore firewall configurations from known good backups to eliminate unauthorized changes.
4. Monitor firewall logs for unusual SSO login attempts, especially from the identified IP addresses (104.28.244.115, 104.28.212.114, 217.119.139.50, 37.1.209.19) and other anomalous sources.
5. Apply the latest Fortinet patches and firmware updates as soon as they are confirmed to fully address CVE-2025-59718 and CVE-2025-59719, verifying patch effectiveness through testing.
6. Implement network segmentation and strict access controls to limit VPN and administrative access.
7. Employ multi-factor authentication (MFA) for all administrative access to Fortinet devices to reduce the risk of credential misuse.
8. Use intrusion detection and prevention systems (IDPS) to detect abnormal configuration changes or data exfiltration attempts.
9. Educate security teams on this threat to ensure rapid incident response and forensic analysis if compromise is suspected.
10. Engage with Fortinet support and threat intelligence sources for updates and guidance.
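The following script is an added example, not code from the article, Arctic Wolf, or Fortinet. It ties together the attack chain in the Technical Analysis and mitigation steps 1, 2 and 4: it checks a FortiGate configuration backup for the "admin-forticloud-sso-login" setting and for the generic admin names listed above, and it scans FortiGate-style event-log lines for SSO admin logins from the listed IP addresses and for creation of those accounts. The config layout and the log field names (`srcip`, `method`, `cfgpath`, `cfgobj`, and so on) are approximations of FortiOS' key=value conventions and the sample data is constructed, so adjust the field names to what your own devices emit.

```python
"""Added example (not from the article or from Arctic Wolf/Fortinet): audit a
FortiGate configuration backup and FortiGate event-log lines for the
indicators listed in the mitigation section. Config layout and log field
names are approximated from FortiOS' key=value style; treat them as assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# IP addresses named in the advisory's mitigation section.
SUSPICIOUS_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
# Generic admin account names named in the advisory's mitigation section.
SUSPICIOUS_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# Constructed sample of a FortiGate config backup (layout approximated).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "secadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Constructed sample event-log lines (field names follow FortiGate's
# key=value convention; values are assumptions, not captured data).
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:07 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=104.28.244.115 '
    'method="sso" action="login" status="success"',
    'date=2026-01-15 time=03:12:09 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" srcip=104.28.244.115 '
    'cfgpath="system.admin" cfgobj="secadmin" action="Add"',
    'date=2026-01-15 time=09:40:11 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=10.20.30.40 '
    'method="https" action="login" status="success"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; values may be quoted or bare."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def _section_lines(config_text: str, header: str) -> List[str]:
    """Return the stripped lines inside one top-level 'config ...' block."""
    inside, out = False, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == header:
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            out.append(line)
    return out


def forticloud_sso_login_enabled(config_text: str) -> Optional[bool]:
    """True/False if admin-forticloud-sso-login is set explicitly under
    'config system global'; None if absent (the device default then applies,
    which this script deliberately does not assume)."""
    for line in _section_lines(config_text, "config system global"):
        if line.startswith("set admin-forticloud-sso-login "):
            return line.split()[-1] == "enable"
    return None


def suspicious_admins(config_text: str) -> List[str]:
    """Admin names under 'config system admin' that match the generic names."""
    names = []
    for line in _section_lines(config_text, "config system admin"):
        if line.startswith('edit "') and line.endswith('"'):
            name = line[6:-1]
            if name.lower() in SUSPICIOUS_ADMINS:
                names.append(name)
    return names


def flag_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) for log lines matching the advisory's indicators."""
    alerts = []
    for line in lines:
        f = parse_log(line)
        when = f"{f.get('date')} {f.get('time')}"
        if f.get("action") == "login" and f.get("method") == "sso":
            if f.get("srcip") in SUSPICIOUS_IPS:
                alerts.append(("high", f"{when} SSO admin login from listed IP {f['srcip']}"))
            else:
                alerts.append(("review", f"{when} SSO admin login from {f.get('srcip')}"))
        elif f.get("cfgpath") == "system.admin" and f.get("cfgobj", "").lower() in SUSPICIOUS_ADMINS:
            alerts.append(("high", f"{when} admin object {f['cfgobj']!r} changed by "
                                   f"{f.get('user')} from {f.get('srcip')}"))
    return alerts


if __name__ == "__main__":
    print("admin-forticloud-sso-login enabled:", forticloud_sso_login_enabled(SAMPLE_CONFIG))
    print("generic admin accounts present:", suspicious_admins(SAMPLE_CONFIG))
    for severity, reason in flag_logs(SAMPLE_LOGS):
        print(severity, reason)
```

Every SSO admin login is reported, not only those from the four listed addresses, because the advisory asks for monitoring of "other anomalous sources" as well; the listed IPs are simply raised to high severity. A `None` result from the config check means the setting is not written explicitly in the backup, so the device default is in force and should be confirmed on the appliance itself rather than assumed.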


Technical Details

Article source: https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html (fetched 2026-01-22T21:44:40.883Z, 878 words)

Threat ID: 69729a4b4623b1157c9181a4

Added to database: 1/22/2026, 9:44:43 PM

Last enriched: 1/22/2026, 9:47:16 PM

Last updated: 2/5/2026, 12:51:37 PM

