Automated Attacks Target FortiGate Devices via FortiCloud SSO Vulnerabilities
#Vulnerabilities

Automated Attacks Target FortiGate Devices via FortiCloud SSO Vulnerabilities

Security Reporter
2 min read

New automated attacks exploit unpatched FortiCloud SSO vulnerabilities to bypass authentication and alter firewall configurations, creating backdoor accounts.

Featured image

Security researchers at Arctic Wolf have identified a new wave of automated attacks targeting Fortinet FortiGate devices by exploiting vulnerabilities in the FortiCloud single sign-on (SSO) system. This coordinated campaign, active since January 15, 2026, allows attackers to bypass authentication and modify firewall configurations - a critical threat to network security.

The Attack Pattern

Attackers are exploiting two known vulnerabilities (CVE-2025-59718 and CVE-2025-59719) that enable unauthenticated SSO bypass through crafted SAML messages. When FortiCloud SSO is enabled, these flaws allow attackers to:

  1. Authenticate as admin via malicious SSO logins
  2. Export firewall configuration files
  3. Create persistent backdoor accounts

"This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations," Arctic Wolf's threat intelligence team reported. The attacks originate from four IP addresses:

  • 104.28.244[.]115
  • 104.28.212[.]114
  • 217.119.139[.]50
  • 37.1.209[.]19

Automated Threat Patterns

The speed of these intrusions suggests automation, with all malicious actions occurring within seconds. Attackers consistently create secondary administrator accounts using names like:

  • secadmin
  • itadmin
  • support
  • remoteadmin

These accounts provide persistent access even if initial entry points are closed.

Patch Status Concerns

Despite Fortinet's previous patches, multiple users on Reddit report fully-patched FortiOS 7.4.10 systems remain vulnerable. One user stated: "Fortinet developer team has confirmed the vulnerability persists." The continued exploitation suggests either incomplete patches or new attack vectors.

Mitigation Steps

  1. Immediately disable the admin-forticloud-sso-login setting
  2. Audit all administrative accounts for unfamiliar entries
  3. Monitor logs for configuration export events
  4. Block traffic from the identified malicious IPs
  5. Implement multi-factor authentication for all admin accounts

Fortinet hasn't yet issued an official statement regarding these new attacks. Organizations using FortiOS, FortiWeb, FortiProxy, or FortiSwitchManager should treat this as an active threat requiring immediate action.

#FortiGate#FortiCloud#SSO#CVE#backdoor

Comments

Loading comments...
Back to Home