Arctic Wolf warns of a new cluster of automated malicious activity beginning January 15, 2026, that involves unauthorized configuration changes on Fortinet FortiGate devices. Threat actors exploited CVE-2025-59718 and CVE-2025-59719 to bypass FortiCloud SSO, create persistent admin accounts, export firewall configurations, and grant VPN access; operators are advised to disable admin-forticloud-sso-login. #FortiGate #CVE-2025-59718
Key points
- Activity began on January 15, 2026, and mirrors a December 2025 campaign targeting FortiGate SSO.
- Attackers exploited CVE-2025-59718 and CVE-2025-59719 to bypass SSO authentication via crafted SAML messages.
- Malicious logins from multiple IPs used the account [email protected] to export firewall configurations via the GUI.
- Secondary accounts such as secadmin, itadmin, support, backup, remoteadmin, and audit were created for persistence.
- All actions occurred within seconds of each other, indicating automation; operators should disable admin-forticloud-sso-login and review device logs for the source IPs listed in the Arctic Wolf advisory.
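The timing pattern above (an SSO admin login followed within seconds by a configuration export and creation of a persistence account) can be hunted for in exported FortiGate event logs. The following is an added detection example, not code from Arctic Wolf or Fortinet; the key=value record layout, field names and sample lines are constructed for illustration and are not genuine FortiOS log output.

```python
import re
from datetime import datetime, timedelta

# Persistence account names reported in the campaign summary above.
WATCHLIST = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# Constructed sample records in a simplified key=value layout (an assumption
# for illustration, not real FortiOS logs); IPs are documentation ranges.
SAMPLE_LOGS = [
    "ts=2026-01-15T03:12:01Z action=login method=forticloud-sso user=admin srcip=203.0.113.10",
    "ts=2026-01-15T03:12:03Z action=config-backup user=admin srcip=203.0.113.10",
    "ts=2026-01-15T03:12:04Z action=admin-add user=admin newadmin=secadmin srcip=203.0.113.10",
    "ts=2026-01-15T09:40:00Z action=login method=local user=admin srcip=198.51.100.5",
    "ts=2026-01-15T10:15:00Z action=config-backup user=admin srcip=198.51.100.5",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value record into a dict and parse its timestamp."""
    rec = dict(KV.findall(line))
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_suspicious_sessions(lines, window_seconds=60):
    """One finding per FortiCloud SSO login that is followed, from the same
    source IP and inside the window, by a config export or admin creation."""
    events = sorted(map(parse_line, lines), key=lambda r: r["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev.get("action") != "login" or ev.get("method") != "forticloud-sso":
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        actions, accounts = [], []
        for follow in events[i + 1:]:
            if follow["ts"] > deadline:
                break  # events are sorted, so nothing later can qualify
            if follow.get("srcip") != ev.get("srcip"):
                continue
            if follow.get("action") == "config-backup":
                actions.append("config-export")
            elif follow.get("action") == "admin-add":
                actions.append("admin-create")
                if follow.get("newadmin") in WATCHLIST:
                    accounts.append(follow["newadmin"])
        if actions:
            findings.append({"srcip": ev["srcip"], "login_ts": ev["ts"].isoformat(),
                             "actions": actions, "watchlist_accounts": accounts})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOGS):
        print(finding)
```

The local login at 09:40 followed by a backup 35 minutes later is not flagged, which is the point of the short window: only the burst pattern is surfaced.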
Read More: https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html