A critical alert for FortiGate users: a new automated attack is exploiting FortiCloud's SSO feature, and it's time to take action!
Arctic Wolf, a trusted cybersecurity firm, has uncovered a cluster of malicious activities targeting Fortinet's FortiGate devices. Starting on January 15, 2026, these attacks involve unauthorized changes to firewall configurations, putting network security at risk.
But here's where it gets controversial: this isn't the first time FortiGate has faced such threats. A similar campaign in December 2025 exploited two vulnerabilities (CVE-2025-59718 and CVE-2025-59719) to bypass SSO login authentication, affecting several Fortinet products, including FortiOS and FortiWeb.
The current attack leverages the same vulnerabilities, allowing threat actors to create generic accounts, grant VPN access, and exfiltrate firewall configurations. Specifically, malicious SSO logins are being made from four unique IP addresses to a suspicious account, "cloud-init@mail.io."
And this is the part most people miss: the speed at which these events occur suggests automation. Arctic Wolf reports that all the above activities happened within seconds, indicating a well-coordinated and potentially automated attack.
Furthermore, threat actors are creating secondary accounts like "secadmin" and "itadmin" for persistence, ensuring their access remains uninterrupted.
The disclosure of this attack coincides with user reports on Reddit, where multiple individuals have witnessed malicious SSO logins on fully patched FortiOS devices. One user even claims that the Fortinet developer team acknowledges the vulnerability's persistence in version 7.4.10.
To mitigate this threat, it's recommended to disable the FortiOS "admin-forticloud-sso-login" setting, which turns off FortiCloud SSO logins for administrator accounts.
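Alongside disabling the setting, defenders can hunt for the pattern described above in FortiGate event logs: an SSO login by an unrecognised user followed within seconds by admin-account creation or VPN changes. The following is an added example, not code from the article or from Fortinet; the key=value log lines are constructed to resemble FortiOS syslog output, and the field names and the `KNOWN_ADMINS` allowlist are assumptions.

```python
import re
from datetime import datetime

# Constructed FortiOS-style key=value event lines (not real telemetry);
# the field layout is assumed to resemble FortiGate syslog output.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:01 type="event" subtype="system" action="login" '
    'status="success" user="cloud-init@mail.io" ui="sso(203.0.113.10)" '
    'msg="Administrator cloud-init@mail.io logged in successfully from sso(203.0.113.10)"',
    'date=2026-01-15 time=03:12:03 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="secadmin" user="cloud-init@mail.io" '
    'ui="sso(203.0.113.10)" msg="Add system.admin secadmin"',
    'date=2026-01-15 time=03:12:04 type="event" subtype="system" action="Edit" '
    'cfgpath="vpn.ssl.settings" user="cloud-init@mail.io" ui="sso(203.0.113.10)" '
    'msg="Edit vpn.ssl.settings"',
    'date=2026-01-15 time=09:00:00 type="event" subtype="system" action="login" '
    'status="success" user="admin" ui="https(192.0.2.5)" '
    'msg="Administrator admin logged in successfully from https(192.0.2.5)"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KNOWN_ADMINS = {"admin"}  # assumption: the locally provisioned admin accounts

def parse(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_suspicious_sso(lines, window_s=10):
    """Flag SSO logins by users outside KNOWN_ADMINS, and any admin-account or
    VPN config change the same user makes within window_s seconds of that login
    (the seconds-apart sequence that suggests automation)."""
    events = [parse(l) for l in lines]
    for e in events:
        e["ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
    findings = []
    for e in events:
        if e.get("action") == "login" and e["ui"].startswith("sso") and e["user"] not in KNOWN_ADMINS:
            findings.append(("unknown_sso_login", e["user"], e["ui"]))
            for f in events:
                if (f["user"] == e["user"] and f.get("action") in {"Add", "Edit"}
                        and 0 <= (f["ts"] - e["ts"]).total_seconds() <= window_s
                        and f.get("cfgpath", "").startswith(("system.admin", "vpn."))):
                    findings.append(("fast_config_change", f["cfgpath"], f.get("cfgobj", "")))
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_sso(SAMPLE_LOGS):
        print(hit)
```

The routine admin login over HTTPS in the sample is not flagged; only the SSO login by the unknown account and the two changes that follow it within the window are reported.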
Have you experienced any suspicious activity on your FortiGate devices? Share your thoughts and experiences in the comments below. We'd love to hear from the community and discuss potential solutions to keep our networks secure.