Summary
A newly identified cluster of automated malicious activity is targeting Fortinet FortiGate appliances by exploiting an unauthenticated Single Sign-On (SSO) bypass, according to new intelligence from Arctic Wolf. Commencing in January 2026, threat actors have successfully compromised devices even after the application of patches for CVE-2025-59718 and CVE-2025-59719, indicating a new attack path or incomplete remediation. The automated campaign involves rapid account creation, unauthorized VPN configuration changes, and the exfiltration of sensitive firewall configuration files. As of 22 January 2026, Fortinet has officially confirmed that it is working to completely mitigate CVE-2025-59718 and CVE-2025-59719 following multiple reports of exploitation across multiple configurations.
Sector Impact
Retail and hospitality organizations relying on FortiGate devices for secure point-of-sale (POS) connectivity and guest network segmentation face immediate risks of network-wide compromise and data exfiltration. As such, RH-ISAC Core Members should review the intelligence in this alert and ingest the Indicators of Compromise provided by Arctic Wolf, listed below.
Analysis
The exploitation cycle leverages crafted SAML messages to bypass authentication protocols when FortiCloud SSO is enabled, granting attackers immediate administrative control. This automated sequence executes within seconds, beginning with a malicious login, often using the account cloud-init@mail[.]io, followed by the export of the device’s configuration via the GUI to remote attacker-controlled IP addresses. To maintain long-term access, the actors programmatically create a suite of secondary persistent accounts with names like “secadmin,” “itadmin,” and “backup,” and modify firewall policies to grant these accounts persistent VPN access.
Recent telemetry confirms that the vulnerability remains viable on versions such as 7.4.10, suggesting the previous patches are insufficient against the current SAML manipulation techniques. The exfiltrated configuration files give the attackers clear visibility into internal network topologies, pre-shared keys, and access control lists, facilitating deeper lateral movement. While current observations focus on the FortiCloud SSO implementation, the underlying flaw could potentially extend to all SAML SSO configurations on impacted FortiOS and FortiWeb systems. RH-ISAC Core Members are encouraged to immediately apply local-in policies that restrict administrative access from the internet and to disable the “admin-forticloud-sso-login” setting entirely.
Indicators of Compromise
Arctic Wolf observed four IP addresses and two email addresses associated with the current Fortinet campaign, listed below:
- 04.28.244[.]115
- 104.28.212[.]114
- 217.119.139[.]50
- 37.1.209[.]19
- cloud-init@mail[.]io
- cloud-noc@mail[.]io
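The following detection script is an added example written for this alert; it is not code from Arctic Wolf, RH-ISAC, or Fortinet. It matches the indicators above against firewall event logs and, because the analysis describes a login, a configuration export, and the creation of persistence accounts occurring within seconds, it also correlates those three stages per source IP inside a short time window. The log lines are constructed for the example, and the field names (ts, action, status, srcip, user, cfgpath, cfgobj) only approximate FortiOS key=value syslog; a real deployment would map them to the actual event fields emitted by the device.

```python
"""Added example: indicator matching and chain correlation for the FortiGate SSO-bypass campaign.
The log format and its field names are assumptions, not Fortinet's exact schema."""
import re
from collections import defaultdict

# Indicators of compromise exactly as listed in the alert (defanged)
IOC_IPS = {"04.28.244[.]115", "104.28.212[.]114", "217.119.139[.]50", "37.1.209[.]19"}
IOC_ACCOUNTS = {"cloud-init@mail[.]io", "cloud-noc@mail[.]io"}
# Persistence account names reported in the analysis section
PERSISTENCE_NAMES = {"secadmin", "itadmin", "backup"}
CHAIN_WINDOW_SECS = 60  # assumed window for the login -> export -> add-admin chain


def refang(value):
    """Turn a defanged indicator ('1.2.3[.]4') back into a literal usable for matching."""
    return value.replace("[.]", ".")


IOC_IP_SET = {refang(ip) for ip in IOC_IPS}
IOC_ACCOUNT_SET = {refang(acct) for acct in IOC_ACCOUNTS}

# key=value pairs; quoted values may contain spaces, unquoted ones may not
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def score_event(rec):
    """Return the list of indicator tags matched by a single parsed event."""
    hits = []
    if rec.get("srcip") in IOC_IP_SET:
        hits.append("srcip-ioc")
    if rec.get("user") in IOC_ACCOUNT_SET:
        hits.append("account-ioc")
    if rec.get("action") == "config-export":  # assumed action name for a GUI config backup
        hits.append("config-export")
    if rec.get("action") == "add" and rec.get("cfgpath") == "system.admin":
        if rec.get("cfgobj") in PERSISTENCE_NAMES:
            hits.append("persistence-admin")
    return hits


def detect_chains(lines):
    """Correlate events per source IP: a successful login followed, inside the window,
    by both a configuration export and the creation of a known persistence admin."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_kv(line)
        rec["_hits"] = score_event(rec)
        rec["_ts"] = int(rec.get("ts", "0"))
        by_src[rec.get("srcip")].append(rec)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda r: r["_ts"])
        logins = [e for e in events if e.get("action") == "login" and e.get("status") == "success"]
        for login in logins:
            start = login["_ts"]
            window = [e for e in events if start <= e["_ts"] <= start + CHAIN_WINDOW_SECS]
            stages = {tag for e in window for tag in e["_hits"]}
            if {"config-export", "persistence-admin"} <= stages:
                alerts.append({"srcip": src, "user": login.get("user"),
                               "start": start, "stages": sorted(stages)})
    return alerts


# Constructed sample log lines: an automated compromise chain from a listed IP,
# followed by a legitimate local admin taking a backup from the internal network.
SAMPLE_LOGS = [
    'ts=1768900000 type=event action=login status=success user="cloud-init@mail.io" srcip=217.119.139.50 method=sso',
    'ts=1768900004 type=event action=config-export status=success user="cloud-init@mail.io" srcip=217.119.139.50',
    'ts=1768900009 type=event action=add cfgpath=system.admin cfgobj=secadmin user="cloud-init@mail.io" srcip=217.119.139.50',
    'ts=1768900011 type=event action=add cfgpath=system.admin cfgobj=itadmin user="cloud-init@mail.io" srcip=217.119.139.50',
    'ts=1768903600 type=event action=login status=success user="netops" srcip=10.0.5.20 method=local',
    'ts=1768903700 type=event action=config-export status=success user="netops" srcip=10.0.5.20',
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_LOGS):
        print(f"ALERT chain from {alert['srcip']} as {alert['user']} at {alert['start']}: {alert['stages']}")
```

The legitimate backup at the end of the sample set produces no alert: it comes from an internal address, uses a local account, and is not followed by persistence account creation, which is the point of correlating the stages rather than alerting on every configuration export.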