Imagine waking up to find that your firewall configuration has been silently altered by an automated attack. For some Fortinet FortiGate users, that is now reality. Cybersecurity firm Arctic Wolf has uncovered a campaign that abuses FortiCloud's Single Sign-On (SSO) feature to make unauthorized changes to firewall configurations, leaving networks exposed. This isn't the first time FortiGate devices have been targeted: a similar wave of attacks in December 2025 leveraged vulnerabilities CVE-2025-59718 and CVE-2025-59719 to bypass SSO authentication. Those flaws, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, allow attackers to slip past authentication with crafted SAML messages when SSO is enabled.
And this is the part most people miss: the attackers aren't just altering configurations. They are also creating backdoor administrator accounts such as 'cloud-init@mail.io', plus secondary accounts such as 'secadmin' and 'remoteadmin', to ensure long-term access. These changes are executed within seconds of login, which strongly suggests automation. Arctic Wolf identified four IP addresses linked to the malicious activity:
- 104.28.244[.]115
- 104.28.212[.]114
- 217.119.139[.]50
- 37.1.209[.]19
These IPs were used to export firewall configurations through the web GUI, raising questions about how much data was taken. Here's the controversial part: despite Fortinet releasing patches, Reddit users claim the vulnerability persists in version 7.4.10, sparking debate about the effectiveness of those fixes. Fortinet has yet to comment, but in the meantime experts advise disabling the 'admin-forticloud-sso-login' setting as a precautionary measure.
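To turn the indicators above into something a defender can actually run, here is an added example (not code from the article, Arctic Wolf, or Fortinet) that scans FortiGate event logs for the four reported IPs and the backdoor account names, and inspects an exported FortiOS configuration for the 'admin-forticloud-sso-login' setting. It assumes the usual FortiGate key=value log format and assumes the setting lives under `config system global`; the log lines and configuration fragments below are constructed for the example, not real telemetry. The log parser is generic, so it works on any key=value event export, not only the constructed lines shown.

```python
"""Hunt for the FortiCloud SSO abuse indicators in FortiGate logs and config.

Added example, not code from the article or from Arctic Wolf/Fortinet.
Assumptions: logs are FortiGate-style key=value lines (srcip=, user=,
cfgpath=, ...) and 'admin-forticloud-sso-login' sits under
'config system global'. All sample data below is constructed.
"""
import re
from typing import Dict, List, Optional

# Indicators named in the article (the IPs are shown defanged there as "[.]").
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
BACKDOOR_ACCOUNTS = {"cloud-init@mail.io", "secadmin", "remoteadmin"}

# Constructed sample event log: two attacker actions, one benign login, one export.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="https(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success" msg="Administrator cloud-init@mail.io logged in from https(104.28.244.115)"
date=2026-01-12 time=03:14:09 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="GUI(104.28.244.115)" srcip=104.28.244.115 action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"
date=2026-01-12 time=09:02:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.5.20)" method="local" srcip=10.0.5.20 action="login" status="success" msg="Administrator admin logged in from https(10.0.5.20)"
date=2026-01-12 time=09:40:12 type="event" subtype="system" logdesc="Config export" user="admin" ui="GUI(37.1.209.19)" srcip=37.1.209.19 action="export" msg="Configuration exported via GUI"
"""

# Constructed FortiOS config fragments: the weak setting beside the hardened one.
VULNERABLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE"
    set admin-forticloud-sso-login enable
end
"""
HARDENED_CONFIG = """\
config system global
    set hostname "FGT-EDGE"
    set admin-forticloud-sso-login disable
end
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_suspicious_events(log_text: str) -> List[Dict[str, object]]:
    """Return events that touch a reported IP or backdoor account, with reasons."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_kv(raw)
        reasons = []
        if ev.get("srcip") in IOC_IPS:
            reasons.append(f"source {ev['srcip']} is a reported attacker IP")
        if ev.get("user") in BACKDOOR_ACCOUNTS:
            reasons.append(f"account {ev['user']} matches a reported backdoor name")
        if ev.get("cfgpath") == "system.admin" and ev.get("cfgobj") in BACKDOOR_ACCOUNTS:
            reasons.append(f"admin object {ev['cfgobj']} was added or edited")
        if reasons:
            hits.append({"time": f"{ev.get('date', '?')} {ev.get('time', '?')}",
                         "user": ev.get("user"), "srcip": ev.get("srcip"),
                         "reasons": reasons})
    return hits


def forticloud_sso_login_state(config_text: str) -> Optional[str]:
    """Return 'enable'/'disable' from 'config system global', or None if not set
    explicitly (treat None as 'verify on the device', not as safe)."""
    in_global = False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config system global":
            in_global = True
        elif in_global and s == "end":
            in_global = False
        elif in_global and s.startswith("set admin-forticloud-sso-login "):
            return s.split()[-1]
    return None


if __name__ == "__main__":
    for hit in find_suspicious_events(SAMPLE_LOGS):
        print(f"{hit['time']} user={hit['user']} srcip={hit['srcip']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label} config: admin-forticloud-sso-login = {forticloud_sso_login_state(cfg)}")
```

Feed the script a real event export and a `show full-configuration` dump to get a quick triage list; a hit on a reported IP or account name means the device needs a full review of its admin accounts and configuration history, not just a setting change.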
This isn't just a technical issue; it's a wake-up call for organizations relying on FortiGate devices. Are current security measures enough to combat evolving threats? Or is this the tip of the iceberg?