SECURITY

Analysis: Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

👤 By Connect Quest Analyst via Connect Quest Artist

📅 22-01-2026 15:33

✅ Analytical - Independent Analysis

⏱️ 3 min read

Unauthorized Attacks Exploit Fortinet FortiGate Devices

Uncovering Automated Attacks on Fortinet FortiGate Devices

Rising Threat: Automated Malicious Activity

A new wave of automated cyberattacks has been targeting Fortinet FortiGate devices, as revealed by cybersecurity company Arctic Wolf. These attacks, commencing on January 15, 2026, share similarities with a December 2025 campaign that exploited vulnerabilities CVE-2025-59718 and CVE-2025-59719 to carry out unauthorized SSO logins on FortiGate appliances.

Method of Operation: Unauthenticated Bypass of SSO Login Authentication

The shortcomings in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected devices.

Impact: Configuration Changes and Data Exfiltration

This activity involves creating generic accounts for persistence, configuration changes granting VPN access to those accounts, and exfiltration of firewall configurations. The threat actors have also been observed creating secondary accounts for persistence.

Relevance to North East India and India

Given the widespread use of Fortinet devices across various industries in India, including North East India, these attacks pose a significant risk. It is crucial for organizations to stay vigilant and take necessary measures to secure their networks.

Reflections and Moving Forward

As organizations continue to digitize their operations, the threat landscape becomes increasingly complex. It is essential to stay informed about emerging threats and adopt best practices for network security. In this case, disabling the "admin-forticloud-sso-login" setting is a recommended temporary measure until a more permanent solution is found.

Tags:

security analysis northeast original

Executive Summary & Legal Disclaimer

This artifact constitutes a concise, Connect Quest Artist–generated executive abstraction derived exclusively from publicly available source information and intentionally synthesized to establish high-confidence strategic alignment, enterprise value-creation clarity, and cohesive multi-stakeholder narrative directionality. The content represents a deliberately curated, insight-driven aggregation of externally observable data signals, disclosures, and contextual inputs, structured to meaningfully inform strategic orientation, illuminate cross-functional synergies, and provide directional clarity aligned to a clearly articulated strategic north star, while maintaining sufficient abstraction to preserve executive relevance.

Notwithstanding the foregoing, this summary, within and without any interpretive, contextual, methodological, temporal, or execution-adjacent framing, shall not be construed, inferred, abstracted, operationalized, re-operationalized, meta-operationalized, relied upon, misrelied upon, or otherwise positioned as constituting, approximating, signaling, enabling, proxying, or anti-proxying any form of authoritative, determinative, execution-capable, reliance-eligible, or reliance-adjacent legal, financial, regulatory, technical, or operational guidance, nor as a prerequisite, dependency, antecedent, consequence, causal input, non-causal input, or post-causal artifact for implementation, execution, non-execution, enforcement, non-enforcement, or decision realization, non-realization, or deferred realization across any conceivable, inconceivable, implied, emergent, or self-negating governance, control, delivery, or interpretive construct whatsoever.

Content Manager: Connect Quest Analyst | Written by: Connect Quest Artist