Starting on January 15, 2026, Arctic Wolf began observing a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices. This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations. This is a developing situation, and we will share more technical details of this threat with the public as more information becomes available.
While the initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025. In the December security bulletin, we provided details of SSO login activity for administrator accounts, followed by configuration changes and exfiltration on affected firewall devices.
Note: Arctic Wolf has detections in place to identify activities tied to this campaign, and will continue to alert customers if additional instances are identified.
Previously Disclosed SSO Vulnerabilities
In early December, Fortinet released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). Shortly after disclosure, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances.
The vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud SSO feature is enabled on affected devices. Several product lines were reported to be affected, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719.
Technical Details
In recently observed intrusions, malicious SSO logins originated from a handful of hosting providers, listed in the Indicators of Compromise section below.
Malicious logins were typically against the cloud-init@mail.io account, as shown in the example log line below:
date=2026-01-19 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="REDACTED" user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 dstip=REDACTED action="login" status="success" reason="none" profile="super_admin" msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.115)"
Following malicious SSO logins, configurations were exported to the same IP addresses via the GUI. Follow-up activities on compromised firewall accounts occurred within seconds of each other, indicating that the activity may be automated.
date=2026-01-19 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="cloud-init@mail.io" ui="GUI(104.28.244.115)" action="download" status="success" msg="System config file has been downloaded by user cloud-init@mail.io via GUI(104.28.244.115)"
Typically, a secondary account is created for persistence:
date=2026-01-19 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="GUI(104.28.244.115)" action="Add" cfgtid=REDACTED cfgpath="system.admin" cfgobj="secadmin" cfgattr="old-password[]accprofile[super_admin]vdom[root]password[]" msg="Add system.admin secadmin"
All of the above events took place within seconds of each other, indicating the possibility of automated activity.
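As an added example (not Arctic Wolf's own detection logic), the following Python parses FortiGate key=value event logs and flags the sequence described above: an SSO admin login, followed within a short window by a configuration download or the creation of a system.admin object by the same user. The log IDs and account names come from this bulletin; the sample log lines and their timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Regex for FortiGate key=value pairs; values may be double-quoted or bare.
KV_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S+))')
# Log IDs and account names taken from this bulletin's log lines and IOC table.
LOGID_SSO_LOGIN, LOGID_GUI_ACTION, LOGID_OBJ_CONFIGURED = "0100032001", "0100032095", "0100044547"
IOC_ACCOUNTS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_CREATED_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
# Constructed sample, trimmed from the bulletin's redacted log lines; the times are made up.
SAMPLE_LOGS = [
    'date=2026-01-19 time=03:14:05 logid="0100032001" logdesc="Admin login successful" '
    'user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 '
    'action="login" status="success" profile="super_admin"',
    'date=2026-01-19 time=03:14:07 logid="0100032095" logdesc="Admin performed an action from GUI" '
    'user="cloud-init@mail.io" ui="GUI(104.28.244.115)" action="download" status="success"',
    'date=2026-01-19 time=03:14:09 logid="0100044547" logdesc="Object attribute configured" '
    'user="cloud-init@mail.io" ui="GUI(104.28.244.115)" action="Add" cfgpath="system.admin" '
    'cfgobj="secadmin" cfgattr="old-password[]accprofile[super_admin]vdom[root]password[]"',
]

def parse_fortigate_log(line):  # one log line -> dict of key -> value
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def event_time(ev):
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")

def find_suspicious_sequences(lines, window=timedelta(seconds=60)):
    """Flag SSO admin logins by IOC accounts, plus any config download or new
    system.admin object by the same user within `window` of an SSO login."""
    events = sorted((parse_fortigate_log(l) for l in lines), key=event_time)
    findings = []
    for i, ev in enumerate(events):
        if ev.get("logid") != LOGID_SSO_LOGIN or ev.get("method") != "sso":
            continue
        user, t0 = ev.get("user"), event_time(ev)
        if user in IOC_ACCOUNTS:
            findings.append((user, "ioc_account_sso_login", ev.get("srcip")))
        for later in events[i + 1:]:
            if later.get("user") != user or event_time(later) - t0 > window:
                continue
            if later.get("logid") == LOGID_GUI_ACTION and later.get("action") == "download":
                findings.append((user, "config_download_after_sso_login", later.get("ui")))
            elif (later.get("logid") == LOGID_OBJ_CONFIGURED and later.get("action") == "Add"
                  and later.get("cfgpath") == "system.admin"):
                name = later.get("cfgobj")
                kind = "ioc_admin_created" if name in IOC_CREATED_ADMINS else "admin_created_after_sso_login"
                findings.append((user, kind, name))
    return findings
```

Feeding a day's worth of exported FortiGate event logs to find_suspicious_sequences() returns one tuple per matched step, so a single SSO login that is followed by both a download and a new admin account yields two follow-up findings.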
Indicators of Compromise
| IOC | Description |
| --- | --- |
| cloud-init@mail.io | Malicious account observed logging into firewall devices, downloading/exfiltrating a firewall config file |
| cloud-noc@mail.io | Malicious account observed logging into firewall devices, downloading/exfiltrating a firewall config file |
| 104.28.244[.]115 | Source IP observed in intrusions |
| 104.28.212[.]114 | Source IP observed in intrusions |
| 217.119.139[.]50 | Source IP observed in intrusions |
| 37.1.209[.]19 | Source IP observed in intrusions |
| secadmin | Account created following initial access |
| itadmin | Account created following initial access |
| support | Account created following initial access |
| backup | Account created following initial access |
| remoteadmin | Account created following initial access |
| audit | Account created following initial access |
Recommendations
Monitor for Updates from Fortinet
Regularly check official channels for Fortinet advisories and product updates for FortiGate devices. If and when Fortinet releases additional security patches, apply the relevant upgrades as soon as possible. More detailed instructions for upgrading firmware are available on the official documentation pages.
Reset Firewall Credentials if Affected
Although credentials are typically hashed within network appliance configurations, threat actors are known to crack hashes offline, especially if credentials are weak and susceptible to dictionary attacks.
If you observe malicious activity similar to the malicious logs described in this security bulletin, assume that hashed firewall credentials stored in exfiltrated configurations have been compromised, and reset those credentials as soon as possible.
If a vulnerability is later identified and a patch is released for that vulnerability, be sure to reset credentials upon applying the latest patches to guard against the potential of credentials being exfiltrated and used at a later time on fully patched systems.
Limit Access to Management Interfaces of Network Appliances to Trusted Internal Users
Threat actors commonly target management interfaces of firewalls and VPNs for mass exploitation, often relying on specialized search engines that facilitate identification of specific hardware configurations.
In the last few years, Arctic Wolf has observed multiple campaigns targeting management interfaces on firewalls and VPN gateways. Consider restricting all firewall management interface access to trusted internal networks as a security best practice across all firewall configurations, regardless of network appliance vendor.
Workaround
Given that the threat activity described in this campaign involves malicious SSO logins, the following workaround offered by Fortinet for CVE-2025-59718 and CVE-2025-59719 may be worth considering.
If enabled, the FortiCloud SSO login feature can be turned off temporarily until Fortinet offers updated remediation information. To turn off FortiCloud login, go to System -> Settings -> Switch "Allow administrative login using FortiCloud SSO" to Off.
Or type the following command in the CLI:
config system global
    set admin-forticloud-sso-login disable
end
Note: Due to uncertainty around the initial access method in this campaign, it is not known if this workaround will be fully effective against the observed activity.