Security Alert: Automated campaign alters FortiGate devices through FortiCloud SSO and exposes critical configurations


A new and troubling episode in the cybersecurity world has come to light: researchers at Arctic Wolf detected, in mid-January 2026, an automated campaign that changes the configuration of Fortinet FortiGate firewalls without authorization. According to the analysis published by the company, the attackers have taken advantage of the single sign-on (SSO) flow linked to FortiCloud to gain access to administrative consoles and exfiltrate configuration files.

The technical mechanism behind this intrusion relies on manipulated SAML messages that bypass authentication when the FortiCloud SSO feature is enabled on affected devices. Arctic Wolf identifies the affected product families as FortiOS, FortiWeb, FortiProxy and FortiSwitchManager, and links this activity to vulnerabilities already catalogued in the Fortinet ecosystem. Its report contains a detailed analysis of the observed indicators and the attacker's sequence of actions: Arctic Wolf report.


Researchers describe a repeating pattern: SSO logins against a suspicious account named cloud-init@mail.io from a specific set of IP addresses, followed by export of the configuration files through the graphical interface to those same addresses. The addresses listed by Arctic Wolf include 104.28.244.115, 104.28.212.114, 217.119.139.50 and 37.1.209.19. Beyond this initial account, the attackers create secondary accounts with generic names (for example secadmin, itadmin, support, backup, remoteadmin or audit), apparently intending to maintain persistent access to the device.

One feature the analysts highlight is speed: all the relevant events occur within a matter of seconds, which suggests the operation is automated. This automation lets the attacker make configuration changes that grant VPN access to the newly created accounts and, in some cases, download the complete firewall configuration. It is worth stressing that the configuration file of a security device usually contains rules, routes, certificates and sometimes credentials or references to secrets that an adversary can reuse to move laterally within a network or maintain long-term access.

Arctic Wolf's publication coincides with reports from users in public forums of anomalous behaviour. In a Reddit thread, several Fortinet administrators describe malicious SSO logins on devices with patches already applied, and one participant states that a Fortinet development team confirmed persistent problems in version 7.4.10. The discussion is available on Reddit here: thread on Reddit. Meanwhile, Fortinet maintains its security advisories portal and product documentation, where patches and official recommendations are published: Fortinet Security Advisories and Fortinet technical documentation.

While official confirmation and final patches depend on the vendor, Arctic Wolf and other experts have already proposed immediate mitigations. The most urgent actions include disabling the option that allows administrative login via FortiCloud SSO on affected devices (admin-forticloud-sso-login), reviewing the list of local administrators to detect unknown accounts, exporting and analysing access logs and configuration exports, and limiting access to management interfaces through access control lists or administrative tunnels from trusted IP addresses.
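As an added example (not code from the Arctic Wolf report or from Fortinet), a small Python triage script that applies the pattern described above to exported access logs: it flags SSO logins by the reported account or source addresses, creation of the generic administrator names listed, and configuration exports that follow such a login within seconds. The log lines are constructed in a simplified key=value shape and are not a verbatim FortiOS log schema; the 30-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Indicators as reported in the article (account name, source IPs, generic admin names).
SUSPECT_USER = "cloud-init@mail.io"
SUSPECT_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
GENERIC_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
WINDOW = timedelta(seconds=30)  # assumed correlation window; the campaign runs in seconds

# Constructed sample lines in a simplified key=value shape (not a verbatim FortiOS schema).
SAMPLE_LOG = """\
date=2026-01-15 time=03:14:07 user="admin" srcip="10.0.0.5" action="login" status="success" method="local"
date=2026-01-15 time=03:20:01 user="cloud-init@mail.io" srcip="104.28.244.115" action="login" status="success" method="sso"
date=2026-01-15 time=03:20:04 user="cloud-init@mail.io" srcip="104.28.244.115" action="add" object="system.admin" name="secadmin"
date=2026-01-15 time=03:20:06 user="cloud-init@mail.io" srcip="104.28.244.115" action="download" object="config"
date=2026-01-15 time=09:45:12 user="admin" srcip="10.0.0.5" action="download" object="config"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value line into a dict with a parsed timestamp; quoted values are unquoted."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def triage(log_text):
    """Return (timestamp, reason) findings: suspect SSO logins, creation of generic admin
    accounts, and config exports, escalated when they follow a suspect login within WINDOW."""
    findings, suspect_sessions = [], []
    for rec in map(parse, log_text.splitlines()):
        if rec.get("action") == "login" and rec.get("method") == "sso" and (
                rec.get("user") == SUSPECT_USER or rec.get("srcip") in SUSPECT_IPS):
            suspect_sessions.append(rec)
            findings.append((rec["ts"], f"suspect SSO login {rec['user']} from {rec['srcip']}"))
        elif rec.get("object") == "system.admin" and rec.get("name") in GENERIC_ADMINS:
            findings.append((rec["ts"], f"generic admin account created: {rec['name']}"))
        elif rec.get("action") == "download" and rec.get("object") == "config":
            # Every config export deserves a look; one that closely follows a suspect
            # login from the same source matches the reported pattern.
            recent = any(timedelta(0) <= rec["ts"] - s["ts"] <= WINDOW
                         and s["srcip"] == rec["srcip"] for s in suspect_sessions)
            tag = "config export after suspect SSO login" if recent else "config export (review)"
            findings.append((rec["ts"], f"{tag} by {rec['user']} from {rec['srcip']}"))
    return findings

if __name__ == "__main__":
    for ts, reason in triage(SAMPLE_LOG):
        print(ts, reason)
```

Run against a real export, the same logic should be pointed at the device's event log fields rather than the constructed keys used here.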

It is essential to act quickly but methodically: disabling the vulnerable feature reduces the exposed surface, but it does not replace a thorough verification process. After disabling SSO, audit all recent changes, verify the integrity and trustworthiness of certificates, force rotation of affected passwords and keys, and remove the newly created accounts. Response teams should look for signs of lateral movement or additional backdoors, since exposure of the configuration files may have given the attacker more information with which to pivot within the environment.


For those managing FortiGate and other Fortinet products, the short-term practical recommendation is to follow the security vendors' guidance and update to the version Fortinet officially publishes to correct the underlying vulnerabilities. Meanwhile, it is prudent to apply compensating controls: restrict administrative access, monitor configuration exports and downloads, and keep a record of the IP addresses from which access occurs. For a reference on why vulnerabilities in SAML flows can be critical, see the technical material on SAML and its abuse vectors available in the security community: OWASP documentation on SAML.

The situation is a reminder that convenience mechanisms such as cloud SSO bring operational benefits but also risks when not combined with hardening and continuous monitoring. Security and operations teams should assume that automated exploitation attempts will continue until a definitive fix is deployed, and organise their response accordingly: close the vector, audit forensically, and deploy official patches when available.

We will follow the evolution of the incident and the official publications from Fortinet and response centres to update these recommendations. In the meantime, you can read the Arctic Wolf analysis and check the Fortinet guides and advisories at the links mentioned above.
