Arctic Wolf has identified a new surge of automated attacks targeting Fortinet FortiGate devices to modify firewall configurations without authorization. These intrusions involve the creation of persistent accounts and the theft of device settings, likely building upon exploits of critical authentication bypass flaws first observed in late 2025.
Arctic Wolf researchers recently identified a new cluster of automated malicious activity that began on January 15, 2026. This campaign specifically targets FortiGate devices through unauthorized configuration changes. The attackers focus on establishing long-term access by creating generic accounts and modifying VPN settings. Once persistence is secured, the actors quickly exfiltrate firewall configurations, which can contain sensitive data for further exploitation.
The current wave of attacks appears to be an evolution of a threat first detected in December 2025. At that time, Fortinet disclosed two critical vulnerabilities related to SSO authentication bypass, identified as CVE-2025-59718 and CVE-2025-59719. These flaws involve the improper verification of cryptographic signatures, providing a window for attackers to bypass security protocols. Arctic Wolf noted that exploitation began only three days after the official patches were released.
In the earlier December campaign, threat actors utilized malicious SSO logins to target administrative accounts on FortiGate devices. After gaining entry, the attackers used the graphical user interface to export device configurations. These exported files are particularly dangerous because they include hashed credentials. If attackers successfully crack these hashes offline, they can gain deeper access to the network and elevate their privileges.
The most recent activity shows a high degree of efficiency and automation, with many malicious actions occurring within seconds of access. Attackers have been observed using a specific set of hosting providers to launch logins, frequently targeting the cloud-init@mail.io account. By rapidly creating secondary administrator accounts and exporting configurations, the actors ensure they maintain a foothold even if the initial entry point is discovered.
Arctic Wolf continues to monitor this evolving threat and has implemented specific detections to protect its customers. The researchers have also released indicators of compromise to help organizations identify and mitigate potential breaches. Users of Fortinet products are encouraged to review their logs for unauthorized administrative activity and ensure all security patches are applied to prevent automated exploitation.
Source: Arctic Wolf Detects Surge In Automated FortiGate Firewall Configuration Attacks



Solid coverage of the FortiGate campaign. The three-day window between patch release and active exploitation really underscores the automation velocity issue. What's particularly concerning is the rapid config exfiltration targeting hashed credentials. From what I've seen, most teams treat these exports as low-risk, but offline cracking can turn them into privilege escalation vectors fast.