FortiGate Firewall Attack: Exploiting FortiCloud SSO for Unauthorized Access (2026)

Imagine waking up to find your firewall configurations have been silently altered by an automated attack—a chilling reality for some Fortinet FortiGate users. But here's where it gets even more alarming: Cybersecurity firm Arctic Wolf has uncovered a sophisticated campaign exploiting FortiCloud's Single Sign-On (SSO) feature to make unauthorized changes, leaving networks vulnerable. This isn't the first time FortiGate devices have been targeted; a similar wave of attacks in December 2025 leveraged vulnerabilities CVE-2025-59718 and CVE-2025-59719 to bypass SSO authentication. These flaws, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, allow attackers to slip past defenses using crafted SAML messages when SSO is enabled.

And this is the part most people miss: The attackers aren't just making random changes—they're creating backdoor accounts like 'cloud-init@mail.io' and others (e.g., 'secadmin,' 'itadmin') to ensure long-term access. These accounts are granted VPN privileges, and firewall configurations are swiftly exfiltrated to malicious IP addresses, including 104.28.244[.]115, 104.28.212[.]114, 217.119.139[.]50, and 37.1.209[.]19. The speed and precision of these actions suggest automation, making the threat even more daunting.

What’s particularly concerning is that these attacks are occurring even on fully patched FortiOS devices, as multiple users on Reddit have reported. One user claims the Fortinet developer team confirmed the vulnerability persists in version 7.4.10, raising questions about the effectiveness of current patches. Is this a case of zero-day exploits, or are existing fixes falling short?

While Fortinet has yet to comment, Arctic Wolf advises disabling the 'admin-forticloud-sso-login' setting as a temporary safeguard. But this workaround isn’t foolproof—it limits functionality and doesn’t address the root issue. Should organizations rely on vendor patches, or is it time to rethink SSO implementations entirely?
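As an added defender-side example (not code from the article, Arctic Wolf, or Fortinet), the script below turns the indicators quoted above into a check a network team could run against an exported FortiGate configuration and a handful of traffic log lines: it flags an enabled `admin-forticloud-sso-login` setting, admin or local-user accounts matching the backdoor names named in the article, and outbound connections to the listed IP addresses. The configuration excerpt and log lines are constructed inline; the `config ... edit ... set ... next/end` layout and the key=value log format mirror the general FortiOS CLI and log style but are assumptions, not captured device output.

```python
import re

# Indicators quoted in the article: backdoor account names and defanged IPs.
IOC_ADMIN_NAMES = {"cloud-init@mail.io", "secadmin", "itadmin"}
DEFANGED_IPS = ["104.28.244[.]115", "104.28.212[.]114", "217.119.139[.]50", "37.1.209[.]19"]


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 1.2.3[.]4 back into a comparable address."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Constructed sample configuration excerpt (assumed layout, not real device output).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "cloud-init@mail.io"
        set accprofile "super_admin"
        set remote-auth enable
    next
end
config user local
    edit "secadmin"
        set type password
    next
end
"""

# Constructed sample traffic log lines in key=value style (assumed format).
SAMPLE_LOGS = [
    'date=2026-01-10 time=03:14:02 type=traffic subtype=forward srcip=10.0.0.5 dstip=104.28.244.115 dstport=443 action=accept',
    'date=2026-01-10 time=03:14:05 type=traffic subtype=forward srcip=10.0.0.7 dstip=93.184.216.34 dstport=443 action=accept',
]


def parse_fortios_config(text: str):
    """Minimal stateful parser for the config/edit/set/next/end block structure.

    Returns (settings, entries): settings maps ((section, edit_name), key) -> value,
    entries maps section -> list of edit names found in it.
    """
    section_stack = []
    current_edit = None
    settings = {}
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section_stack.append(line[len("config "):])
        elif line.startswith("edit "):
            current_edit = line[len("edit "):].strip('"')
            entries.setdefault(section_stack[-1], []).append(current_edit)
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            scope = (section_stack[-1] if section_stack else "", current_edit)
            settings[(scope, key)] = value.strip().strip('"')
        elif line == "next":
            current_edit = None
        elif line == "end":
            section_stack.pop()
    return settings, entries


def audit_config(text: str):
    """Return human-readable findings for the SSO setting and IoC account names."""
    settings, entries = parse_fortios_config(text)
    findings = []
    sso = settings.get((("system global", None), "admin-forticloud-sso-login"))
    if sso == "enable":
        findings.append("admin-forticloud-sso-login is enabled (Arctic Wolf's interim advice is to disable it)")
    for section in ("system admin", "user local"):
        for name in entries.get(section, []):
            if name in IOC_ADMIN_NAMES:
                findings.append(f"IoC account '{name}' present in {section}")
    return findings


def parse_kv(line: str) -> dict:
    """Split a key=value log line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}


def flag_ioc_egress(lines):
    """Return parsed log records whose destination IP matches the article's IoC list."""
    return [rec for rec in map(parse_kv, lines) if rec.get("dstip") in IOC_IPS]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    for rec in flag_ioc_egress(SAMPLE_LOGS):
        print("EGRESS:", rec["srcip"], "->", rec["dstip"], "at", rec["date"], rec["time"])
```

Pointing `audit_config` at a real `show full-configuration` export and `flag_ioc_egress` at exported traffic logs gives a quick triage pass; a hit on either the account names or the destination addresses is a reason to treat the device as compromised and review its full configuration history, not merely to flip the SSO setting.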

This evolving threat highlights the delicate balance between convenience and security in SSO systems. As attackers grow more sophisticated, defenders must stay one step ahead. What measures are you taking to protect your network? Share your thoughts in the comments—let’s spark a conversation about the future of cybersecurity in an increasingly automated threat landscape.

Author: Jeremiah Abshire