Threat Overview
In a recent publication dated 2026-01-22, security researchers from AlienVault identified a sophisticated wave of automated malicious activity targeting Fortinet FortiGate firewalls. The attackers exploit Single Sign-On (SSO) mechanisms to gain foothold and then perform unauthorized configuration changes, creating generic accounts for persistence, granting VPN access, and exfiltrating firewall configurations. The campaign mirrors a December 2025 incident that also leveraged SSO login activity for administrator accounts, suggesting a persistent threat actor or a shared toolset.
According to the report, the initial access vector is not fully confirmed, but the pattern strongly indicates exploitation of known SSO vulnerabilities, specifically CVE-2025-59718 and CVE-2025-59719. These vulnerabilities allow attackers to bypass authentication controls and obtain elevated privileges on FortiGate devices. The malicious activity is characterized by rapid execution: SSO logins from specific hosting providers, followed by configuration exports and the creation of secondary accounts, all occurring within seconds. This speed and automation point to a well‑engineered script or botnet designed for mass deployment.
Actor Profile
While the report does not disclose a definitive actor group name, the operational tempo, reuse of SSO exploits, and the focus on FortiGate devices suggest a highly skilled threat actor with deep knowledge of Fortinet products. The use of generic accounts and automated configuration changes aligns with tactics seen in advanced persistent threat (APT) campaigns that aim for long‑term persistence and lateral movement within corporate networks.
Technical Tactics, Techniques, and Procedures (TTPs)
- SSO Exploitation – Attackers leverage CVE-2025-59718/59719 to bypass authentication and gain administrative access.
2. Account Creation – Creation of generic user accounts with administrative privileges for persistence.
3. Configuration Modification – Unauthorized changes to firewall rules, VPN settings, and routing tables to facilitate future exfiltration or lateral movement.
4. Export and Exfiltration – Automated export of firewall configuration files, which may contain sensitive network topology and credential information.
5. Rapid Execution – The entire process completes within seconds, indicating automated scripts or a command‑and‑control (C2) infrastructure that orchestrates the attacks.
Indicators of Compromise (IOCs)
• Unusual SSO login events originating from known hosting providers.
• Creation of new user accounts with administrative roles that do not align with normal organizational patterns.
• Sudden changes to VPN access rules or the addition of new VPN tunnels.
• Export of firewall configuration files to external storage or cloud locations.
• Increased volume of configuration change logs within a short time frame.
Impact Assessment
The potential impact of this threat is significant. Unauthorized configuration changes can open new attack vectors, allow attackers to maintain persistence, and provide them with a foothold to move laterally across the network. Exfiltrated configuration files may reveal critical network details, enabling attackers to craft more targeted attacks. The rapid nature of the attacks means that defenders may not detect the compromise until after the damage has been done.
Recommendations for Mitigation
- Patch Management – Immediately apply the latest Fortinet firmware updates that address CVE-2025-59718 and CVE-2025-59719. Maintain a rigorous patching schedule for all network devices.
2. SSO Hardening – Configure SSO to enforce multi‑factor authentication (MFA) and restrict access to trusted IP ranges. Disable or limit the use of SSO for administrative accounts where possible.
3. Account Governance – Implement strict role‑based access control (RBAC). Regularly audit user accounts, especially newly created or dormant accounts, and enforce the principle of least privilege.
4. Configuration Monitoring – Enable comprehensive logging of configuration changes. Use a configuration management database (CMDB) or a dedicated configuration monitoring tool to detect unauthorized modifications in real time.
5. Backup and Recovery – Maintain secure, offline backups of firewall configurations. Test restore procedures regularly to ensure rapid recovery in case of compromise.
6. Network Segmentation – Segment critical network segments and isolate FortiGate management interfaces from the broader network. Use VLANs and firewall rules to limit lateral movement.
7. Threat Intelligence Integration – Subscribe to threat intelligence feeds that provide early warnings about emerging FortiGate vulnerabilities and related attack patterns. Incorporate IOC alerts into your security information and event management (SIEM) system.
8. Incident Response Planning – Update your incident response playbooks to include scenarios involving automated configuration changes and SSO exploitation. Conduct tabletop exercises to validate response readiness.
Conclusion
Fortinet FortiGate devices are under active attack from actors who exploit SSO vulnerabilities to perform rapid, automated configuration changes. By following the recommendations above—particularly patching, SSO hardening, and vigilant monitoring—organizations can reduce the attack surface and detect malicious activity before it escalates. Continuous vigilance, coupled with proactive threat intelligence, remains essential in defending against this evolving threat landscape.

