January 23, 2026 By Pierluigi Paganini
Fortinet confirmed attacks are bypassing FortiCloud SSO authentication, affecting even fully patched devices, similar to recent SSO flaws.
Fortinet confirmed attacks bypass FortiCloud SSO on fully patched devices. Threat actors automate firewall changes, add users, enable VPNs, and steal configs, in campaigns resembling December 2025 exploits of critical FortiCloud SSO flaws.
Arctic Wolf researchers reported a new automated attack cluster observed since January 15, 2026, targeting FortiGate devices. Attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations. The activity resembles a December 2025 campaign involving admin SSO logins and config theft. Arctic Wolf has detections in place and is monitoring the evolving threat.
“Starting on January 15, 2026, Arctic Wolf began observing a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices.” reads the report published by Arctic Wolf. “This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations. “
In December 2025, Fortinet disclosed two critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, which are improper verification of cryptographic signature issues.
Threat actors started exploiting the two critical flaws in Fortinet products days after patch release, Arctic Wolf warned.