Security researchers have identified a new wave of automated intrusions against FortiGate firewall devices, beginning January 15, 2026, with attackers stealing configuration data, creating persistence accounts, and echoing tactics seen in December 2025’s SSO bypass campaign.
Attack Chain (Highly Automated)
- Initial Access:
  - Malicious SSO logins initiated from hosting provider IPs.
  - Primary intrusion accounts: cloud-init@mail.io, cloud-noc@mail.io.
- Exfiltration:
  - Immediately after login, attackers download system configuration files via the GUI.
- Persistence:
  - Creation of secondary admin accounts within seconds.
  - Common usernames: secadmin, itadmin, remoteadmin, support, backup, audit.
- Automation confirmed: Logs show negligible time between login → config dump → account creation.
Vulnerability Context
- December 2025 disclosure (FG-IR-25-647):
  - CVE-2025-59718 – Unauthenticated SAML SSO bypass (FortiOS, FortiWeb, FortiProxy).
  - CVE-2025-59719 – Unauthenticated SAML SSO bypass (FortiOS, FortiWeb, FortiSwitchManager).
  - Attackers crafted malicious SAML messages to bypass FortiCloud SSO.
- The current January 2026 attacks may leverage variants of these flaws or the already-patched flaws themselves; this is still under investigation.
Indicators of Compromise (IOCs)
| IOC | Type | Description |
|---|---|---|
| cloud-init@mail[.]io | Malicious account | Used for logins & config exfiltration |
| cloud-noc@mail[.]io | Malicious account | Used for logins & config exfiltration |
| 104.28.244[.]115 | Source IP | Observed in SSO logins & downloads |
| 104.28.212[.]114 | Source IP | Observed in intrusions |
| 217.119.139[.]50 | Source IP | Observed in intrusions |
| 37.1.209[.]19 | Source IP | Observed in intrusions |
| secadmin, itadmin, remoteadmin, support, backup, audit | Persistence accounts | Created post-access |
Mitigation Guidance
- Patch immediately: Apply Fortinet’s latest updates and consult upgrade guides.
- Credential hygiene: Reset all credentials; assume hashed creds may be cracked offline.
- Restrict management interfaces: Expose only to trusted internal networks.
- Disable FortiCloud SSO (workaround):

  ```
  config system global
      set admin-forticloud-sso-login disable
  end
  ```

- Threat hunting: Search logs for IOCs and anomalous SSO login activity.
- Monitor advisories: Follow Fortinet PSIRT updates closely.
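The threat-hunting step above, as an added example that is not part of the original advisory: it matches the listed accounts and source IPs against FortiOS-style key=value event lines and also flags the automated login → config backup → admin-creation sequence from a single source IP. The log lines are constructed, and the field names (`srcip`, `action`, `cfgpath`, `cfgobj`) are assumptions about the log schema, not captured events.

```python
import re
from datetime import datetime

# Indicators from the advisory (defanging brackets removed so they match raw logs).
IOC_ACCOUNTS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
PERSISTENCE_NAMES = {"secadmin", "itadmin", "remoteadmin", "support", "backup", "audit"}

# FortiOS-style key=value event lines; values may be bare or double-quoted.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def hunt(lines, window_s=60):
    """Return findings: IOC hits plus any login -> config backup -> admin
    creation sequence from one source IP inside window_s seconds."""
    findings, last_login, last_backup = [], {}, {}
    for line in lines:
        ev = parse(line)
        if "date" not in ev or "time" not in ev:
            continue  # skip lines that are not timestamped events
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        ip, user, action = ev.get("srcip"), ev.get("user"), ev.get("action")
        if user in IOC_ACCOUNTS or ip in IOC_IPS:
            findings.append(f"IOC match: user={user} srcip={ip} action={action}")
        if action == "login":
            last_login[ip] = ts
        elif action == "backup" and ip in last_login \
                and (ts - last_login[ip]).total_seconds() <= window_s:
            last_backup[ip] = ts
        elif action == "Add" and ev.get("cfgpath") == "system.admin":
            new_admin = ev.get("cfgobj")
            if ip in last_backup and (ts - last_backup[ip]).total_seconds() <= window_s:
                elapsed = (ts - last_login[ip]).total_seconds()
                findings.append(f"Automated chain from {ip}: login -> config backup "
                                f"-> admin '{new_admin}' created in {elapsed:.0f}s")
            if new_admin in PERSISTENCE_NAMES:
                findings.append(f"Persistence account name from advisory created: {new_admin}")
    return findings

# Constructed sample events (field names are assumptions, not captured logs).
SAMPLE_LOG = """\
date=2026-01-16 time=03:12:05 user="cloud-init@mail.io" srcip=104.28.244.115 action=login method=sso
date=2026-01-16 time=03:12:07 user="cloud-init@mail.io" srcip=104.28.244.115 action=backup msg="config backup"
date=2026-01-16 time=03:12:09 user="cloud-init@mail.io" srcip=104.28.244.115 action=Add cfgpath="system.admin" cfgobj="secadmin"
date=2026-01-16 time=08:30:00 user="jdoe" srcip=10.0.5.20 action=login method=local
date=2026-01-16 time=09:45:00 user="jdoe" srcip=10.0.5.20 action=Add cfgpath="system.admin" cfgobj="helpdesk"
""".splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run it against exported FortiGate event logs after adjusting the field names to your log schema; a legitimate admin creating an account hours after login (the last two sample lines) produces no finding.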
Takeaway
This campaign shows how automated scripts can compromise FortiGate firewalls within seconds, exfiltrating sensitive configuration data and establishing persistence. With SSO bypass flaws (CVE-2025-59718/59719) still echoing in attacker tactics, organizations must patch urgently, restrict exposure, and hunt for IOCs to prevent deeper breaches.