**Arctic Wolf Detects Surge in Automated Fortinet FortiGate Firewall Configuration Attacks**

A critical wave of automated attacks has been detected by Arctic Wolf, targeting Fortinet's FortiGate devices with unauthorized firewall configuration changes. The researchers at Arctic Wolf have warned about this new threat cluster observed since January 15, 2026, which bears a striking resemblance to a similar campaign in December 2025.

Arctic Wolf's report reveals that the attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations. This malicious activity started on January 15, 2026, and is believed to be highly automated, with actions occurring within seconds of gaining access.

The threat actors behind this campaign are exploiting critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, which were disclosed by Fortinet in December 2025. Both flaws are classified as improper verification of cryptographic signatures and allow attackers to bypass authentication controls and gain unauthorized access to FortiGate devices.

Arctic Wolf researchers observed that the attacks began just three days after patches were issued for these critical flaws. The malicious SSO logins targeted admin accounts from multiple hosting providers, with a focus on the [email protected] account. After gaining access, the attackers quickly exported device configurations via the GUI; these exports include hashed credentials that attackers can attempt to crack offline, increasing the risk of further compromise.

The Indicators of Compromise (IoCs) published by Arctic Wolf provide valuable insights into the tactics, techniques, and procedures (TTPs) used by these threat actors. The report highlights the importance of staying vigilant and implementing robust security measures to prevent such attacks from succeeding.

"Starting on January 15, 2026, Arctic Wolf began observing a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices," reads the report published by Arctic Wolf. "This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations."

Arctic Wolf has detections in place and is closely monitoring the evolving threat. The company warns that organizations using Fortinet's FortiGate devices should be aware of this new wave of attacks and take immediate action to prevent unauthorized access and configuration changes.

**Indicators of Compromise (IoCs) Published by Arctic Wolf:**

* Generic account creation for persistence
* VPN access enabled on generic accounts
* Exfiltration of firewall configurations via GUI
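As an added illustration, not code from the Arctic Wolf report or from Fortinet, the check below correlates the sequence described above (an SSO admin login followed within seconds by account creation, a VPN-related change and a configuration export) over constructed FortiOS-style event lines. The field names, log descriptions, account names and addresses are assumptions for the example, not indicators from the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a FortiOS-style key=value layout. Field names,
# descriptions and values are assumptions for illustration, not report data.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:07 logdesc="Admin login successful" user="admin" ui="sso" srcip=203.0.113.10
date=2026-01-15 time=03:12:09 logdesc="Object attribute configured" user="admin" action="Add" cfgpath="system.admin" cfgobj="support"
date=2026-01-15 time=03:12:11 logdesc="Object attribute configured" user="admin" action="Edit" cfgpath="vpn.ssl.settings" cfgattr="status[enable]"
date=2026-01-15 time=03:12:13 logdesc="Config backup" user="admin" ui="GUI(203.0.113.10)"
date=2026-01-15 time=09:40:02 logdesc="Admin login successful" user="netops" ui="https(192.0.2.5)" srcip=192.0.2.5
date=2026-01-15 time=10:15:30 logdesc="Object attribute configured" user="netops" action="Edit" cfgpath="firewall.address" cfgobj="lan-subnet"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value event line into a dict, stripping quotes and adding a timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields

def classify(ev):
    """Map an event to the step of the intrusion chain it represents, or None."""
    desc = ev.get("logdesc", "").lower()
    path = ev.get("cfgpath", "")
    if "login successful" in desc:
        return "login"
    if ev.get("action") == "Add" and path in ("system.admin", "user.local"):
        return "account_add"        # new admin or local user (persistence)
    if path.startswith("vpn.") or path == "firewall.policy":
        return "vpn_change"         # granting VPN reachability
    if "backup" in desc:
        return "config_export"      # configuration (with hashed credentials) leaves the box
    return None

def detect_chain(log_text, window_seconds=60):
    """Flag each admin login followed, by the same user and within the window,
    by account creation, a VPN-related change and a configuration export."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if classify(ev) != "login":
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        seen = set()
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break
            if later.get("user") == ev.get("user"):
                seen.add(classify(later))
        if {"account_add", "vpn_change", "config_export"} <= seen:
            findings.append({"user": ev["user"], "srcip": ev.get("srcip"),
                             "ui": ev.get("ui"), "at": ev["ts"].isoformat()})
    return findings
```

The short window is the point: the same three changes made by an operator over a working day should not fire, while the automated burst the report describes does.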

**Recommendations:**

* Stay vigilant and monitor your FortiGate devices closely
* Implement robust security measures to prevent unauthorized access
* Regularly update and patch your systems to prevent exploitation of critical flaws
* Be aware of the tactics, techniques, and procedures (TTPs) used by these threat actors

**Follow @securityaffairs on Twitter, Facebook, and Mastodon for the latest updates on cybersecurity news and threats.**