Arctic Wolf observes malicious configuration changes on Fortinet FortiGate

Arctic Wolf observes malicious configuration changes on Fortinet FortiGate devices via SSO accounts Source: arcticwolf.com/resources… Arctic Wolf reports a new cluster of automated attacks observed from Jan. 15, 2026, involving unauthorized configuration changes on FortiGate firewalls. The activity includes creation of generic accounts for persistence, VPN access being granted to those accounts, and exfiltration of firewall configurations. The campaign resembles activity Arctic Wolf disclosed in December 2025, which involved malicious SSO logins to administrator accounts followed by configuration changes and data exfiltration. Arctic Wolf has active detections in place and is alerting affected customers as additional cases are identified. The activity follows Fortinet’s December advisory on two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, which allow unauthenticated SSO access via crafted SAML messages when FortiCloud SSO is enabled. Affected products include FortiOS, FortiWeb, FortiProxy and FortiSwitchManager. It remains unclear whether the latest activity is fully mitigated by the existing patches.