Malicious Configuration Changes Observed On Fortinet FortiGate Devices via SSO Accounts
Essential information
- Published
- 22/01/2026 00:39
- Modified
- 22/01/2026 11:19
- Tags
- 2026-01-22 CVE-2025-59718 CVE-2025-59719 configuration changes exfiltration firewall fortigate persistence sso unauthorized access vpn
- Related entities
- 5 vulnerabilities (cve), 5 observables
Description
A new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices has been observed. The activity includes creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. The campaign bears similarities to a previous one described in December 2025, involving SSO login activity for administrator accounts. While the initial access details are not fully confirmed, it may be related to previously disclosed SSO vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The malicious activity involves SSO logins from specific hosting providers, followed by configuration exports and creation of secondary accounts for persistence. The events occur within seconds, suggesting automated activity.