Cybersecurity company Arctic Wolf recently began seeing a new cluster of automated malicious activity targeting Fortinet FortiGate firewalls. The activity, which started on January 15, 2026, involves unauthorized administrative logins followed by the creation of backdoor administrator accounts and changes to the firewall configuration. It is a further reminder of how frequently these ubiquitous network appliances are targeted and how little margin for error their management plane leaves.
The latest activity continues a campaign that Arctic Wolf first observed in December 2025, which abused two FortiOS vulnerabilities, CVE-2025-59718 and CVE-2025-59719. In that earlier wave, threat actors used the flaws to take over administrator accounts on FortiGate appliances, performing malicious Single Sign-On (SSO) logins with accounts authenticated through a hosted identity provider rather than local credentials. The current activity shares many of the same characteristics, and its shift toward automation points to an increasingly dynamic and complex threat landscape.
Details of the Malicious Activity
In the past few weeks, the attackers have used a fresh set of secondary administrator accounts with generic names such as "secadmin," "itadmin," "support," "backup," "remoteadmin," and "audit." The tactic is aimed at persistence: an innocuous-looking second admin account survives a password reset or a patch that closes the original entry point. After gaining unauthorized access through malicious SSO logins, the attackers exported firewall configuration files to four distinct IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19. A FortiGate configuration contains admin accounts, VPN settings and encrypted secrets, so its theft is a serious exposure in its own right.
The threat actors' actions were fast and synchronized. Arctic Wolf noted, "All of the above events took place within seconds of each other, indicating the possibility of automated activity." Such compressed timing is characteristic of scripted tooling rather than hands-on-keyboard intrusion, which means the same playbook can be run against large numbers of exposed devices.
Vulnerabilities Exploited
Some FortiGate administrators report that the activity continued even on devices running the latest FortiOS with all patches applied. A member of a Reddit forum highlighted that "Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10." Whatever the eventual fix, Fortinet customers cannot rely on patching alone and should apply compensating controls to secure their networks.
Arctic Wolf summarized the attack chain as follows: "This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations." That one sentence captures the three stages that make the campaign damaging: persistence (new accounts), expanded access (VPN privileges for those accounts) and data theft (the exported configurations).
Response and Recommendations
As this threat develops, security practitioners advise every organization that runs Fortinet FortiGate appliances to revisit its security posture. Hunting for abnormal SSO login activity and auditing the admin account list for users nobody provisioned should be at the top of the list.
All organizations should also be diligent about applying the Fortinet patches that address these vulnerabilities. That the attacks continue regardless is a stark reminder of how much sound security practice matters for the network infrastructure these appliances defend.
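One way to hunt for these indicators in FortiGate event logs, as an added example rather than code from Arctic Wolf, Fortinet or the original article: the script below parses FortiOS-style key=value event logs, flags SSO admin logins, creation of admin accounts that use the generic names listed above or that are absent from your inventory, VPN configuration changes and configuration exports to the four reported IP addresses, and then looks for bursts of those events from a single IP within a few seconds, the timing Arctic Wolf associated with automation. The sample log lines are constructed for the example; the exact logdesc strings, the method="sso" value, the KNOWN_ADMINS inventory and the field names are assumptions, so match them against what your own devices actually emit.

```python
import re
from datetime import datetime

# Indicators reported in the article.
GENERIC_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
EXFIL_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
# Admin accounts you actually provisioned (assumption; keep in sync with your inventory).
KNOWN_ADMINS = {"admin", "netops"}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample events. First four: attacker session from a reported IOC address,
# seconds apart. Last two: legitimate admin work from an internal host, minutes apart.
SAMPLE_LOG = [
    'date=2026-01-15 time=03:12:41 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(37.1.209.19)" method="sso" '
    'srcip=37.1.209.19 action="login" status="success" msg="Administrator admin logged in"',
    'date=2026-01-15 time=03:12:43 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(37.1.209.19)" action="Add" '
    'cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"',
    'date=2026-01-15 time=03:12:44 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(37.1.209.19)" action="Edit" '
    'cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"',
    'date=2026-01-15 time=03:12:46 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Config backup" user="admin" ui="https(37.1.209.19)" srcip=37.1.209.19 '
    'action="backup" status="success" msg="Configuration is backed up"',
    'date=2026-01-15 time=09:40:02 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 action="login" status="success" msg="Administrator netops logged in"',
    'date=2026-01-15 time=09:41:30 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops" ui="GUI(10.0.0.5)" action="Add" '
    'cfgpath="system.admin" cfgobj="jdoe" msg="Add system.admin jdoe"',
]


def parse_line(line):
    """Split a FortiOS key=value log line into a dict, stripping quotes from values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}


def source_ip(f):
    """Requester IP: srcip if present, else the address embedded in ui="GUI(x.x.x.x)"."""
    if f.get("srcip"):
        return f["srcip"]
    m = IP_RE.search(f.get("ui", ""))
    return m.group(0) if m else None


def classify(f):
    """Return the indicator tags that a single parsed event matches (possibly none)."""
    tags = []
    desc = f.get("logdesc", "").lower()
    # Admin login that went through SSO rather than local credentials (assumed value).
    if "login" in desc and f.get("status") == "success" and f.get("method") == "sso":
        tags.append("sso_admin_login")
    # New admin object: generic persistence name, or a name nobody provisioned.
    if f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
        obj = f.get("cfgobj", "")
        if obj.lower() in GENERIC_ACCOUNTS:
            tags.append("generic_admin_created:" + obj)
        elif obj not in KNOWN_ADMINS:
            tags.append("unknown_admin_created:" + obj)
    # Changes under the VPN tree, the step that grants the new account remote access.
    if f.get("cfgpath", "").startswith("vpn."):
        tags.append("vpn_config_change")
    # Configuration export; worse when requested from a reported exfiltration IP.
    if "backup" in desc:
        tags.append("config_export_to_ioc" if source_ip(f) in EXFIL_IPS else "config_export")
    return tags


def triage(lines, burst_seconds=10, burst_min_events=3):
    """Classify every line, then find IPs whose tagged events all fall within burst_seconds.

    Returns (findings, bursts): findings is a list of (timestamp, ip, user, tags) for
    tagged events; bursts lists source IPs whose tagged activity is compressed into a
    few seconds, the pattern Arctic Wolf attributed to automation.
    """
    findings = []
    for line in lines:
        f = parse_line(line)
        tags = classify(f)
        if tags:
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            findings.append((ts, source_ip(f), f.get("user", ""), tags))
    by_ip = {}
    for ts, ip, _, _ in findings:
        by_ip.setdefault(ip, []).append(ts)
    bursts = [ip for ip, stamps in by_ip.items()
              if len(stamps) >= burst_min_events
              and (max(stamps) - min(stamps)).total_seconds() <= burst_seconds]
    return findings, bursts


if __name__ == "__main__":
    found, burst_ips = triage(SAMPLE_LOG)
    for ts, ip, user, tags in found:
        print(ts, ip, user, ", ".join(tags))
    print("automated bursts from:", burst_ips)
```

Feed it your exported event logs (one line per event) instead of SAMPLE_LOG. The unknown-admin check deliberately fires on any name outside KNOWN_ADMINS, not only the six generic ones, because the next campaign will pick different names; tune the burst threshold to the gap you actually see between a legitimate login and the first configuration change.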