MUST READ

Arctic Wolf detects surge in automated Fortinet FortiGate firewall configuration attacks

 | 

U.S. CISA adds a flaw in Cisco Unified Communications products to its Known Exploited Vulnerabilities catalog

 | 

Zoom fixed critical Node Multimedia Routers flaw

 | 

ACME flaw in Cloudflare allowed attackers to reach origin servers

 | 

Crooks impersonate LastPass in campaign to harvest master passwords

 | 

VoidLink shows how one developer used AI to build a powerful Linux malware

 | 

PDFSIDER Malware - Exploitation of DLL Side-Loading for AV and EDR Evasion

 | 

Access broker caught: Jordanian pleads guilty to hacking 50 companies

 | 

Critical TP-Link VIGI camera flaw allowed remote takeover of surveillance systems

 | 

Telegram-based illicit billionaire marketplace Tudou Guarantee stopped transactions

 | 

UK NCSC warns of Russia-linked hacktivists DDoS attacks

 | 

Ransomware attack on Ingram Micro impacts 42,000 individuals

 | 

StealC malware control panel flaw leaks details on active attacker

 | 

Hacker pleads guilty to hacking Supreme Court, AmeriCorps, and VA Systems

 | 

Hacktivists hijacked Iran ’s state TV to air anti-regime messages and an appeal to protest from Reza Pahlavi

 | 

GootLoader uses malformed ZIP files to bypass security controls

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 80

 | 

Security Affairs newsletter Round 559 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Ukraine–Germany operation targets Black Basta, Russian leader wanted

 | 

China-linked APT UAT-8837 targets North American critical infrastructure

 | 

Arctic Wolf detects surge in automated Fortinet FortiGate firewall configuration attacks

Pierluigi Paganini January 22, 2026

Arctic Wolf warned of a new wave of automated attacks making unauthorized firewall configuration changes on Fortinet FortiGate devices.

Arctic Wolf researchers reported a new automated attack cluster observed since January 15, 2026, targeting FortiGate devices. Attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations. The activity resembles a December 2025 campaign involving admin SSO logins and config theft. Arctic Wolf has detections in place and is monitoring the evolving threat.

“Starting on January 15, 2026, Arctic Wolf began observing a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices.” reads the report published by Arctic Wolf. “This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations. “

In December 2025, Fortinet disclosed two critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, which are improper verification of cryptographic signature issues.

Threat actors started exploiting the two critical flaws in Fortinet products days after patch release, Arctic Wolf warned.

Arctic Wolf researchers observed attackers began exploiting critical Fortinet authentication bypass flaws on December 12, just three days after patches were issued. The attacks involved malicious SSO logins on FortiGate devices, mainly targeting admin accounts from multiple hosting providers. After gaining access, the attackers exported device configurations via the GUI. These files include hashed credentials, which threat actors can attempt to crack offline, increasing the risk of further compromise.

Recent intrusions show malicious SSO logins from a small set of hosting providers, often targeting the [email protected] account. After successful SSO access, attackers quickly exported firewall configurations via the GUI and created secondary admin accounts for persistence. These actions occurred within seconds, suggesting highly automated activity.

The researchers published Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet FortiGate)

Fortinet Fortinet FortiGate Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini January 21, 2026
Cisco fixed actively exploited Unified Communications zero day
Read more
Pierluigi Paganini January 21, 2026
Zoom fixed critical Node Multimedia Routers flaw
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

Arctic Wolf detects surge in automated Fortinet FortiGate firewall configuration attacks

Hacking / January 22, 2026

U.S. CISA adds a flaw in Cisco Unified Communications products to its Known Exploited Vulnerabilities catalog

Uncategorized / January 22, 2026

Zoom fixed critical Node Multimedia Routers flaw

Security / January 21, 2026

ACME flaw in Cloudflare allowed attackers to reach origin servers

Security / January 21, 2026

Crooks impersonate LastPass in campaign to harvest master passwords

Cyber Crime / January 21, 2026