Request a Demo
Rewterz
Zoom Command Injection Bug Enables Remote Code Execution
January 21, 2026

Automated Attacks Breach FortiGate Firewalls, Exposing Configuration Data – Active IOCs

Severity

High

Analysis Summary

A newly observed wave of highly automated malicious activity is actively targeting FortiGate firewall devices, with activity beginning around January 15, 2026. Threat actors have been seen performing unauthorized configuration changes, creating new administrative accounts to maintain persistence, and exfiltrating sensitive firewall configuration files. This activity closely mirrors a December 2025 campaign that followed Fortinet’s disclosure of two critical FortiCloud SSO authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719. While Fortinet has since confirmed active exploitation of the FortiCloud SSO bypass, it remains unclear whether the January attacks rely on the same flaws or on modified techniques that bypass existing patches.

Researcher indicates that the attacks are fully automated, with multiple stages of the attack chain occurring within seconds. Initial access is believed to involve malicious SSO logins originating from specific hosting provider IP addresses, most commonly using the account cloud-init@mail[.]io. Immediately after successful access, attackers download the full system configuration via the FortiGate GUI, effectively exfiltrating sensitive data such as network topology, credentials, and security policies. This rapid sequence strongly suggests scripted exploitation rather than manual attacker interaction.

Following configuration theft, the attackers establish persistence by creating additional administrative-level accounts on compromised devices. Frequently observed usernames include secadmin, itadmin, remoteadmin, support, backup, and audit, enabling long-term access even if the original entry point is closed. Arctic Wolf reports that the time gap between login, configuration export, and account creation is negligible, reinforcing confidence that this is a coordinated, multi-stage automated campaign rather than isolated incidents.

Defenders are advised to urgently monitor for known Indicators of Compromise, including malicious email-based admin accounts, suspicious SSO login activity, and source IPs such as 104.28.244[.]115104.28.212[.]114217.119.139[.]50, and 37.1.209[.]19. Mitigation steps include applying the latest Fortinet patches, resetting all credentials if compromise is suspected (as configuration files may allow offline password cracking), and restricting management interfaces to trusted networks only. As an immediate workaround, organizations can disable FortiCloud SSO to reduce exposure, while actively reviewing FortiGate logs and hunting for persistence accounts across their environments.

Impact

  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-59718

  • CVE-2025-59719

IP

  • 104.28.244.115
  • 104.28.212.114
  • 217.119.139.50
  • 37.1.209.19

Affected Vendors

Fortinet

Remediation

  • Apply the latest Fortinet security patches immediately for all affected products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, and closely monitor official advisories related to CVE-2025-59718 and CVE-2025-59719.
  • Temporarily disable FortiCloud SSO if it is not strictly required, as a risk-reduction measure against ongoing exploitation activity: config system global, set admin-forticloud-sso-login disable, end.
  • Reset all administrative and service account credentials if any suspicious activity is observed, since exported configuration files may enable offline password cracking.
  • Audit all FortiGate user accounts and immediately remove any unauthorized or suspicious administrative users, especially commonly abused names such as secadmin, itadmin, remoteadmin, support, backup, and audit.
  • Restrict FortiGate management interfaces (HTTPS, SSH, API) to trusted internal IP addresses or VPN-only access to reduce exposure to automated scanning and exploitation.
  • Review FortiGate system and authentication logs for anomalous SSO logins, rapid configuration exports, and near-instant account creation events originating from unfamiliar external IPs.
  • Actively hunt for known indicators of compromise, including malicious email-based admin accounts and IP addresses associated with this campaign, across firewall logs and SIEM platforms.
  • Ensure security monitoring and alerting are enabled for administrative logins, configuration downloads, privilege escalation, and persistence-related activities.
  • Strengthen defense-in-depth controls by enforcing least-privilege access, enabling multi-factor authentication where supported, and regularly validating firewall configurations for unauthorized changes.