FortiGate FortiCloud SSO abuse wave
Exploitation Wave
Summary
Hide ▲
Show ▼
Fortinet FortiGate devices are facing a new automated exploitation wave that uses FortiCloud SSO abuse to make unauthorized firewall configuration changes and establish persistent access. The activity began on January 15, 2026 and involved multiple source IPs abusing the [email protected] account. Attackers also created secondary accounts and granted VPN access, raising the risk of deeper network intrusion. The pattern is similar to a December 2025 campaign tied to CVE-2025-59718 and CVE-2025-59719.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data Leak
H score93
First: 22.06.2026 11:30
Last: 22.06.2026 11:30
Sources 1
About this happening:
The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data LeakAbout this happening: The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
Timeline
-
28.01.2026 10:05 1 articles · 5mo ago
Fortinet issues emergency patches for exploited FortiCloud SSO bypass
Mitigation Patch UpdateFortinet rolled out emergency patches for FortiOS, FortiManager, and FortiAnalyzer after confirming active exploitation of CVE-2026-24858, a FortiCloud SSO authentication bypass affecting FortiGate devices with FortiCloud SSO enabled. Fortinet said it blocked the malicious FortiCloud accounts used in the zero-day attacks, briefly disabled FortiCloud SSO on the FortiCloud side between January 26 and 27, and CISA added CVE-2026-24858 to its KEV catalog.
Show sources
- Fortinet Patches Exploited FortiCloud SSO Authentication Bypass — www.securityweek.com — 28.01.2026 10:05
-
22.01.2026 07:55 3 articles · 5mo ago
Automated FortiGate FortiCloud SSO abuse begins
Exploitation ObservedAutomated malicious activity against Fortinet FortiGate devices begins on January 15, 2026, with FortiCloud SSO logins against [email protected] from four IP addresses, export of firewall configuration files, creation of secondary accounts such as secadmin, itadmin, support, backup, remoteadmin, and audit, and VPN access changes intended to preserve access.
Show sources
- Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations — thehackernews.com — 22.01.2026 07:55
- Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations — thehackernews.com — 22.01.2026 07:55
- Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls — thehackernews.com — 23.01.2026 14:30
-
22.01.2026 07:55 1 articles · 5mo ago
Arctic Wolf discloses FortiGate FortiCloud SSO abuse cluster
Initial DisclosureArctic Wolf warns of a new automated malicious activity cluster against Fortinet FortiGate devices, describing unauthorized firewall configuration changes, persistence accounts, VPN access grants, and firewall configuration exfiltration, and advising administrators to disable admin-forticloud-sso-login.
Show sources
- Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations — thehackernews.com — 22.01.2026 07:55