FortiGate FortiCloud SSO abuse wave
Exploitation Wave
Summary
Fortinet FortiGate devices are facing a new automated exploitation wave that uses FortiCloud SSO abuse to make unauthorized firewall configuration changes and establish persistent access. The activity began on January 15, 2026 and involved multiple source IPs abusing the [email protected] account. Attackers also created secondary accounts and granted VPN access, raising the risk of deeper network intrusion. The pattern is similar to a December 2025 campaign tied to CVE-2025-59718 and CVE-2025-59719.
Related Happenings
Fortinet security patch release for CVE-2026-44277
Security Patch Release
First: 12.05.2026 21:23
Last: 12.05.2026 21:23
Sources 1
About this happening:
Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Target Trend
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
Fortinet FortiClient EMS SQL injection flaw actively exploited (CVE-2026-21643)
Vulnerability
First: 30.03.2026 10:48
Last: 30.03.2026 10:48
Sources 1
About this happening:
Active exploitation of **CVE-2026-21643** is putting **Fortinet FortiClient EMS** deployments at risk of **unauthenticated arbitrary code or command execution** on unpatched syste...
FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
Campaign
First: 10.03.2026 18:21
Last: 10.03.2026 18:21
Sources 1
About this happening:
A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...
CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation
Security Tool/Service
First: 03.03.2026 02:06
Last: 03.03.2026 02:06
Sources 1
About this happening:
**CyberStrikeAI** was observed on **attacker infrastructure** supporting a live **Fortinet FortiGate** attack campaign, showing the platform can be repurposed for offensive automa...
Timeline
- 28.01.2026 10:05 · 1 article · 3mo ago
Fortinet issues emergency patches for exploited FortiCloud SSO bypass
Mitigation Patch Update: Fortinet rolled out emergency patches for FortiOS, FortiManager, and FortiAnalyzer after confirming active exploitation of CVE-2026-24858, a FortiCloud SSO authentication bypass affecting FortiGate devices with FortiCloud SSO enabled. Fortinet said it blocked the malicious FortiCloud accounts used in the zero-day attacks and briefly disabled FortiCloud SSO on the FortiCloud side between January 26 and 27; CISA added CVE-2026-24858 to its KEV catalog.
Sources:
- Fortinet Patches Exploited FortiCloud SSO Authentication Bypass — www.securityweek.com — 28.01.2026 10:05
- 22.01.2026 07:55 · 3 articles · 4mo ago
Automated FortiGate FortiCloud SSO abuse begins
Exploitation Observed: Automated malicious activity against Fortinet FortiGate devices begins on January 15, 2026, with FortiCloud SSO logins against [email protected] from four IP addresses, export of firewall configuration files, creation of secondary accounts such as secadmin, itadmin, support, backup, remoteadmin, and audit, and VPN access changes intended to preserve access.
Sources:
- Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations — thehackernews.com — 22.01.2026 07:55
- Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls — thehackernews.com — 23.01.2026 14:30
- 22.01.2026 07:55 · 1 article · 4mo ago
Arctic Wolf discloses FortiGate FortiCloud SSO abuse cluster
Initial Disclosure: Arctic Wolf warns of a new automated malicious activity cluster against Fortinet FortiGate devices, describing unauthorized firewall configuration changes, persistence accounts, VPN access grants, and firewall configuration exfiltration, and advising administrators to disable admin-forticloud-sso-login.
Sources:
- Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations — thehackernews.com — 22.01.2026 07:55
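The timeline describes a recognisable sequence on the firewall itself: FortiCloud SSO logins to one cloud-linked admin account from several source IPs, a configuration export, creation of extra admin accounts with names like secadmin or itadmin, and VPN access edits. The following script, added here as an illustration and not code from the page, from Fortinet, or from Arctic Wolf, runs those checks over a handful of constructed FortiOS-style key=value event log lines. The log shape, the field names (`method`, `cfgpath`, `cfgobj`, `action`), and the account placeholder `sso_admin@example.invalid` are assumptions for the example; the suspicious account names are the ones the timeline reports.

```python
"""Triage FortiGate-style event logs for the FortiCloud SSO abuse pattern.

Added example, not vendor or page code. The key=value log lines below are
constructed and only approximate FortiOS event logs; field names such as
`method`, `cfgpath` and `cfgobj` are assumptions for this illustration.
"""
import re
from collections import defaultdict

# Persistence account names reported in the timeline.
SUSPICIOUS_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# Constructed sample telemetry (placeholder account, documentation IP ranges).
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:44 type="event" subtype="system" action="login" status="success" '
    'user="sso_admin@example.invalid" method="forticloud-sso" srcip="198.51.100.23" msg="Administrator logged in via FortiCloud SSO"',
    'date=2026-01-15 time=03:14:02 type="event" subtype="system" action="login" status="success" '
    'user="sso_admin@example.invalid" method="forticloud-sso" srcip="203.0.113.77" msg="Administrator logged in via FortiCloud SSO"',
    'date=2026-01-15 time=03:15:10 type="event" subtype="system" action="backup" status="success" '
    'user="sso_admin@example.invalid" srcip="198.51.100.23" msg="Configuration backup downloaded"',
    'date=2026-01-15 time=03:16:31 type="event" subtype="system" action="Add" cfgpath="system.admin" '
    'cfgobj="secadmin" user="sso_admin@example.invalid" srcip="198.51.100.23" msg="Add system.admin secadmin"',
    'date=2026-01-15 time=03:17:05 type="event" subtype="system" action="Edit" cfgpath="user.group" '
    'cfgobj="sslvpn_users" cfgattr="member[]" user="sso_admin@example.invalid" srcip="198.51.100.23" msg="Edit user.group sslvpn_users"',
    # Benign background activity from a local administrator.
    'date=2026-01-15 time=08:01:12 type="event" subtype="system" action="login" status="success" '
    'user="admin" method="local" srcip="10.0.0.5" msg="Administrator logged in"',
    'date=2026-01-15 time=08:05:40 type="event" subtype="system" action="Edit" cfgpath="firewall.address" '
    'cfgobj="web-server" user="admin" srcip="10.0.0.5" msg="Edit firewall.address web-server"',
]

# key=value pairs, with values either "quoted" or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted values unquoted)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def load_events(lines):
    return [parse_line(line) for line in lines]


def forticloud_sso_logins(events):
    """(user, srcip) for every successful login whose method is FortiCloud SSO."""
    return [(e.get("user"), e.get("srcip")) for e in events
            if e.get("action") == "login" and e.get("status") == "success"
            and e.get("method") == "forticloud-sso"]


def sso_source_ips(events):
    """Map each SSO-authenticated admin to the set of source IPs seen.
    Several distinct IPs on one cloud-linked account is the fan-out the timeline describes."""
    by_user = defaultdict(set)
    for user, ip in forticloud_sso_logins(events):
        by_user[user].add(ip)
    return dict(by_user)


def new_admin_accounts(events):
    """All admin accounts added on the device, and the subset matching reported persistence names."""
    created = [e.get("cfgobj") for e in events
               if e.get("action") == "Add" and e.get("cfgpath") == "system.admin"]
    return created, [name for name in created if name in SUSPICIOUS_ACCOUNTS]


def vpn_access_changes(events):
    """Config edits touching VPN objects or user groups (the 'VPN access changes' in the timeline)."""
    return [(e.get("cfgpath"), e.get("cfgobj")) for e in events
            if e.get("action") in {"Add", "Edit"}
            and (e.get("cfgpath", "").startswith("vpn.") or e.get("cfgpath") == "user.group")]


def config_exports(events):
    """Configuration backups pulled off the box (the reported firewall config exfiltration)."""
    return [(e.get("user"), e.get("srcip")) for e in events if e.get("action") == "backup"]


def triage(lines):
    """Run every check and return one findings dict for a batch of log lines."""
    events = load_events(lines)
    created, suspicious = new_admin_accounts(events)
    return {
        "sso_source_ips": sso_source_ips(events),
        "config_exports": config_exports(events),
        "admin_accounts_created": created,
        "suspicious_admin_accounts": suspicious,
        "vpn_access_changes": vpn_access_changes(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports one SSO account seen from two source IPs, one configuration export, the creation of `secadmin`, and an edit to the `sslvpn_users` group, while the local `admin` activity produces no findings. Against real FortiGate logs the field names must be mapped to the device's actual event schema before the checks mean anything; the mitigation the timeline cites (disabling `admin-forticloud-sso-login`) closes the login path the first check watches for.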