
Automated Malicious Campaign Targets Fortinet FortiGate Devices via Unauthorized Firewall Configurations
Arctic Wolf has reported a new wave of automated malicious activity targeting Fortinet FortiGate devices, involving unauthorized modifications to firewall configurations. This activity began on January 15, 2026, and shares similarities with a December 2025 campaign in which malicious SSO connections on FortiGate appliances were recorded against the admin account. Attackers are exploiting FortiCloud SSO to alter firewall configurations.