Surgical Silence: The New Fortinet Zero-Day That Hijacks Firewalls in Seconds
Cybersecurity specialists at Arctic Wolf have identified a nascent wave of incursions targeting Fortinet FortiGate firewalls. Adversaries are orchestrating a mass recalibration of device configurations to secure unauthorized access and establish systemic persistence within corporate infrastructures—a process executed with almost surgical, autonomous precision.
This campaign, which commenced on January 15, 2026, manifests as a comprehensively automated offensive. The incursion begins with attackers infiltrating systems via Single Sign-On (SSO) credentials, followed by the rapid creation of auxiliary technical accounts to ensure perpetual access. They subsequently modify settings to grant themselves entry into Virtual Private Networks (VPNs) and exfiltrate comprehensive firewall configurations. Arctic Wolf observes that these maneuvers are concluded within mere seconds, a velocity that unequivocally signals the deployment of sophisticated scripts and mechanical automation.
The current trajectory bears a striking resemblance to a phenomenon reported in December 2025, which likewise involved administrative entries via SSO followed by configuration tampering and data exfiltration from FortiGate hardware.
Fortinet previously issued an advisory regarding two critical vulnerabilities—CVE-2025-59718 and CVE-2025-59719—which facilitated the circumvention of authentication protocols through meticulously crafted SAML (Security Assertion Markup Language) assertions. When FortiCloud SSO was active, these flaws permitted adversaries to authenticate without a password, imperiling a diverse array of products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
It remains to be definitively established whether this latest surge is directly tethered to these specific vulnerabilities or whether existing patches sufficiently mitigate the threat. Arctic Wolf emphasizes that the precise vector for initial ingress has yet to be confirmed. During these raids, attackers utilize generic identifiers such as cloud-init@mail.io and forge new accounts with names like secadmin, itadmin, and remoteadmin. Upon securing a foothold, they harvest firewall configuration files and adjust secondary access parameters.
Experts warn that even if passwords within these configurations are hashed, they remain susceptible to offline brute-force attempts, particularly in the presence of weak entropy. Consequently, upon any suspicion of compromise, it is imperative to rotate administrative and service account credentials immediately.
As an interim defensive measure, organizations should consider deactivating FortiCloud SSO pending further clarification or remedial updates from Fortinet. Furthermore, it is strongly advised to restrict access to management interfaces exclusively to trusted internal networks, as these endpoints represent the primary targets for mass-scale automated incursions.
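The sequence Arctic Wolf describes (SSO admin login, new admin account, VPN settings change, configuration export, all within seconds) is itself a detectable pattern. The script below is an added example, not code from Arctic Wolf or Fortinet: it parses constructed FortiOS-style key=value event lines (the field names are assumptions approximating that format) and alerts on any admin session that adds a system.admin account and exports the configuration inside a short window, flagging the account names reported in the campaign.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in FortiOS-style key=value layout. Field names are
# an assumption approximating that format, not lines from any real device.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:07 type="event" user="cloud-init@mail.io" srcip=198.51.100.23 action="login" method="sso" msg="Administrator login succeeded"
date=2026-01-15 time=03:12:09 type="event" user="cloud-init@mail.io" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"
date=2026-01-15 time=03:12:11 type="event" user="cloud-init@mail.io" srcip=198.51.100.23 action="Edit" cfgpath="vpn.ssl.settings" msg="Edit vpn.ssl.settings"
date=2026-01-15 time=03:12:13 type="event" user="cloud-init@mail.io" srcip=198.51.100.23 action="backup" msg="Configuration backup downloaded"
date=2026-01-15 time=09:41:30 type="event" user="jsmith" srcip=10.0.5.17 action="login" method="gui" msg="Administrator login succeeded"
date=2026-01-15 time=10:02:55 type="event" user="jsmith" srcip=10.0.5.17 action="Add" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUSPICIOUS_NAMES = {"secadmin", "itadmin", "remoteadmin"}  # names reported by Arctic Wolf
WINDOW = timedelta(seconds=60)  # the reported campaign completes in seconds


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ev["ts"] = datetime.fromisoformat(ev["date"] + " " + ev["time"])
    return ev


def detect(log_text, window=WINDOW):
    """Alert when one admin session logs in, adds a system.admin account and
    downloads the configuration inside `window`; the burst itself is the signal."""
    sessions = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            sessions.setdefault((ev["user"], ev["srcip"]), []).append(ev)
    alerts = []
    for (user, srcip), events in sessions.items():
        for login in (e for e in events if e.get("action") == "login"):
            burst = [e for e in events if login["ts"] <= e["ts"] <= login["ts"] + window]
            new_admins = [e["cfgobj"] for e in burst
                          if e.get("action") == "Add" and e.get("cfgpath") == "system.admin"]
            exported = any(e.get("action") == "backup" for e in burst)
            if new_admins and exported:
                alerts.append({
                    "user": user, "srcip": srcip, "method": login.get("method"),
                    "new_admins": new_admins,
                    "known_names": sorted(SUSPICIOUS_NAMES & set(new_admins)),
                    "vpn_changed": any(e.get("cfgpath", "").startswith("vpn.") for e in burst),
                    "seconds": int((max(e["ts"] for e in burst) - login["ts"]).total_seconds()),
                })
    return alerts
```

The second session (a GUI login followed by an account creation twenty minutes later and no export) produces no alert, which is the point: the timing and the combination of steps, not any single event, separate the automated campaign from routine administration.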