Security Articles

Malicious Configuration Changes Observed On Fortinet FortiGate Devices via SSO Accounts

Released on 2026-01-22 at 12:39:37 AM
A new cluster of automated malicious activity involving unauthorized configuration changes on Fortinet FortiGate firewalls has been observed. The activity includes the creation of generically named administrator accounts for persistence, configuration changes that grant VPN access, and exfiltration of the firewall configuration. The campaign resembles one described in December 2025 that also involved SSO login activity for administrator accounts. The initial access vector has not been fully confirmed, but it may be related to the previously disclosed SSO vulnerabilities CVE-2025-59718 and CVE-2025-59719. The observed sequence is an SSO login from a small set of hosting providers, followed by an export of the firewall configuration and the creation of a secondary administrator account for persistence. The whole chain completes within seconds, which points to automated tooling rather than an interactive operator. The practical detection point is therefore the timing: a successful SSO administrator login from an unexpected source, followed within seconds by a configuration backup and an admin-account addition from the same session, is the signature to hunt for in FortiGate event logs.
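The following is an added example, not code from the article or from Fortinet: a small correlation rule that hunts for the chain described above (SSO admin login, then configuration export and admin-account creation from the same user and source IP within a short window). The log lines are constructed in FortiGate-style key=value syntax, and the field names and `logdesc`/`action`/`cfgpath` values used to classify events are assumptions for illustration; map them to the fields your devices actually emit before using this.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (FortiGate-style key=value syntax). Field names
# and values such as action="backup" or cfgpath="system.admin" are ASSUMED for
# this example, not copied from a real device.
SAMPLE_LOGS = """\
date=2026-01-20 time=03:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="sso" srcip=203.0.113.10 action="login" status="success"
date=2026-01-20 time=03:12:04 type="event" subtype="system" logdesc="Configuration backed up" user="admin" ui="sso" srcip=203.0.113.10 action="backup" status="success"
date=2026-01-20 time=03:12:07 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="sso" srcip=203.0.113.10 action="Add" cfgpath="system.admin" cfgobj="support1"
date=2026-01-20 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" user="jsmith" ui="ssh" srcip=10.0.0.5 action="login" status="success"
date=2026-01-20 time=09:45:00 type="event" subtype="system" logdesc="Configuration backed up" user="jsmith" ui="ssh" srcip=10.0.0.5 action="backup" status="success"
"""

# key=value pairs; values are either a quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Parse one key=value log line into a dict and attach a datetime under 'ts'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def classify(rec):
    """Map a record to the step of the chain it represents (assumed field values)."""
    if rec.get("action") == "login" and rec.get("status") == "success" and rec.get("ui") == "sso":
        return "sso_admin_login"
    if rec.get("action") == "backup" and rec.get("status") == "success":
        return "config_backup"
    if rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin":
        return "admin_account_created"
    return None


def find_automated_sso_chains(lines, window=timedelta(seconds=60)):
    """Return one alert per SSO admin login that is followed, within `window`,
    by a config backup and/or admin-account creation from the same user+srcip."""
    recs = sorted((parse_fortigate_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts = []
    for i, rec in enumerate(recs):
        if classify(rec) != "sso_admin_login":
            continue
        followups, last_ts = [], rec["ts"]
        for later in recs[i + 1:]:
            if later["ts"] - rec["ts"] > window:
                break  # records are sorted, nothing later can be inside the window
            if (later.get("user"), later.get("srcip")) != (rec.get("user"), rec.get("srcip")):
                continue  # only correlate activity from the same session origin
            step = classify(later)
            if step in ("config_backup", "admin_account_created"):
                followups.append(step)
                last_ts = later["ts"]
        if followups:
            alerts.append({
                "user": rec["user"],
                "srcip": rec["srcip"],
                "login_ts": rec["ts"],
                "followups": followups,
                "span_seconds": int((last_ts - rec["ts"]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in find_automated_sso_chains(SAMPLE_LOGS.splitlines()):
        print(f"ALERT user={a['user']} srcip={a['srcip']} login={a['login_ts']} "
              f"steps={a['followups']} within {a['span_seconds']}s")
```

Only the SSO session from 203.0.113.10 is flagged: the login, backup and account creation are six seconds apart, matching the "within seconds" pattern. The SSH session from 10.0.0.5 is ignored because it is not an SSO login and its backup comes 45 minutes later. In production, add an allow-list for expected SSO source ranges and raise severity when the source IP belongs to a hosting provider rather than your corporate identity provider's egress.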