Active Exploitation of FortiGate Firewalls via FortiCloud SSO Patch Bypass (CVE-2025-59718)
Arctic Wolf has observed a new cluster of automated malicious activity targeting FortiGate firewalls: unauthorized FortiCloud SSO logins followed by rapid configuration changes and data exfiltration. Attackers leveraged SSO authentication bypass behavior consistent with CVE-2025-59718, creating generic administrator accounts for persistence, granting VPN access, and exporting full firewall configurations within seconds of initial access, a cadence that strongly indicates scripted exploitation. Malicious logins commonly originated from hosting-provider infrastructure, and the activity pattern closely matched a campaign Arctic Wolf documented in December 2025. While the initial access mechanics are still under investigation, the overlap in TTPs suggests continued exploitation, or a partial patch bypass, of previously disclosed Fortinet SSO vulnerabilities. The activity follows Fortinet’s early December 2025 disclosure of a critical SSO authentication bypass flaw affecting FortiOS and related products, which allows unauthenticated access via crafted SAML messages when FortiCloud SSO is enabled. Despite patches released in FortiOS 7.4.9 and later, Fortinet has reportedly confirmed that current versions, including 7.4.10, may not fully remediate the issue, with additional releases planned. Until full remediation is available, organizations should immediately disable FortiCloud SSO, audit SSO login activity and any configuration export or administrator change that follows a login within seconds, reset all potentially exposed firewall credentials, remove unauthorized accounts, and restrict management interface access to trusted internal networks only. Because a full configuration export can contain VPN pre-shared keys, local user credentials, and other embedded secrets, treat those as exposed as well and rotate them. This remains a developing situation, with Arctic Wolf maintaining active detections and further technical details expected as analysis continues.
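As an added example (not Arctic Wolf's detection content and not Fortinet code), the following script implements the audit point above: it parses FortiOS key=value event logs and raises an alert when an SSO administrator login is followed, within a short window and by the same user, by at least two of the described actions (administrator account added, VPN-related configuration changed, configuration backed up). The log lines are constructed, and the way an SSO login (ui="sso(...)"), a configuration backup (logdesc="Config backup") and the cfgpath values appear in real FortiGate events are assumptions that must be checked against your own logs before use.

```python
"""Correlate FortiOS event logs: an SSO admin login followed within seconds by
persistence or exfiltration actions. Added example with CONSTRUCTED log lines;
fields marked ASSUMED must be verified against real FortiGate events."""
import re
from datetime import datetime, timedelta

# FortiOS syslog is space-separated key=value; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ASSUMED: SSO logins carry ui="sso(<ip>)"; a config export carries
# logdesc="Config backup"; the cfgpath values mirror FortiOS CLI paths.
SAMPLE_LOG = """\
date=2026-01-20 time=09:14:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2026-01-20 time=09:14:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="system.global" cfgattr="hostname[fw-edge]" msg="Edit system.global"
date=2026-01-20 time=11:03:17 type="event" subtype="system" logdesc="Admin login successful" user="ops@example.com" ui="sso(203.0.113.45)" srcip=203.0.113.45 action="login" status="success" msg="Administrator ops@example.com logged in successfully from sso(203.0.113.45)"
date=2026-01-20 time=11:03:19 type="event" subtype="system" logdesc="Object attribute configured" user="ops@example.com" ui="sso(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
date=2026-01-20 time=11:03:21 type="event" subtype="system" logdesc="Object attribute configured" user="ops@example.com" ui="sso(203.0.113.45)" action="Edit" cfgpath="vpn.ssl.settings" cfgattr="source-interface[port1]" msg="Edit vpn.ssl.settings"
date=2026-01-20 time=11:03:24 type="event" subtype="system" logdesc="Config backup" user="ops@example.com" ui="sso(203.0.113.45)" action="backup" msg="Configuration backed up"
date=2026-01-20 time=15:20:00 type="event" subtype="system" logdesc="Admin login successful" user="ops@example.com" ui="sso(198.51.100.7)" srcip=198.51.100.7 action="login" status="success" msg="Administrator ops@example.com logged in successfully from sso(198.51.100.7)"
date=2026-01-20 time=15:24:31 type="event" subtype="system" logdesc="Object attribute configured" user="ops@example.com" ui="sso(198.51.100.7)" action="Edit" cfgpath="system.global" cfgattr="timezone[04]" msg="Edit system.global"
"""


def parse_line(line):
    """Turn one FortiOS log line into a dict; quoted and bare values both work."""
    rec = {k: q if q else u for k, q, u in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def is_sso_admin_login(rec):
    return (rec.get("action") == "login" and rec.get("status") == "success"
            and rec.get("ui", "").lower().startswith("sso"))   # ASSUMED marker


def classify_followup(rec):
    """Map a post-login event onto the TTPs in the advisory, or None."""
    cfgpath = rec.get("cfgpath", "")
    if cfgpath == "system.admin" and rec.get("action") == "Add":
        return "admin-account-created"
    if cfgpath.startswith("vpn.") or cfgpath.startswith("user."):   # VPN access granted
        return "vpn-access-changed"
    if "backup" in rec.get("logdesc", "").lower() or rec.get("action") == "backup":
        return "config-exported"
    return None


def correlate(lines, window_seconds=60, min_distinct=2):
    """Alert on each SSO login followed by >= min_distinct distinct TTPs in the window."""
    recs = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts = []
    for i, login in enumerate(recs):
        if not is_sso_admin_login(login):
            continue
        deadline = login["ts"] + timedelta(seconds=window_seconds)
        hits = []
        for ev in recs[i + 1:]:
            if ev["ts"] > deadline:
                break                         # events are sorted, nothing later qualifies
            if ev.get("user") != login.get("user"):
                continue
            tag = classify_followup(ev)
            if tag:
                hits.append((tag, int((ev["ts"] - login["ts"]).total_seconds())))
        if len({tag for tag, _ in hits}) >= min_distinct:
            alerts.append({"user": login.get("user"), "srcip": login.get("srcip"),
                           "login_at": login["ts"].isoformat(), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['login_at']} user={alert['user']} src={alert['srcip']}")
        for tag, secs in alert["hits"]:
            print(f"   +{secs:>3}s  {tag}")
```

Only the 11:03:17 session fires: three distinct actions land within seven seconds of the login, which is the scripted cadence the advisory describes. The 15:20:00 SSO session is benign under the same rule because its only change is a hostname-style edit minutes later, so tune window_seconds and min_distinct against a baseline of your own administrators' sessions rather than accepting the defaults.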
Global Spam Campaign Abuses Unsecured Zendesk Ticket Systems
A large-scale spam campaign emerged that abused unsecured Zendesk customer support portals to send mass volumes of unsolicited email to recipients worldwide. Threat actors exploited Zendesk configurations that allow unauthenticated users to submit support tickets on behalf of any requester address, which automatically triggered ticket-confirmation emails to the attacker-supplied addresses. By iterating through large email lists, attackers effectively turned these Zendesk instances into a spam relay. The resulting emails carried misleading and sometimes alarming subject lines impersonating legal notices, takedown orders, or official actions, and explicitly named the affected organizations and government entities, including Discord, CD Projekt, and U.S. state agencies such as the Tennessee Department of Labor and the Tennessee Department of Revenue. The use of trusted brand and agency names increased perceived legitimacy, while the fact that the messages were sent by Zendesk’s own mail infrastructure on behalf of real customer accounts meant that sender-reputation and authentication checks passed and traditional spam filtering was largely bypassed. Many emails also used Unicode characters and erratic formatting to further amplify confusion and urgency. Although the messages contained no malicious links or overt phishing content, their origin from legitimate corporate Zendesk systems significantly increased recipient alarm and operational disruption. Zendesk confirmed the abuse vector, referring to it as “relay spam,” and stated that new safeguards have been deployed, including enhanced monitoring and activity limits to detect anomalous behavior more rapidly. Zendesk also reiterated that organizations can reduce exposure by restricting ticket submission to verified users, enforcing email validation, and removing unrestricted ticket-subject and sender-address placeholders from notification templates, since those placeholders are what let an attacker choose the text a recipient sees. While the campaign appears primarily disruptive rather than financially motivated, it underscores the growing risk of abuse-of-functionality attacks against SaaS platforms that prioritize frictionless user interaction over verification controls.
Phishing Campaign Impersonates LastPass Vault Backup Notifications
LastPass identified a phishing campaign impersonating official maintenance notifications that urge users to back up their password vaults within a fabricated 24-hour window. The emails are designed to create urgency and appear to be legitimate LastPass communications, using subject lines that reference infrastructure updates, maintenance, and vault security. Messages were observed originating from non-LastPass domains, including support@lastpass[.]server8 and support@sr22vegas[.]com, and directed recipients to click a “Create Backup Now” button. Users who followed the link were redirected to a spoofed domain, mail-lastpass[.]com, where attackers likely attempted to harvest account credentials or master passwords under the guise of creating an encrypted vault backup. LastPass confirmed that it does not request users to back up vaults via email and emphasized that it will never ask for master passwords, identifying this activity as a social engineering attempt exploiting urgency and trust. The company noted that the campaign was deliberately launched during a U.S. holiday weekend, likely to reduce response and detection effectiveness. As mitigation, users are advised to avoid interacting with unsolicited LastPass-related emails, verify maintenance notifications directly through the official LastPass application or website, and report suspected phishing attempts to abuse@lastpass.com. This campaign continues a broader trend of targeted phishing against password manager users, reinforcing the need for heightened email scrutiny and phishing-resistant authentication controls.
Malicious PyPI Package Impersonates SymPy to Deploy In-Memory Cryptominer
Socket’s Threat Research Team identified a malicious Python Package Index (PyPI) package, sympy-dev, designed to impersonate the widely used SymPy symbolic mathematics library, which sees approximately 85 million downloads per month. Published on January 17, 2026, the package reused SymPy’s branding and description to appear legitimate and reached over 1,000 downloads within its first day, indicating rapid exposure of real developer and CI environments. The malicious releases (versions 1.2.3 through 1.2.6) embedded a covert loader in SymPy’s polynomial code paths, so that execution was triggered only when specific functions were invoked rather than at install or import time; this blends into legitimate workflows, evades casual inspection, and means that install-time sandboxing or import-only dynamic analysis can miss it entirely. Upon activation, the backdoored functions retrieve a remote configuration and download a threat actor-controlled Linux ELF payload, which they execute directly from memory via memfd_create and /proc/self/fd, leaving minimal on-disk artifacts. Dynamic analysis confirmed that the second-stage payloads are XMRig cryptominers communicating with attacker-controlled Stratum endpoints over TLS, but the loader is generic enough to deliver arbitrary malware with the privileges of the Python process. Organizations should mitigate exposure by pinning dependencies to exact versions and hashes, sourcing packages from vetted or internal repositories that do not resolve lookalike names, monitoring Python processes for anomalous outbound connections and memfd-backed child executables, and removing sympy-dev from any affected environment. Because the loader can run arbitrary code, any host on which the trojanized functions were invoked should be treated as compromised and its credentials rotated, not merely cleaned of the package.
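As an added example (not Socket's tooling and not part of the sympy-dev analysis), the script below implements the monitoring point above: it walks /proc and flags every process whose executable is memfd-backed, which is how the Linux kernel reports a binary that was executed from a memfd_create descriptor through /proc/self/fd. The scanner is exercised against a constructed fake procfs tree; when run as a script on Linux it additionally launches a benign /bin/sleep the same way and checks that the live scan catches it. The helper names (build_demo_procfs, spawn_memfd_child) and the fake process table are this example's own.

```python
"""Flag processes running from an anonymous memfd (fileless ELF execution).
Added example; the fake /proc tree and the spawn helper are this example's own."""
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def is_memfd_exe(exe_target: str) -> bool:
    # A binary launched via execve("/proc/self/fd/N") on a memfd_create() fd is
    # reported by the kernel as "/memfd:<name> (deleted)": no file on disk backs it.
    return exe_target.startswith("/memfd:")


def _read(path: str, default: str = "") -> str:
    try:
        return Path(path).read_text().strip()
    except OSError:
        return default


def _ppid(proc_dir: str):
    for line in _read(os.path.join(proc_dir, "status")).splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return None


def scan_procfs(proc_root: str = "/proc") -> list:
    """Return one record per memfd-backed process, sorted by pid."""
    hits = []
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        try:
            target = os.readlink(os.path.join(entry.path, "exe"))
        except OSError:                       # kernel thread, zombie, or no permission
            continue
        if is_memfd_exe(target):
            hits.append({"pid": int(entry.name), "exe": target,
                         "comm": _read(os.path.join(entry.path, "comm")),
                         "ppid": _ppid(entry.path)})
    return sorted(hits, key=lambda h: h["pid"])


def build_demo_procfs() -> str:
    """CONSTRUCTED fake /proc: a python process and a memfd-backed child of it."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def add(pid, exe, comm, ppid):
        d = Path(root, str(pid))
        d.mkdir()
        os.symlink(exe, d / "exe")            # mimic the /proc/<pid>/exe link
        (d / "comm").write_text(comm + "\n")
        (d / "status").write_text(f"Name:\t{comm}\nPPid:\t{ppid}\n")

    add(4201, "/usr/bin/python3.12", "python3", 1)
    add(4207, "/memfd:kthread (deleted)", "kthread", 4201)  # the attacker picks the name
    add(4300, "/usr/sbin/sshd", "sshd", 1)
    Path(root, "self").mkdir()                # non-numeric entries must be ignored
    return root


def spawn_memfd_child(binary="/bin/sleep", args=("sleep", "30")):
    """Linux-only: run a benign binary from a memfd, the same way the loader runs
    its ELF payload, so the scanner can be validated against a live process."""
    fd = os.memfd_create("demo")              # MFD_CLOEXEC by default
    with open(binary, "rb") as f:
        os.write(fd, f.read())
    return subprocess.Popen(list(args), executable=f"/proc/self/fd/{fd}",
                            pass_fds=(fd,))   # keep the fd open across the exec


if __name__ == "__main__":
    for hit in scan_procfs(build_demo_procfs()):
        print("fake procfs:", hit)
    if sys.platform == "linux" and hasattr(os, "memfd_create"):
        child = spawn_memfd_child()
        try:
            print("live /proc:", [h for h in scan_procfs() if h["pid"] == child.pid])
        finally:
            child.kill()
            child.wait()
```

The parent pid is recorded because the signal the advisory describes is a memfd-backed child of a Python process, not a memfd-backed process on its own; some legitimate runtimes and container tooling use memfd too, so alert on the parent's comm and cmdline together with the memfd name rather than on memfd execution alone. Running the scanner as an unprivileged user silently skips processes it cannot read, so schedule it with the privileges needed to inspect the CI or build accounts that would have imported the package.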