Fortinet Confirms FortiCloud SSO Exploitation Against Patched Devices

Fortinet Confirms FortiCloud SSO Exploitation Against Patched Devices

Posted on By CWS

Fortinet on Thursday confirmed that current assaults are bypassing FortiCloud single sign-on (SSO) login authentication on gadgets totally patched in opposition to current vulnerabilities.

Leveraging automation, hackers are making configuration modifications to FortiGate firewalls so as to add new person accounts, allow VPN entry, and exfiltrate machine configuration recordsdata, Arctic Wolf warned this week.

The cybersecurity firm identified that the recent marketing campaign resembles December 2025 assaults concentrating on CVE-2025-59718 and CVE-2025-59719, two critical-severity defects impacting the FortiCloud SSO login characteristic of FortiOS, FortiWeb, FortiProxy, and FortiSwitch Supervisor gadgets.

Fortinet launched fixes for the 2 flaws in early December, warning that crafted SAML response messages may very well be used to bypass authentication on situations which have the FortiCloud SSO login characteristic enabled.

On Thursday, Fortinet confirmed earlier fears that the assaults had been profitable even in opposition to gadgets that had been patched in opposition to CVE-2025-59718 and CVE-2025-59719.

“We’ve recognized numerous circumstances the place the exploit was to a tool that had been totally upgraded to the most recent launch on the time of the assault, which steered a brand new assault path,” Fortinet mentioned.Commercial. Scroll to proceed studying.

“It is very important be aware that whereas, right now, solely exploitation of FortiCloud SSO has been noticed, this difficulty is relevant to all SAML SSO implementations,” it added.

Fortinet says it’s engaged on a repair, however couldn’t share particulars on its availability.

The corporate has shared indicators of compromise (IOCs) to assist prospects hunt for malicious exercise on their gadgets.

Organizations are suggested to dam administrative entry to edge gadgets from the web and limit it to native IP addresses.

“As an extra workaround we advocate disabling the FortiCloud SSO characteristic. This may forestall abuse by way of that methodology however not a third-party SSO system, so that is beneficial solely along side the local-in coverage,” Fortinet notes.

Associated: Organizations Warned of Exploited Zimbra Collaboration Vulnerability

Associated: Recent SmarterMail Flaw Exploited for Admin Entry

Associated: In Different Information: FortiSIEM Flaw Exploited, Sean Plankey Renominated, Russia’s Polish Grid Assault

Associated: Cisco Patches Vulnerability Exploited by Chinese language Hackers

Security Week News Tags:, , , , , ,

Related Posts

Exploited Rockwell Vulnerability in ICS Revealed Exploited Rockwell Vulnerability in ICS Revealed Security Week News
India Rolls Back Order to Preinstall Cybersecurity App on Smartphones India Rolls Back Order to Preinstall Cybersecurity App on Smartphones Security Week News
Cyber Insights 2026: Offensive Security; Where It is and Where Its Going Cyber Insights 2026: Offensive Security; Where It is and Where Its Going Security Week News
Former US Soldier Who Hacked AT&T and Verizon Pleads Guilty Former US Soldier Who Hacked AT&T and Verizon Pleads Guilty Security Week News
Vibe Coding Tested: AI Agents Nail SQLi but Fail Miserably on Security Controls Vibe Coding Tested: AI Agents Nail SQLi but Fail Miserably on Security Controls Security Week News
Oracle’s First 2026 CPU Delivers 337 New Security Patches Oracle’s First 2026 CPU Delivers 337 New Security Patches Security Week News