Fortinet on Thursday confirmed that current assaults are bypassing FortiCloud single sign-on (SSO) login authentication on gadgets totally patched in opposition to current vulnerabilities.
Leveraging automation, hackers are making configuration modifications to FortiGate firewalls so as to add new person accounts, allow VPN entry, and exfiltrate machine configuration recordsdata, Arctic Wolf warned this week.
The cybersecurity firm identified that the recent marketing campaign resembles December 2025 assaults concentrating on CVE-2025-59718 and CVE-2025-59719, two critical-severity defects impacting the FortiCloud SSO login characteristic of FortiOS, FortiWeb, FortiProxy, and FortiSwitch Supervisor gadgets.
Fortinet launched fixes for the 2 flaws in early December, warning that crafted SAML response messages may very well be used to bypass authentication on situations which have the FortiCloud SSO login characteristic enabled.
On Thursday, Fortinet confirmed earlier fears that the assaults had been profitable even in opposition to gadgets that had been patched in opposition to CVE-2025-59718 and CVE-2025-59719.
“We’ve recognized numerous circumstances the place the exploit was to a tool that had been totally upgraded to the most recent launch on the time of the assault, which steered a brand new assault path,” Fortinet mentioned.Commercial. Scroll to proceed studying.
“It is very important be aware that whereas, right now, solely exploitation of FortiCloud SSO has been noticed, this difficulty is relevant to all SAML SSO implementations,” it added.
Fortinet says it’s engaged on a repair, however couldn’t share particulars on its availability.
The corporate has shared indicators of compromise (IOCs) to assist prospects hunt for malicious exercise on their gadgets.
Organizations are suggested to dam administrative entry to edge gadgets from the web and limit it to native IP addresses.
“As an extra workaround we advocate disabling the FortiCloud SSO characteristic. This may forestall abuse by way of that methodology however not a third-party SSO system, so that is beneficial solely along side the local-in coverage,” Fortinet notes.
Associated: Organizations Warned of Exploited Zimbra Collaboration Vulnerability
Associated: Recent SmarterMail Flaw Exploited for Admin Entry
Associated: In Different Information: FortiSIEM Flaw Exploited, Sean Plankey Renominated, Russia’s Polish Grid Assault
Associated: Cisco Patches Vulnerability Exploited by Chinese language Hackers
