Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

Posted on January 23, 2026 by CWS

Ravie Lakshmanan | Jan 23, 2026 | Network Security / Vulnerability
Fortinet has officially confirmed that it is working to fully plug a FortiCloud SSO authentication bypass vulnerability following reports of recent exploitation activity on fully-patched firewalls.

“Within the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” Fortinet Chief Information Security Officer (CISO) Carl Windsor said in a Thursday post.

The activity essentially amounts to a bypass for patches put in place by the network security vendor to address CVE-2025-59718 and CVE-2025-59719, which could allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. The issues were originally addressed by Fortinet last month.

However, earlier this week, reports emerged of renewed activity in which malicious SSO logins on FortiGate appliances were recorded against the admin account on devices that had been patched against the twin vulnerabilities. The activity is similar to incidents observed in December, shortly after the disclosure of CVE-2025-59718 and CVE-2025-59719.

The activity involves the creation of generic accounts for persistence, making configuration changes granting VPN access to those accounts, and the exfiltration of firewall configurations to different IP addresses. The threat actor has been observed logging in with accounts named “[email protected]” and “[email protected].”

As mitigations, the company is urging the following actions:

  • Restrict administrative access of edge network devices via the internet by applying a local-in policy
  • Disable FortiCloud SSO logins by disabling “admin-forticloud-sso-login”
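
A defender-side check for the activity and mitigation described above, as an added example (not code from Fortinet or from this article): it reads a FortiOS configuration backup and reports whether `admin-forticloud-sso-login` is still enabled and whether any administrator account is missing from an allowlist. The sample config, the account name `helpdesk-tmp` and the function names are constructed for illustration; it assumes the backup uses the usual `config` / `edit` / `next` / `end` layout and that a setting left at its default may be absent from the file.

```python
import re

# Constructed FortiOS-style backup excerpt (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
            next
        end
    next
    edit "helpdesk-tmp"
        set accprofile "super_admin"
    next
end
"""

def parse_sections(text):
    """Map each top-level 'config X' block to its (depth, line) entries."""
    sections, name, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # only top-level blocks open a new section
                name = line[len("config "):]
                sections[name] = []
        elif line == "end":
            depth -= 1
        elif depth >= 1:
            sections[name].append((depth, line))
    return sections

def audit(text, expected_admins):
    """Report the SSO admin-login setting and admin accounts not on the allowlist."""
    sections, findings = parse_sections(text), []
    sso = [l.split()[-1] for d, l in sections.get("system global", [])
           if d == 1 and l.startswith("set admin-forticloud-sso-login ")]
    if not sso:
        findings.append("admin-forticloud-sso-login not in backup: verify on device")
    elif sso[-1] != "disable":
        findings.append(f"admin-forticloud-sso-login set to {sso[-1]}")
    for d, l in sections.get("system admin", []):
        m = re.fullmatch(r'edit "([^"]+)"', l)
        if d == 1 and m and m.group(1) not in expected_admins:
            findings.append("unexpected admin account: " + m.group(1))
    return findings
```

Calling `audit(SAMPLE_CONFIG, {"admin"})` flags both the enabled SSO setting and the unlisted account; comparing successive backups the same way shows when an account first appeared.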

“It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations,” Fortinet said.
