
Fortinet Confirms FortiCloud SSO Exploitation Against Patched Devices

Similar to recent FortiCloud single sign-on (SSO) login vulnerabilities, the attacks bypass authentication.


Fortinet on Thursday confirmed that recent attacks are bypassing FortiCloud single sign-on (SSO) login authentication on devices fully patched against recent vulnerabilities.

Leveraging automation, hackers are making configuration changes to FortiGate firewalls to add new user accounts, enable VPN access, and exfiltrate device configuration files, Arctic Wolf warned this week.

The cybersecurity company pointed out that the fresh campaign resembles December 2025 attacks targeting CVE-2025-59718 and CVE-2025-59719, two critical-severity defects impacting the FortiCloud SSO login feature of FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices.

Fortinet released fixes for the two flaws in early December, warning that crafted SAML response messages could be used to bypass authentication on instances that have the FortiCloud SSO login feature enabled.

On Thursday, Fortinet confirmed earlier suspicions that the attacks succeed even against devices already patched for CVE-2025-59718 and CVE-2025-59719.

“We have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” Fortinet said.


“It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations,” it added.

Fortinet says it is working on a fix, but could not share details on its availability.

The company has shared indicators of compromise (IOCs) to help customers hunt for malicious activity on their devices.

Fortinet advises organizations to block administrative access to edge devices from the internet and, via a local-in policy, to restrict it to trusted local IP addresses.

“As an additional workaround we recommend disabling the FortiCloud SSO feature. This will prevent abuse via that method but not a third-party SSO system, so this is recommended only in conjunction with the local-in policy,” Fortinet notes.
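The two workarounds above, as a FortiOS CLI configuration fragment. This is an added example and not Fortinet's published advisory text; the interface name `wan1`, the management subnet `10.0.0.0/24`, the address object name `MGMT_NET` and the policy IDs are assumptions chosen for illustration and must be adapted to the device.

```fortios
# Address object for the only network allowed to reach the management plane.
# ASSUMPTION: 10.0.0.0/24 is the trusted admin subnet; adjust to your environment.
config firewall address
    edit "MGMT_NET"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Local-in policies are evaluated top-down against traffic destined to the
# FortiGate itself (not traffic passing through it). Rule 1 permits HTTPS/SSH
# management from MGMT_NET on the WAN interface; rule 2 denies the same
# services from everywhere else, so internet-facing admin access is closed.
# ASSUMPTION: "wan1" is the internet-facing interface.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_NET"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end

# Second workaround from the advisory: turn off the FortiCloud SSO login
# button entirely. As Fortinet notes, this does not cover a third-party SAML
# SSO integration, so it is only meaningful together with the local-in policy.
config system global
    set admin-forticloud-sso-login disable
end
```

Apply the local-in policy before disabling SSO and verify from an address outside `MGMT_NET` that the management ports no longer answer; note that the deny rule only covers the services listed, so any other exposed administrative service (for example a custom admin port) needs its own entry.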


Written by Ionut Arghire, international correspondent for SecurityWeek.
