Fortinet Warns of Active FortiCloud SSO Bypass Impacting Patched Devices

  • Jan 23
  • 1 min read

Key Findings


  • Fortinet confirmed that attacks are bypassing FortiCloud SSO authentication and succeeding even against fully patched devices, in a manner similar to the recently disclosed SSO flaws.

  • Threat actors automate firewall changes, add users, enable VPNs, and steal configs in campaigns resembling the December 2025 exploitation of critical FortiCloud SSO flaws.

  • Arctic Wolf researchers reported a new automated attack cluster observed since January 15, 2026, targeting FortiGate devices.

  • Attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations.

  • The activity resembles a December 2025 campaign involving admin SSO logins and config theft.


Background


In December 2025, Fortinet disclosed two critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, both improper verification of cryptographic signature issues. Threat actors started exploiting the two critical flaws in Fortinet products within days of the patch release, Arctic Wolf warned.


Ongoing Attacks


  • Arctic Wolf researchers observed that attackers began exploiting the critical Fortinet authentication bypass flaws on December 12, just three days after patches were issued.

  • The attacks involved malicious SSO logins on FortiGate devices, mainly targeting admin accounts from multiple hosting providers.

  • After gaining access, the attackers exported device configurations via the GUI, which include hashed credentials that can be cracked offline.


Recent Developments


  • This week, Fortinet confirmed that attacks succeeded even against devices patched for CVE-2025-59718 and CVE-2025-59719.

  • The company identified a new attack path after observing login exploits on fully updated devices.

  • Fortinet is developing a fix; in the meantime, it released IOCs to aid threat hunting.

  • Customers are urged to restrict admin access, limit it to local IPs, and temporarily disable FortiCloud SSO as a workaround.
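As an added example (not from the article, Fortinet or Arctic Wolf), a small Python hunt over constructed FortiGate-style event lines that flags the chain described above: an SSO admin login followed, from the same source IP, by an admin account being added, a VPN setting change and a configuration export. Field names follow FortiGate's key=value log syntax; the specific values shown for an SSO login (ui="sso(...)") and a backup event (action="backup") are assumptions to check against your own logs.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate-style key=value event lines (sample data, not real logs).
# The ui="sso(...)" and action="backup" values are assumptions about how these
# events appear; verify them against logs from your own devices.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:07 logdesc="Admin login successful" user="admin" ui="sso(203.0.113.10)" srcip=203.0.113.10 action="login" status="success"
date=2026-01-15 time=03:12:40 logdesc="Object attribute configured" user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="Add" cfgpath="system.admin" cfgobj="support"
date=2026-01-15 time=03:13:05 logdesc="Object attribute configured" user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="Edit" cfgpath="vpn.ssl.settings" cfgobj="status"
date=2026-01-15 time=03:14:20 logdesc="Config backup" user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="backup" status="success"
date=2026-01-15 time=09:00:01 logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"
date=2026-01-15 time=09:02:11 logdesc="Object attribute configured" user="netops" ui="https(10.0.0.5)" srcip=10.0.0.5 action="Edit" cfgpath="firewall.policy" cfgobj="12"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev

def stage(ev):
    """Map a follow-on event to the campaign stage it matches, or None."""
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        return "admin_added"          # persistence: a new local admin account
    if ev.get("cfgpath", "").startswith("vpn."):
        return "vpn_changed"          # VPN access enabled or altered
    if ev.get("action") == "backup":
        return "config_exported"      # config (with hashed creds) left the box
    return None

def hunt(log_text, window_minutes=30):
    """Flag SSO admin logins that are followed, from the same source IP and
    within the window, by any of the three follow-on stages."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for login in events:
        if login.get("action") != "login" or not login.get("ui", "").startswith("sso"):
            continue
        deadline = login["ts"] + timedelta(minutes=window_minutes)
        stages = []
        for ev in events:
            if ev["srcip"] == login["srcip"] and login["ts"] < ev["ts"] <= deadline:
                s = stage(ev)
                if s and s not in stages:
                    stages.append(s)
        if stages:
            findings.append({"srcip": login["srcip"], "user": login["user"],
                             "login_time": login["ts"].isoformat(), "stages": stages})
    return findings
```

Run `hunt()` over exported event logs; a hit with all three stages from one external IP is the full pattern the article describes, while the local netops session in the sample is left alone.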


Sources


  • https://securityaffairs.com/187250/security/fortinet-warns-of-active-forticloud-sso-bypass-affecting-updated-devices.html

  • https://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html

© 2025 by Explain IT Again. Powered and secured by Wix
