
Fortinet Warns of Active FortiCloud SSO Bypass Impacting Patched Devices

  • Jan 23

Key Findings


  • Fortinet confirmed that attacks are bypassing FortiCloud SSO authentication, affecting even fully patched devices, in a manner similar to the recent SSO flaws.

  • Threat actors automate firewall changes, add users, enable VPNs, and steal configs, in campaigns resembling December 2025 exploits of critical FortiCloud SSO flaws.

  • Arctic Wolf researchers reported a new automated attack cluster observed since January 15, 2026, targeting FortiGate devices.

  • Attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations.

  • The activity resembles a December 2025 campaign involving admin SSO logins and config theft.


Background


In December 2025, Fortinet disclosed two critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, which are improper verification of cryptographic signature issues. Threat actors started exploiting the two critical flaws in Fortinet products days after patch release, Arctic Wolf warned.


Ongoing Attacks


  • Arctic Wolf researchers observed that attackers began exploiting critical Fortinet authentication bypass flaws on December 12, just three days after patches were issued.

  • The attacks involved malicious SSO logins on FortiGate devices, mainly targeting admin accounts from multiple hosting providers.

  • After gaining access, the attackers exported device configurations via the GUI, which include hashed credentials that can be cracked offline.


Recent Developments


  • This week, Fortinet confirmed that attacks succeeded even against devices patched for CVE-2025-59718 and CVE-2025-59719.

  • The company identified a new attack path after observing login exploits on fully updated devices.

  • Fortinet is developing a fix; in the meantime, it has released IOCs to aid threat hunting.

  • Customers are urged to restrict admin access, limit it to local IPs, and temporarily disable FortiCloud SSO as a workaround.
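As an added example (not from the advisory or either source article), a small Python triage over constructed FortiGate-style event log lines that flags the behaviour described above: admin logins via SSO or from outside a trusted management range, creation of admin accounts, and configuration backups. The sample log values, the trusted network and the `sso` user-interface tag are assumptions made for this example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed FortiGate-style event log lines (key=value syslog layout). Field names
# follow the usual FortiGate event schema; users, IPs and timestamps are invented.
SAMPLE_LOGS = [
    'date=2026-01-16 time=02:11:03 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="sso(203.0.113.45)" srcip=203.0.113.45 action="login" status="success" '
    'msg="Administrator admin logged in successfully via FortiCloud SSO"',
    'date=2026-01-16 time=02:11:40 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="sso(203.0.113.45)" srcip=203.0.113.45 action="Add" cfgpath="system.admin" '
    'cfgobj="support" msg="Add system.admin support"',
    'date=2026-01-16 time=02:12:10 type="event" subtype="system" logdesc="Configuration backed up" '
    'user="admin" ui="sso(203.0.113.45)" srcip=203.0.113.45 action="backup" '
    'msg="Configuration backed up by user admin"',
    'date=2026-01-16 time=09:30:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" ui="https(10.10.0.7)" srcip=10.10.0.7 action="login" status="success" '
    'msg="Administrator netops logged in successfully from https(10.10.0.7)"',
]

# Assumption: legitimate admin access comes only from this local management range.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one FortiGate key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def triage(lines: List[str]) -> List[str]:
    """Flag the TTPs from the brief: SSO or off-network admin logins, new admin
    accounts, and configuration backups (the exports that carry password hashes)."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        desc, user, ui = ev.get("logdesc", ""), ev.get("user", "?"), ev.get("ui", "")
        src = ev.get("srcip", "0.0.0.0")
        off_net = not any(ipaddress.ip_address(src) in n for n in TRUSTED_ADMIN_NETS)
        tag = f"user={user} src={src} ui={ui}"
        if desc == "Admin login successful" and (ui.startswith("sso") or off_net):
            findings.append(f"SUSPICIOUS_ADMIN_LOGIN {tag}")
        elif desc == "Object attribute configured" and ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(f"ADMIN_ACCOUNT_CREATED cfgobj={ev.get('cfgobj')} {tag}")
        elif desc == "Configuration backed up":
            findings.append(f"CONFIG_EXPORTED {tag}")
    return findings
```

Feed real exported event logs through `triage()` and compare any `SUSPICIOUS_ADMIN_LOGIN` source addresses against the IOCs Fortinet published.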


Sources


  • https://securityaffairs.com/187250/security/fortinet-warns-of-active-forticloud-sso-bypass-affecting-updated-devices.html

  • https://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html

© 2025 by Explain IT Again. Powered and secured by Wix
