Fortinet Addresses Active FortiCloud SSO Bypass Exploitation on Fully Patched FortiGate Firewalls
Fortinet has acknowledged ongoing exploitation of a FortiCloud Single Sign-On (SSO) authentication bypass vulnerability, even on fully updated FortiGate firewalls. This development follows reports of unauthorized access incidents targeting devices that had been patched against previously identified vulnerabilities.
In a statement released on January 23, 2026, Fortinet’s Chief Information Security Officer, Carl Windsor, noted, “In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.”
This situation indicates that threat actors have discovered methods to circumvent existing security measures designed to address vulnerabilities CVE-2025-59718 and CVE-2025-59719. These vulnerabilities, initially patched in December 2025, allowed unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud SSO feature was enabled.
Background on the Vulnerabilities
CVE-2025-59718 and CVE-2025-59719 are critical vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. They stem from improper verification of cryptographic signatures, enabling attackers to bypass SSO login authentication through specially crafted SAML messages. While FortiCloud SSO is disabled by default, it becomes enabled during FortiCare registration unless administrators explicitly disable it.
Following the initial disclosure and patching of these vulnerabilities, reports emerged of renewed exploitation activities. Cybersecurity firm Arctic Wolf observed malicious SSO logins on FortiGate appliances, even those that had been patched. These incidents involved unauthorized access to admin accounts, creation of generic accounts for persistence, configuration changes granting VPN access to these accounts, and exfiltration of firewall configurations to various IP addresses.
Details of the Exploitation
The recent exploitation activities have been characterized by:
– Unauthorized SSO Logins: Attackers have been logging into FortiGate devices using malicious SSO credentials, targeting the admin account.
– Creation of Persistent Accounts: Accounts with names like [email protected] and [email protected] have been created to maintain access.
– Configuration Changes: Modifications have been made to firewall configurations to grant VPN access to these unauthorized accounts.
– Data Exfiltration: Firewall configurations have been exported to external IP addresses, indicating potential data theft.
These activities suggest a high level of automation, with events occurring within seconds of each other. The source IP addresses associated with these activities include:
– 104.28.244[.]115
– 104.28.212[.]114
– 217.119.139[.]50
– 37.1.209[.]19
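The activity sequence above (an SSO admin login followed within seconds by account creation and VPN-related configuration changes) can be correlated from FortiGate event logs. The following detection sketch is an added example, not code from Fortinet or Arctic Wolf; the log lines are constructed, the field names follow the common FortiOS key=value event-log layout (logdesc, user, method, srcip, cfgpath, cfgobj) with method="sso" assumed as the SSO marker, and the account name is a placeholder because the article does not give the real ones.

```python
import re
from datetime import datetime, timedelta

# Source IPs reported in the article, re-fanged for matching.
KNOWN_BAD_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # key="quoted value" or key=bare

# Constructed sample log lines (values invented; account name is a placeholder).
SAMPLE_LOGS = """\
date=2026-01-22 time=03:14:05 logdesc="Admin login successful" user="admin" method="sso" srcip=104.28.244.115 action="login" status="success"
date=2026-01-22 time=03:14:07 logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="PLACEHOLDER-persist-account" action="Add"
date=2026-01-22 time=03:14:09 logdesc="Object attribute configured" user="admin" cfgpath="vpn.ssl.settings" cfgobj="" action="Edit"
date=2026-01-22 time=09:30:11 logdesc="Admin login successful" user="admin" method="https" srcip=10.0.0.5 action="login" status="success"
date=2026-01-22 time=09:31:40 logdesc="Object attribute configured" user="admin" cfgpath="firewall.address" cfgobj="branch-net" action="Add"
"""

def parse_line(line):
    """Parse one FortiOS-style key=value log line into a dict with a parsed timestamp."""
    rec = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
           for m in FIELD_RE.finditer(line)}
    rec["_ts"] = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
    return rec

def detect(lines, window=timedelta(seconds=30)):
    """Return alerts for: any successful SSO admin login (flagged harder if from a
    known-bad IP), and admin-account or VPN config changes by that user within `window`."""
    alerts, last_sso = [], {}                      # last_sso: user -> (login time, srcip)
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        desc, user = r.get("logdesc", ""), r.get("user", "")
        if desc == "Admin login successful" and r.get("method") == "sso":
            last_sso[user] = (r["_ts"], r.get("srcip", ""))
            tag = "known-bad source" if r.get("srcip") in KNOWN_BAD_IPS else "review"
            alerts.append(f"{r['_ts']} SSO admin login user={user} srcip={r.get('srcip')} ({tag})")
        elif desc == "Object attribute configured" and user in last_sso:
            t0, ip = last_sso[user]
            path = r.get("cfgpath", "")
            if r["_ts"] - t0 <= window and (path.startswith("system.admin") or path.startswith("vpn.")):
                delta = int((r["_ts"] - t0).total_seconds())
                alerts.append(f"{r['_ts']} config change {path} obj={r.get('cfgobj')} "
                              f"{delta}s after SSO login from {ip}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Once admin-forticloud-sso-login is disabled as recommended, any method="sso" admin login in these logs is itself anomalous and worth an alert regardless of source IP.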
Mitigation Measures
In response to these ongoing threats, Fortinet recommends the following actions:
1. Restrict Administrative Access: Limit administrative access to edge network devices via the internet by applying a local-in policy.
2. Disable FortiCloud SSO Logins: Disable the FortiCloud SSO login feature by setting admin-forticloud-sso-login to disable.
It’s important to note that while current exploitation has been observed with FortiCloud SSO, the issue is applicable to all SAML SSO implementations.
Broader Implications
This incident underscores the evolving nature of cyber threats and the importance of continuous vigilance, even after applying patches. Organizations are advised to:
– Regularly Review Security Configurations: Ensure that all security settings are configured according to best practices.
– Monitor for Unusual Activity: Implement monitoring to detect unauthorized access attempts or configuration changes.
– Stay Informed: Keep abreast of the latest security advisories from vendors and cybersecurity organizations.
By taking these proactive steps, organizations can enhance their security posture and mitigate the risks associated with such vulnerabilities.