Key Takeaways:
- Recent attacks are bypassing FortiCloud single sign-on (SSO) login authentication on devices fully patched against recent vulnerabilities.
- Hackers are leveraging automation to make configuration changes to FortiGate firewalls, adding new user accounts, enabling VPN access, and exfiltrating device configuration files.
- The attacks resemble previous campaigns targeting critical-severity defects in FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices.
- Fortinet has confirmed that the attacks are successful even against devices that had been patched against previous vulnerabilities.
- The company is working on a fix, but has shared indicators of compromise (IOCs) and recommended workarounds to help customers protect themselves.
Introduction to the Attack
Fortinet has confirmed that recent attacks are bypassing FortiCloud single sign-on (SSO) login authentication on devices that have been fully patched against recent vulnerabilities. This is a significant concern, as it suggests that the attackers have found a new way to exploit the system, even after previous vulnerabilities have been patched. The attacks are leveraging automation to make configuration changes to FortiGate firewalls, adding new user accounts, enabling VPN access, and exfiltrating device configuration files. This is a serious issue, as it allows the attackers to gain unauthorized access to the network and potentially steal sensitive data.
Similarities to Previous Attacks
The fresh campaign resembles December 2025 attacks targeting CVE-2025-59718 and CVE-2025-59719, two critical-severity defects impacting the FortiCloud SSO login feature of FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices. In those attacks, crafted SAML response messages could be used to bypass authentication on instances that have the FortiCloud SSO login feature enabled. Fortinet released fixes for the two flaws in early December, but it appears that the attackers have found a new way to exploit the system. The fact that the attacks are similar to previous ones suggests that the attackers are using a similar methodology, but have found a new vulnerability to exploit.
Confirmation of the Attacks
On Thursday, Fortinet confirmed previous fears that the attacks were successful even against devices that had been patched against CVE-2025-59718 and CVE-2025-59719. The company stated that it had identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path. This is a significant concern, as it suggests that the attackers have found a way to bypass the patches that were previously released. Fortinet also noted that while only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations.
Response to the Attacks
Fortinet is working on a fix for the issue, but could not share details on its availability. In the meantime, the company has shared indicators of compromise (IOCs) to help customers hunt for malicious activity on their devices. Organizations are advised to block administrative access to edge devices from the internet and restrict it to local IP addresses. Additionally, Fortinet recommends disabling the FortiCloud SSO feature as an additional workaround, but notes that this will prevent abuse via that method but not a third-party SSO system. This suggests that the company is taking a cautious approach to addressing the issue, and is working to ensure that customers are protected until a fix is available.
Recommendations for Customers
To protect themselves from these attacks, customers are advised to take several steps. First, they should block administrative access to edge devices from the internet and restrict it to local IP addresses. This will help to prevent attackers from gaining access to the devices remotely. Additionally, customers should consider disabling the FortiCloud SSO feature, at least until a fix is available. This will prevent abuse via that method, but it is important to note that it will not prevent abuse via a third-party SSO system. Customers should also be on the lookout for indicators of compromise (IOCs) that have been shared by Fortinet, and should take immediate action if they suspect that their devices have been compromised.
Conclusion
In conclusion, the recent attacks on FortiCloud single sign-on (SSO) login authentication are a significant concern, as they suggest that the attackers have found a new way to exploit the system, even after previous vulnerabilities have been patched. Fortinet has confirmed that the attacks are successful even against devices that had been patched against previous vulnerabilities, and is working on a fix. In the meantime, customers should take steps to protect themselves, including blocking administrative access to edge devices from the internet, restricting access to local IP addresses, and disabling the FortiCloud SSO feature. By taking these steps, customers can help to prevent unauthorized access to their networks and protect themselves from these attacks.