Key Takeaways
- Fortinet has confirmed the active exploitation of a FortiCloud SSO authentication bypass vulnerability, which affects FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
- The vulnerability allows unauthenticated attackers to bypass SSO authentication using crafted SAML messages, enabling admin access without credentials.
- Cybersecurity firm Arctic Wolf has observed a new automated campaign targeting even fully patched FortiGate devices, with incidents occurring seconds apart.
- The attacks involve rapid configuration exfiltration and persistence via generic admin accounts, and have been reported on updated firmware such as 7.4.10.
- Fortinet urges users to disable FortiCloud SSO and implement local-in policies to restrict admin access, and to treat compromised devices as fully owned.
Introduction to the Vulnerability
The FortiCloud SSO authentication bypass vulnerability is a critical issue that has been confirmed by Fortinet, with active exploitation reported in the wild. This vulnerability affects various Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, and allows unauthenticated attackers to bypass SSO authentication using crafted SAML messages. As a result, attackers can gain admin access to the system without credentials, which can lead to further exploitation and compromise. In December 2025, Fortinet disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, which enable this type of attack.
Affected Versions and Solutions
The FortiCloud SSO authentication bypass vulnerability affects various versions of Fortinet products, including FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, and FortiOS 7.2.0 through 7.2.11, among others. Fortinet has issued patches for these vulnerabilities, and users are advised to upgrade to the latest firmware to mitigate the issue. However, reports have confirmed that the vulnerability is still being exploited on updated firmware, such as 7.4.9 and 7.4.10, which suggests that the issue may be more complex than initially thought. The affected versions and solutions are outlined in Fortinet’s PSIRT advisory, which provides detailed information on the vulnerable versions and the necessary fixes.
Attack Campaign Details
The attack campaign targeting FortiGate devices has been observed by cybersecurity firm Arctic Wolf, which has reported that the attacks are highly automated and involve rapid configuration exfiltration and persistence via generic admin accounts. The attacks occur seconds apart, targeting internet-exposed devices, and have been reported on over 25,000 devices that had SSO enabled. The attackers use malicious SSO logins, such as "[email protected]", to gain access to the system, and then exfiltrate configurations via the GUI for offline credential cracking. Additionally, the attackers create persistence accounts that grant VPN access, allowing them to maintain a foothold in the system. The IOCs (Indicators of Compromise) for this attack campaign include specific user accounts, IP addresses, and persistence accounts, which can be used to detect and respond to the attack.
Mitigation and Remediation
To mitigate the FortiCloud SSO authentication bypass vulnerability, Fortinet urges users to disable FortiCloud SSO and implement local-in policies to restrict admin access. This can be done by running a series of commands, including "config system global" and "set admin-forticloud-sso-login disable". Additionally, users should treat compromised devices as fully owned, which involves upgrading to the latest firmware, restoring clean configurations, rotating all credentials, including LDAP/AD, and auditing VPN settings. By taking these steps, users can reduce the risk of exploitation and prevent further compromise. It is also recommended to search logs for SSO successes from specific IPs and users, and to monitor for "Add system.admin" events, which can indicate a potential attack.
Conclusion and Recommendations
The FortiCloud SSO authentication bypass vulnerability is a serious issue that requires immediate attention from Fortinet users. The active exploitation of this vulnerability, combined with the automated nature of the attack campaign, makes it a significant threat to the security of FortiGate devices. To mitigate this vulnerability, users should disable FortiCloud SSO, implement local-in policies, and treat compromised devices as fully owned. By taking these steps, users can reduce the risk of exploitation and prevent further compromise. It is also important to stay informed about the latest developments and updates on this vulnerability, and to follow best practices for security and risk management.
