Fortinet is actively addressing a critical FortiCloud SSO authentication bypass vulnerability after new reports surface detailing exploitation attempts on fully patched network firewalls. This ongoing security concern highlights a concerning new attack vector affecting the company’s widely used FortiGate appliances, prompting urgent advisories for network administrators worldwide.
The network security vendor confirmed Wednesday that it is working on a comprehensive fix for the issue, which has been observed in recent days. According to Fortinet’s Chief Information Security Officer (CISO) Carl Windsor, recent incidents involved attacks on devices running the latest software releases, indicating a bypass of previously implemented security measures.
Fortinet Addresses Evolving FortiCloud SSO Bypass Vulnerability
The security flaw specifically targets the FortiCloud Single Sign-On (SSO) feature. It allows unauthenticated attackers to bypass login authentication through specially crafted SAML (Security Assertion Markup Language) messages, provided the FortiCloud SSO feature is enabled on affected FortiGate devices. These vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, were initially patched by Fortinet last month.
However, renewed exploitation activity emerged earlier this week. These recent incidents involve malicious SSO logins being successfully executed against administrative accounts on devices that had already been updated to address the twin vulnerabilities. This renewed activity mirrors patterns observed in December, shortly after the initial disclosure of the CVEs.
The observed exploitation tactics involve attackers creating generic accounts for persistent access, subsequently altering configurations to grant VPN access to these rogue accounts. Furthermore, threat actors have been seen exfiltrating firewall configurations to remote IP addresses. Notably, identified login attempts have utilized account names such as “[email protected]” and “[email protected],” suggesting a sophisticated and potentially organized campaign.
Mitigation Strategies and Broader Implications
In response to this evolving threat, Fortinet is urging customers to implement immediate mitigation steps. These recommendations include restricting administrative access to edge network devices from the internet by applying a local-in policy. Additionally, administrators are advised to disable FortiCloud SSO logins by deactivating the “admin-forticloud-sso-login” setting.
Fortinet emphasized that while current observed exploitation exclusively targets FortiCloud SSO, the underlying vulnerability is applicable to all SAML SSO implementations. This broader scope means that other systems utilizing SAML for authentication could potentially be at risk if not adequately secured or updated.
The ongoing situation underscores the dynamic nature of cybersecurity threats and the persistent efforts by malicious actors to find and exploit vulnerabilities, even in patched systems. Network security professionals are closely monitoring developments as Fortinet works towards a definitive solution. The immediate focus remains on customer adoption of the recommended mitigations to prevent further unauthorized access and protect sensitive network configurations. The company has not yet provided a specific timeline for the release of the complete patch but is prioritizing the resolution of this critical security bypass.