Fortinet has confirmed it is working on a complete fix for a FortiGate authentication issue tied to FortiCloud SSO, after detecting new exploitation attempts — including cases where devices were already running the latest available firmware at the time of attack.
Fortinet’s Chief Information Security Officer (CISO), Carl Windsor, stated that the company identified multiple incidents in the past 24 hours involving fully upgraded firewalls, pointing to what appears to be a new exploitation path that bypasses previous protections.
What the vulnerability is about
The suspicious activity appears linked to earlier Fortinet vulnerabilities tracked as:
- CVE-2025-59718
- CVE-2025-59719
These issues involved FortiGate appliances using FortiCloud SSO, where attackers could potentially bypass SSO authentication using manipulated SAML messages — especially if the FortiCloud SSO function is enabled.
Fortinet had already released patches last month to address these two vulnerabilities. However, the latest findings suggest attackers may have discovered a method to get around those patches.
Exploitation spotted again — even on patched systems
Earlier this week, reports surfaced showing attackers successfully performing malicious SSO logins on FortiGate systems that had already been patched against the CVEs.
The behavior closely resembles exploitation activity seen in December shortly after the vulnerabilities were publicly disclosed. The attackers reportedly targeted the admin account using SSO-based authentication tricks.
What attackers are doing after access
In incidents observed so far, the threat actor’s post-compromise activity includes:
- creating new generic accounts to maintain persistence
- adjusting firewall configuration to give those accounts VPN access
- stealing and exporting FortiGate configuration files
- sending the data out to external IP addresses
Fortinet also noted that attackers have been seen using accounts with names such as:
Fortinet’s recommended mitigations
Until a permanent fix is delivered, Fortinet is urging administrators to take immediate action to reduce exposure:
✅ 1) Lock down admin access from the internet
Apply a local-in policy so that administrative access to edge devices is not openly reachable from public networks.
✅ 2) Disable FortiCloud SSO login access
Fortinet specifically advised disabling FortiCloud SSO admin logins using:
- Disable:
admin-forticloud-sso-login
Bigger warning: this may affect more than FortiCloud SSO
Although the active exploitation currently involves FortiCloud SSO, Fortinet cautioned that the risk extends beyond one implementation.
Because the underlying technique relies on SAML SSO, the concern may apply to other SAML-based SSO setups as well — meaning organizations should treat this as a broader identity and access threat, not just a FortiGate-specific issue.