Fortinet has confirmed ongoing exploitation of a FortiCloud single sign-on (SSO) authentication bypass affecting fully patched FortiGate firewalls. The issue follows reports of attackers successfully bypassing existing security patches on updated devices.
Fortinet CISO Carl Windsor noted that, in the past 24 hours, several attacks targeted devices that had already been upgraded to the latest firmware, indicating the emergence of a new attack vector.
The bypass relates to previously disclosed vulnerabilities CVE-2025-59718 and CVE-2025-59719, which were patched last month. These flaws allow unauthenticated attackers to bypass SSO login authentication using specially crafted SAML messages when FortiCloud SSO is enabled. Despite the applied patches, attackers have reportedly executed malicious SSO logins on admin accounts, echoing incidents observed shortly after the vulnerabilities were first disclosed in December 2025.
Observed Threat Behavior
Threat actors have been creating generic accounts for persistence, granting VPN access, and exfiltrating firewall configurations to external IP addresses. The accounts involved in these incidents have included usernames such as cloud-noc@mail.io and cloud-init@mail.io.
Fortinet is urging administrators to adopt the following mitigation measures immediately:
- Restrict administrative access to edge devices from the internet using a local-in policy.
- Disable FortiCloud SSO logins by turning off the admin-forticloud-sso-login option.
The company also emphasized that while current exploitation has targeted FortiCloud SSO, the underlying issue could affect all SAML-based SSO implementations if similar conditions exist.
Implications for Organizations
This incident highlights the evolving tactics of attackers who can circumvent patched systems and gain administrative access, potentially compromising firewall configurations, VPN access, and network security posture. Organizations using FortiCloud SSO are urged to monitor for suspicious login activity and implement access restrictions until a permanent fix is deployed.
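To make the "monitor for suspicious login activity" advice concrete, here is an added example (not code from Fortinet or from the article) that scans FortiOS-style event log lines for the behaviours described above: admin logins via SSO, admin accounts created with generic cloud-style names like the ones observed, and logins by such accounts. The log lines are constructed, and the field names (`action`, `method`, `ui`, `cfgpath`, `cfgobj`, `srcip`) are an assumption modelled on FortiOS event logs, so adjust them to the fields your firmware actually emits.

```python
import re
from typing import Dict, List

# Constructed FortiOS-style key="value" event log lines. Field names and
# values are an assumption, not taken from Fortinet documentation.
SAMPLE_LOGS = [
    'date=2026-01-10 time=09:12:01 type="event" subtype="system" action="login" '
    'user="admin" ui="https(203.0.113.10)" method="local" status="success" srcip=203.0.113.10',
    'date=2026-01-10 time=09:40:22 type="event" subtype="system" action="login" '
    'user="admin" ui="forticloud-sso" method="sso" status="success" srcip=198.51.100.7',
    'date=2026-01-10 time=09:41:05 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="cloud-noc@mail.io" user="admin" ui="forticloud-sso" srcip=198.51.100.7',
    'date=2026-01-10 time=09:42:30 type="event" subtype="system" action="login" '
    'user="cloud-init@mail.io" ui="sslvpn" method="local" status="success" srcip=198.51.100.7',
]

# Matches key="quoted value" or key=bare_value pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Generic cloud-style account names, as in the usernames reported above.
GENERIC_NAME = re.compile(r'^cloud-[a-z]+@', re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Split one key="value" / key=value log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per line that matches a reviewed behaviour:
    an admin login through SSO, creation of a generic-named admin account,
    or a login by such an account (e.g. later VPN use for persistence)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        action, user = ev.get("action", ""), ev.get("user", "")
        src = ev.get("srcip", "")
        if action == "login" and ev.get("method") == "sso":
            alerts.append({"reason": "sso_admin_login", "user": user, "src": src})
        elif action == "Add" and ev.get("cfgpath") == "system.admin":
            created = ev.get("cfgobj", "")
            if GENERIC_NAME.match(created):
                alerts.append({"reason": "generic_admin_created", "user": created, "src": src})
        elif action == "login" and GENERIC_NAME.match(user):
            alerts.append({"reason": "generic_account_login", "user": user, "src": src})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOGS):
        print(alert)
```

Correlating the flagged source address across alerts (here the same address performs the SSO login, creates the account, and logs in with it) is what turns three events into one incident.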