Fortinet has acknowledged active exploitation of a FortiCloud Single Sign-On (SSO) authentication bypass affecting FortiGate firewalls, including devices that were fully updated with the latest security patches at the time of compromise.
The company confirmed the issue after detecting suspicious login activity on patched systems, indicating attackers may have discovered a previously unknown attack method that circumvents earlier fixes.
Exploitation Detected on Fully Patched Firewalls
According to Fortinet Chief Information Security Officer Carl Windsor, investigations over the past 24 hours revealed multiple cases where attackers successfully gained access to FortiGate appliances that had already received all available updates.
This behavior suggests the threat actors are exploiting a new bypass technique that evades the original protections implemented to address two SAML-based authentication flaws disclosed in late 2025.
Those vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, allowed unauthenticated attackers to bypass SSO authentication through specially crafted SAML requests when FortiCloud SSO was enabled.
Attacker Activity and Observed Behavior
Recent incidents show patterns similar to earlier attacks observed shortly after the initial disclosure of the vulnerabilities. In the newly reported cases, attackers:
- Logged in through FortiCloud SSO using administrator-level access
- Created generic user accounts to maintain persistence
- Modified firewall configurations to enable VPN access
- Exfiltrated device configuration files to external IP addresses
Fortinet noted that attacker-controlled accounts using email-style usernames such as cloud-noc@mail.io and cloud-init@mail.io were observed during the intrusions.
Scope Extends Beyond FortiCloud SSO
While the current exploitation has only been confirmed against FortiCloud SSO, Fortinet warned that the underlying issue may impact all SAML-based SSO implementations, not just FortiCloud-integrated environments.
This raises broader concerns for organizations relying on SAML authentication for administrative access to network infrastructure.
Recommended Mitigations
Until a comprehensive fix is released, Fortinet urges customers to take immediate defensive action, including:
- Restricting administrative access to edge devices by applying strict local-in policies
- Disabling FortiCloud SSO login by turning off the
admin-forticloud-sso-login setting
- Reviewing admin account activity and auditing configuration changes
- Monitoring for unauthorized VPN access or configuration exports
Fortinet stated it is actively working on a permanent solution to fully close the newly identified attack path.
Ongoing Risk for Network Defenders
The incident highlights a recurring challenge for defenders: patching alone may not be sufficient when authentication mechanisms themselves become targets for advanced bypass techniques. Security teams are advised to combine patch management with access hardening, continuous monitoring, and strict identity controls for network infrastructure.
