
Fortinet has officially confirmed that it is working to fully resolve the FortiCloud SSO authentication bypass vulnerability following reports of new exploit activity on fully patched firewalls.
“Over the past 24 hours, we have identified a number of cases in which devices were fully upgraded to the latest release at the time of the attack, suggesting a new attack vector,” Carl Windsor, Fortinet’s chief information security officer, said in a post Thursday.
This activity effectively bypasses the patches the network security vendor released to address CVE-2025-59718 and CVE-2025-59719. Those flaws allow unauthenticated bypass of SSO login authentication via a crafted SAML message when the FortiCloud SSO feature is enabled on the affected device. Fortinet originally fixed the issue last month.
However, earlier this week, reports emerged of new activity in which malicious SSO logins on FortiGate appliances were logged to administrator accounts on devices that had been patched for these two vulnerabilities. This activity is similar to incidents observed in December, shortly after the publication of CVE-2025-59718 and CVE-2025-59719.

The observed activity includes creating general-purpose accounts for persistence, changing the configuration to grant those accounts VPN access, and exfiltrating firewall configurations to various IP addresses. The attacker has been seen logging in with accounts named ‘cloud-noc@mail.io’ and ‘cloud-init@mail.io’.
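As an added example (not code from the article or from Fortinet), the following Python script applies the indicators above to FortiGate-style key="value" event logs: it flags any activity by the two named accounts and any successful SSO admin login from an account outside an allowlist. The log lines are constructed, the field names (user, method, action, status, logdesc) are assumed, and the allowlist is a placeholder to replace with your own legitimate SSO admins.

```python
import re
from typing import Dict, List

# Constructed sample log lines in FortiGate-style key="value" format.
# Field names are an assumption for illustration; adjust to what your
# FortiOS version actually emits for admin and SSO login events.
SAMPLE_LOGS = [
    'date=2026-01-15 time=09:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="local" action="login" status="success"',
    'date=2026-01-15 time=09:13:44 type="event" subtype="system" logdesc="Admin login successful" user="cloud-noc@mail.io" ui="sso" method="sso" action="login" status="success"',
    'date=2026-01-15 time=09:14:02 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-noc@mail.io" ui="sso" cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]"',
    'date=2026-01-15 time=09:15:30 type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso" method="sso" action="login" status="success"',
    'date=2026-01-15 time=09:16:00 type="event" subtype="system" logdesc="Admin login successful" user="ops@example.com" ui="sso" method="sso" action="login" status="success"',
    'date=2026-01-15 time=09:17:21 type="event" subtype="system" logdesc="Admin login successful" user="contractor@example.net" ui="sso" method="sso" action="login" status="success"',
]

# Account names reported in the article as used by the attacker.
KNOWN_ABUSED_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
# Placeholder: the SSO admin identities your organisation actually expects.
EXPECTED_SSO_ADMINS = {"ops@example.com"}

# Matches key="quoted value" or key=bareword pairs.
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted values unquoted)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV.finditer(line)}


def detect(lines: List[str]) -> List[dict]:
    """Return findings for abused-account activity and unexpected SSO admin logins."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        user = ev.get("user", "")
        sso_login_ok = (ev.get("method") == "sso" and ev.get("action") == "login"
                        and ev.get("status") == "success")
        if user in KNOWN_ABUSED_ACCOUNTS:
            # Any event at all by these accounts, including config changes, is high severity.
            findings.append({"severity": "high", "reason": "known abused account",
                             "user": user, "event": ev.get("logdesc", ""), "time": ev.get("time", "")})
        elif sso_login_ok and user not in EXPECTED_SSO_ADMINS:
            findings.append({"severity": "medium", "reason": "unexpected SSO admin login",
                             "user": user, "event": ev.get("logdesc", ""), "time": ev.get("time", "")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['time']} {f['user']}: {f['reason']} ({f['event']})")
```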
As a mitigation, the company asks administrators to take the following steps: apply local-in policies to restrict management access to edge network devices from the Internet, and disable FortiCloud SSO login by setting ‘admin-forticloud-sso-login’ to disabled.
“It is important to note that while we have only seen FortiCloud SSO abuse at this time, this issue applies to all SAML SSO implementations,” Fortinet said.
