
Fortinet has confirmed that it is working on a complete fix for a FortiCloud SSO authentication bypass, following reports of new exploit activity against firewalls that had already received all available patches.

Discovery of New Attack Route

Carl Windsor, Fortinet's CISO, reported that exploitation has been identified on devices running the latest firmware available at the time of the attack. This points to a new attack path that gets around the patches previously deployed for CVE-2025-59718 and CVE-2025-59719.

The original vulnerabilities (CVE-2025-59718 and CVE-2025-59719) allowed an unauthenticated attacker to bypass single sign-on (SSO) authentication with crafted SAML messages, provided the FortiCloud SSO feature was enabled on the affected device. Fortinet first addressed these issues with patches released in December.

Threat Actor Behavior

Recent reports show fraudulent SSO logins to the administrator account on FortiGate devices that had received the patches. The activity resembles the incidents observed in December, shortly after the vulnerabilities were first disclosed.

The threat actor has been observed performing the following actions:

  • Creating generic-looking administrator accounts for persistence.
  • Modifying settings to grant those accounts VPN access.
  • Exfiltrating firewall configurations to various IP addresses.

Logins have been observed from generic accounts such as “cloud-noc@mail.io” and “cloud-init@mail.io”.
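Each of the behaviours above leaves a trace in FortiGate event logs: an admin login with method sso, an Add on cfgpath system.admin, an Edit under vpn.*, and a later login by the freshly created account. The script below is an added example, not code from Fortinet or from the original article; it parses FortiOS-style key=value log lines and applies those four checks. The sample lines are constructed for the example, the exact field values (ui, cfgattr, logdesc wording) are assumptions, and the only account names taken from the article are the two IOC accounts.

```python
import re

# Constructed FortiGate-style event lines in FortiOS key=value syslog format,
# modelled on the behaviour described in the article. Field names follow
# FortiOS conventions (logdesc, user, ui, method, cfgpath, cfgobj, cfgattr,
# action) but every value below is an assumption made for this example,
# not a captured log.
SAMPLE_LOGS = """\
date=2026-01-20 time=08:12:03 logdesc="Admin login successful" user="admin" ui="sso(203.0.113.10)" method="sso" srcip=203.0.113.10 action="login" status="success"
date=2026-01-20 time=08:13:40 logdesc="Object attribute configured" user="admin" ui="sso(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="cloud-noc@mail.io" cfgattr="accprofile[super_admin]"
date=2026-01-20 time=08:14:02 logdesc="Object attribute configured" user="admin" ui="sso(203.0.113.10)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="authentication-rule[1].users[cloud-noc@mail.io]"
date=2026-01-20 time=08:15:11 logdesc="Admin login successful" user="cloud-noc@mail.io" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="success"
date=2026-01-20 time=09:30:00 logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success"
"""

# Account names reported in the article; extend with whatever your own
# review turns up.
KNOWN_IOC_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}

# key=value pairs: the value is either double-quoted (may contain spaces)
# or a bare token such as an IP address.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(log_text: str, expected_sso_users=frozenset()) -> dict:
    """Run the four behaviour-based checks over a block of log lines.

    Returns a dict of finding lists:
      sso_admin_logins   - successful admin logins via SSO by users not in
                           expected_sso_users (with SSO disabled this must be empty)
      created_admins     - admin accounts added (cfgpath system.admin, action Add)
      vpn_changes        - edits under vpn.* performed from an SSO session
      ioc_account_logins - logins by accounts created in this log window or
                           matching the known IOC names
    """
    findings = {"sso_admin_logins": [], "created_admins": [],
                "vpn_changes": [], "ioc_account_logins": []}
    created = set()  # admin accounts seen being added, in log order
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        ts = f"{ev.get('date', '')} {ev.get('time', '')}"
        user = ev.get("user", "")
        from_sso = ev.get("ui", "").startswith("sso(")
        is_login = ev.get("action") == "login" and ev.get("status") == "success"

        if is_login and ev.get("method") == "sso" and user not in expected_sso_users:
            findings["sso_admin_logins"].append((ts, user, ev.get("srcip")))

        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            name = ev.get("cfgobj", "")
            created.add(name)
            findings["created_admins"].append((ts, name, "via_sso" if from_sso else "local"))

        if ev.get("cfgpath", "").startswith("vpn.") and from_sso:
            findings["vpn_changes"].append((ts, ev["cfgpath"], ev.get("cfgattr")))

        if is_login and (user in created or user in KNOWN_IOC_ACCOUNTS):
            findings["ioc_account_logins"].append((ts, user, ev.get("srcip")))
    return findings


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOGS).items():
        print(category)
        for hit in hits:
            print("   ", hit)
```

Run it against exported event logs from the period since FortiCloud SSO was enabled; because the account-creation check keys on cfgpath rather than on the two published names, it also catches accounts the attacker names differently on your device.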

Mitigations Recommended by Fortinet

Until a complete fix is available, Fortinet urgently recommends that network administrators take the following actions:

  1. Restrict administrative access: apply a local-in policy that limits administrative access to perimeter devices from the Internet to trusted sources, or removes Internet-facing management entirely.
  2. Disable FortiCloud SSO: set admin-forticloud-sso-login to disable, which removes the vulnerable login path regardless of patch level.

Because the attacker activity described above leaves traces in the device configuration, it is also worth reviewing admin accounts, VPN settings and admin login logs for those indicators on any device that had FortiCloud SSO enabled.
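The two mitigations can be verified offline against a configuration backup. The script below is an added example, not Fortinet's own tooling: it parses flat FortiOS config stanzas and reports when admin-forticloud-sso-login is not disabled or when no local-in policy denies the admin service from any source on the WAN interface. The two configuration excerpts are constructed for the example; the setting names follow the FortiOS CLI (config system global, config firewall local-in-policy), while the interface name wan1, the address object mgmt-hosts and the policy IDs are assumptions.

```python
# Constructed FortiOS configuration excerpts (not real device backups):
# the exposed state the article warns about, and the mitigated state.
WEAK_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set admin-sport 443
end
config firewall local-in-policy
end
"""

HARDENED_CONFIG = """\
config system global
    set admin-forticloud-sso-login disable
    set admin-sport 443
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
"""


def parse_config(text: str) -> dict:
    """Parse flat FortiOS stanzas into {section: {setting: value}} for plain
    sections and {section: {id: {setting: value}}} for edit/next tables.
    Nested config blocks inside an edit entry are not handled; the two
    sections audited here are flat."""
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line[len("config "):]
            sections[current] = {}
            entry = None
        elif line.startswith("edit ") and current is not None:
            entry = line[len("edit "):].strip('"')
            sections[current][entry] = {}
        elif line == "next":
            entry = None
        elif line == "end":
            current, entry = None, None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")
            target = sections[current][entry] if entry is not None else sections[current]
            target[key] = value.strip('"')
    return sections


def audit(config_text: str, wan_interfaces=("wan1",), admin_service="HTTPS") -> list:
    """Return a list of findings; an empty list means both mitigations are present."""
    cfg = parse_config(config_text)
    findings = []

    # Backups omit settings left at their default, so treat "absent" as
    # "not explicitly disabled" and ask for verification on the device.
    sso = cfg.get("system global", {}).get("admin-forticloud-sso-login")
    if sso != "disable":
        findings.append(
            f"admin-forticloud-sso-login is {sso or 'not set (verify default on device)'}; set it to disable")

    policies = cfg.get("firewall local-in-policy", {})
    for intf in wan_interfaces:
        deny_all = False
        for pid, p in policies.items():  # dict preserves policy order
            if p.get("intf") != intf or p.get("service") != admin_service:
                continue
            if p.get("action") == "accept" and p.get("srcaddr") == "all":
                findings.append(f"local-in-policy {pid} accepts {admin_service} from any source on {intf}")
            if p.get("action") == "deny" and p.get("srcaddr") == "all":
                deny_all = True
        if not deny_all:
            findings.append(
                f"no local-in-policy denying {admin_service} from srcaddr all on {intf}; "
                "Internet-facing admin access is not restricted")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

FortiOS evaluates local-in policies top-down, so the accept rule for management hosts must sit above the deny-all rule, as in the hardened excerpt. If the admin interface runs on a custom admin-sport, the service object named in the policy has to match that port rather than the default HTTPS service.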

Wider Impact

Fortinet stresses that although only FortiCloud SSO exploitation has been observed so far, the underlying issue applies to all SAML SSO implementations.


References

  • Vulnerabilities: CVE-2025-59718, CVE-2025-59719