Sequenxa

Fortinet Confirms Active Exploitation of FortiCloud SSO Flaw

January 25, 2026
Fortinet Confirms Active Exploitation of FortiCloud SSO Flaw
Fortinet's FortiCloud SSO vulnerability (CVE-2025-59718) is actively exploited. New attack path bypasses December patches. Over 11,000 devices at risk.
Category:Blog

Fully patched FortiGate devices are being compromised through CVE-2025-59718 and CVE-2025-59719, enabling unauthorized admin access when FortiCloud SSO is enabled. Attackers exploit a SAML signature verification bypass to create malicious admin accounts, exfiltrate FortiGate configuration files, and establish VPN access firewall backdoors. A new attack path bypasses the FortiOS 7.4.9 and FortiOS 7.6.4 security updates released in December 2025.



What Happened: The SAML Signature Verification Bypass


These CVEs exploit improper cryptographic signature validation weakness in SAML SSO authentication. When FortiCloud SSO is enabled, FortiGate fails to properly validate SAML assertion signatures. Attackers send crafted SAML message requests that bypass authentication entirely through XML signature wrapping attack techniques. The firewall accepts the forged authentication, granting admin access without credentials.


Unlike most vulnerabilities where SSO authentication security best practices provide defense, this SAML token validation bypass bypasses standard controls. SAML assertion injection attacks persist because the firewall configuration integrity monitoring is disabled during SSO login. Attackers inject malicious assertions, creating unauthorized admin accounts instantly.




Did you know? SAML-related authentication flaws account for over 21% of identity-based perimeter breaches investigated in 2024 incident response cases.


“XML signature wrapping attacks remain one of the most underestimated risks in SAML implementations because they bypass trust assumptions rather than credentials.”



Timeline: Why FortiOS 7.2 Through 7.6 Remain Vulnerable




December 9: Fortinet releases FG-IR-25-647 security advisory with patches for FortiOS 7.4.9, FortiOS 7.6.4, FortiOS 7.2.12, and FortiOS 7.0.17. Critical vulnerability remediation timeline suggests immediate patching.


December 12-13: Active FortiGate compromise begins within 72 hours. Automated FortiGate compromise tools emerge. Threat actors focus on internet-facing FortiGate devices with FortiCloud SSO registration enabled.


January 15: Arctic Wolf detects new attack vectors bypassing initial patches. Vulnerability disclosure timeline extends, fully updated systems remain exploitable.


January 21: Fortinet confirms a "new attack path" enabling FortiGate SSO bypass on patched versions (FortiOS 7.4.8, 7.4.10, 7.6.3). This reveals Fortinet's initial patch was incomplete.




How should security teams validate vendor patches when zero-days continue to work post-update?


Treat Fortinet patches as incomplete until independently validated against active exploit techniques.



Risk Assessment


FortiCloud SSO not enabled by default in factory settings, but enablement occurs automatically during FortiCare registration, creating latent FortiCloud authentication bypass risk. Over 11,000 internet-facing FortiGate devices currently have FortiCloud SSO registration risk active. Organizations must audit FortiGate device inventory management immediately.


Product scope expands beyond FortiGate. The vulnerability extends across multiple Fortinet products. Authentication bypass has been confirmed in FortiWeb 7.4 and 7.6, while FortiProxy 7.4 SSO bypass is under active exploitation. FortiSwitchManager vulnerabilities affect critical network infrastructure, and emerging vulnerability reports are surfacing for FortiDDoS, FortiAnalyzer, FortiManager, and FortiClient VPN.


Malicious account persistence across Fortinet products means multi-customer Fortinet vulnerability impact for MSPs managing diverse appliances.




Example: A global retailer unknowingly enabled FortiCloud SSO during FortiCare registration, leaving 38 internet-facing firewalls exposed for six months without any admin awareness.


Should vendors be allowed to auto-enable cloud authentication features during product registration?



Attack Mechanics: Automated FortiGate Compromise Workflow




1. Malicious SSO login: Attacker sends crafted SAML message authentication. Logs show: method="sso" srcip=ATTACKER_IP


2. Unauthorized admin account creation: New admin accounts appear: cloud-init@mail.io, cloud-noc@mail.io, helpdesk, secadmin. Admin account creation persistence enables weeks of access.


3. FortiGate configuration exfiltration: Full config file downloaded containing credentials, VPN keys, network topology.


4. VPN access grant: Firewall rules modified for persistent backdoor access. Attackers control FortiGate VPN configuration security entirely.


5. Lateral movement: Credential extraction risk materializes. Threat actors obtain LDAP credentials, pre-shared keys, and internal network maps for broader compromise.


This workflow is fully automated. Threat actors run bulk FortiGate patching strategy analysis, targeting unpatched and "patched" devices with equal success due to the new attack path.




Did you know? Automated network appliance exploits now reduce attacker dwell time by over 80%.


“Once attackers automate infrastructure compromise, manual defenses simply can’t keep pace.”



Fortinet Compromise Forensics


Immediate threat hunting requirements:


Search FortiGate admin audit logs for:


SSO-based admin login from external IPs (unauthorized admin access indicators)


Account creation by system or admin accounts outside change windows


Configuration file downloads via GUI (action="download")


VPN rule modifications (firewall rules configuration best practices violations)


Accounts named cloud-init@mail.io,, helpdesk, secadmin, support, backup


XDR FortiGate incident response integration: Correlate firewall log analysis forensics with endpoint detection response Fortinet activity. Look for lateral movement from compromised management workstations to internal systems.




Example: Forensic review uncovered config downloads initiated via GUI sessions tied to SSO logins from foreign IP ranges, clear evidence of unauthorized access.


Did you know? Only 34% of enterprises log and alert on firewall configuration exports.



How to Detect FortiGate Compromise Signs


Hours 1-6: Query FortiGate admin audit logs for past 60 days. Identify admin accounts, SSO logins, config downloads. Check FortiGate firmware version check status.


Hours 7-24: Search for unexpected accounts matching threat actor naming patterns. Review firewall rules configuration best practices, identify unauthorized VPN access. Look for FortiGate vulnerability indicators (rapid config changes, unusual admin activity).


Hours 25-48: If compromise found, reset FortiGate admin password reset requirements apply immediately. Rotate credential rotation policy for all accounts. If clean, proceed to disable admin-forticloud-sso-login CLI commands.


Hours 49-72: Implement Restrict administrative access FortiGate policies. Enable Firewall management network segmentation. Deploy Jump box bastion host setup for admin access. Enable Multi-factor authentication firewall admin access.




Example: A financial services firm identified compromise by correlating SSO login logs with unexpected VPN rule changes outside business hours.


Are your detection workflows designed around identity abuse, not just malware?



Immediate Mitigation: How to Disable FortiCloud SSO


CLI command to disable:

```

config system global

set admin-forticloud-sso-login disable

end

```


Additional hardening:


Restrict administrative access FortiGate to internal networks only


Implement Zero-trust firewall security architecture


Enable SSH key management firewall for API access


Deploy Privileged access management PAM solutions




Did you know? Organizations that removed SSO from firewall admin access reduced compromise risk by nearly 90%.


Is convenience ever worth identity-based admin access on perimeter devices?



Why Patches Failed: Fortinet Vulnerability Timeline Response Failure


The December patches addressed one SAML signature verification bypass but missed alternative vectors. Cryptographic signature validation weakness remains exploitable through different XML signature wrapping attack techniques. Additionally, Fortinet's advisory confirms this affects "all SAML SSO implementations", meaning third-party SAML providers create similar risks.


Fortinet's Fortinet security advisory acknowledged the gap in 6 weeks. Zero-day patch management expectations were unmet. This vendor incident response capability failure demonstrates that Fortinet's initial patches were fundamentally incomplete.




“Partial fixes are worse than no fix, they create false confidence.”




Broader Vulnerability Scope


FortiWeb 7.6 authentication bypass: WAF admin interface accessible. Attackers disable security rules and whitelist malicious traffic.


FortiProxy 7.4 SSO bypass: Proxy admin access grants log exfiltration and bypass rule creation.


FortiSwitchManager vulnerability: VLAN modification and port mirroring break network segmentation security.


FortiGate 6000 series vulnerability: High-end appliances equally exposed.




Example: An attacker used FortiProxy admin access to whitelist malicious domains, bypassing all outbound inspection controls.


How many Fortinet products share the same SAML trust boundary?



Supply Chain Strategy


MSPs face exponential risk. Fortinet security advisory MSP guidance is minimal. Critical requirements:


Immediate: Notify all managed customers of FortiCloud SSO registration risk. Implement emergency FortiCloud SSO disablement. Conduct Fortinet compromise forensics on at-risk customer devices.


Week 2: Develop Bulk FortiGate patching strategy accounting for new attack path unreliability. Test patches against actual attack payloads before deployment.


Ongoing: Establish Vendor incident response capability SLA commitments with Fortinet. Deploy Patch management automation framework. Implement FortiGate compliance audit and Access review firewall admin accounts procedures.




Did you know? 68% of MSP breaches originate from shared tooling or vendors.





FAQs


What is CVE-2025-59718 and CVE-2025-59719?

CVE-2025-59718 and CVE-2025-59719 are critical (CVSS 9.1) vulnerabilities affecting multiple Fortinet products when FortiCloud SSO is enabled. These CVEs enable unauthorized administrative access through a SAML signature verification bypass, allowing attackers to bypass authentication entirely without knowing legitimate credentials.


What is a FortiGate SSO bypass and how does it work?

A FortiGate SSO bypass is an attack method exploiting CVE-2025-59718/59719 that allows unauthorized admin access when FortiCloud SSO is enabled. The FortiGate SSO bypass works by sending crafted SAML messages with forged signatures. The firewall's improper signature verification (CWE-347) accepts these forged messages, granting admin access without credentials. Attackers then create persistent admin accounts, exfiltrate configuration files, and establish VPN backdoors. This FortiGate SSO bypass is fully automated and active in the wild.


What is FortiCloud authentication bypass?

FortiCloud authentication bypass refers to the exploitation of improper SAML signature validation in Fortinet's FortiCloud SSO implementation. When enabled, FortiCloud SSO automatically accepts SAML responses without cryptographic verification. This FortiCloud authentication bypass condition allows attackers to forge authentication assertions, creating unauthorized admin accounts instantly. The FortiCloud authentication bypass affects devices where SSO was automatically enabled during FortiCare registration, exposing over 11,000 internet-facing devices.


What is Fortinet admin access bypass and why is it dangerous?

Fortinet admin access bypass is the exploitation of authentication weaknesses (CVE-2025-59718/59719) that grants unrestricted administrative access to Fortinet appliances. When successful, Fortinet admin access bypass enables attackers to: create persistent admin accounts, download full device configurations containing credentials and network topology, modify firewall rules, grant unauthorized VPN access, and pivot to internal networks. The danger: Fortinet admin access bypass can happen in seconds, affects fully patched systems, and remains active despite patches released in December 2025.


Why are fully patched FortiGate hacked?

Fully patched FortiGate hacked incidents occur because Fortinet's December 2025 patches did not fully address the vulnerability. A new attack path discovered in January 2026 continues to exploit the underlying SAML signature verification weakness. Attackers use alternative XML signature wrapping techniques to bypass the initial patches. This means fully patched FortiGate hacked is now the baseline threat model, patch status alone no longer guarantees security. Organizations running FortiOS 7.4.9, 7.4.10, 7.6.3, and 7.6.4 remain vulnerable to this new FortiGate SSO bypass path.


What is a FortiOS SSO vulnerability?

A FortiOS SSO vulnerability (CVE-2025-59718/59719) is an improper cryptographic signature verification weakness in FortiOS's SAML single sign-on implementation. This FortiOS SSO vulnerability allows attackers to bypass authentication by sending crafted SAML messages with invalid signatures. The FortiOS SSO vulnerability affects multiple FortiOS versions (7.0.17+, 7.2.12+, 7.4.9+, 7.6.4+) and remains exploitable through a new attack path that wasn't addressed by initial patches.




Continuous Defense


Immediate hardening steps include implementing network appliance vulnerability scanning with vulnerability management platforms, establishing FortiGate SIEM integration for real-time alert correlation of Fortinet attack patterns, deploying endpoint detection and response (EDR) for lateral movement detection, and conducting ongoing firewall log analysis to identify abnormal authentication patterns.


Long-term architectural transformation requires zero-trust implementation across network perimeters, network segmentation to isolate management traffic, VPN gateway hardening with multi-factor authentication, and security orchestration automation for rapid incident response. These layered defenses ensure resilience against both current exploitation and future attack evolution.


Fully patched FortiGate systems remain vulnerable. Assume patches are incomplete. Implement Zero-trust firewall security immediately. Your response time determines breach scope.




Disable FortiCloud SSO, hunt for compromise, and implement zero-trust firewall administration, before attackers do it for you. Visit our website to learn more.




References


Fortinet. (2025). FG-IR-25-647: FortiOS SAML SSO authentication bypass vulnerability. Retrieved from https://www.fortinet.com/support/security-advisories


Fortinet. (2025). FortiOS 7.4.9 and 7.6.4 security update release notes. Retrieved from https://docs.fortinet.com


MITRE. (2024). CWE-347: Improper verification of cryptographic signature. Retrieved from https://cwe.mitre.org/data/definitions/347.html


MITRE. (2025). CVE-2025-59718. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59718


MITRE. (2025). CVE-2025-59719. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59719


OASIS. (2005). Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. Retrieved from https://docs.oasis-open.org/security/saml/v2.0


Internet Engineering Task Force. (2011). RFC 6376: DomainKeys Identified Mail (DKIM) Signatures. Retrieved from https://datatracker.ietf.org/doc/html/rfc6376


Arctic Wolf. (2026). Security operations advisory: Active exploitation of Fortinet SAML SSO vulnerabilities. Retrieved from https://www.arcticwolf.com/resources


Red Canary. (2024). Threat detection report: Identity-based attack trends. Retrieved from https://redcanary.com/threat-detection-report


Trail of Bits. (2024). On the risks of incomplete cryptographic patching. Retrieved from https://blog.trailofbits.com




More Briefings