Fortinet has acknowledged active exploitation targeting a FortiCloud SSO authentication bypass vulnerability, even on firewalls that have received the latest patches. The security vendor is currently working to implement a permanent fix.
Fortinet’s Chief Information Security Officer, Carl Windsor, stated in a post on Thursday, “Over the past 24 hours, we have observed multiple incidents where the exploit targeted devices that had been fully updated to the latest release, indicating a new attack vector.”
The new attack vector relates to the patches applied to address CVE-2025-59718 and CVE-2025-59719, flaws that could allow attackers to bypass SSO login authentication using specially crafted SAML messages when the FortiCloud SSO feature is enabled. Fortinet initially patched these issues last month.
Earlier this week, reports revealed renewed attacks where malicious SSO logins were recorded on FortiGate appliances, targeting admin accounts on devices already patched against the two vulnerabilities. This activity mirrors incidents seen in December following the initial disclosure of CVE-2025-59718 and CVE-2025-59719.
Attackers have been creating generic accounts to maintain persistence, adjusting configurations to grant VPN access, and exfiltrating firewall settings to external IP addresses. Known accounts used in these attacks include cloud-noc@mail.io and cloud-init@mail.io.
Fortinet recommends the following mitigation steps:
• Limit administrative access to edge network devices from the internet by applying a local-in policy
• Disable FortiCloud SSO logins by turning off admin-forticloud-sso-login
The company added, “While only FortiCloud SSO exploitation has been observed so far, this vulnerability could potentially impact all SAML SSO implementations.”
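As an added example (not Fortinet's code or tooling), the following Python script audits an exported FortiOS configuration for the two mitigations listed above and for the administrator account names reported in these attacks; the config layout it parses and the sample configuration are constructed assumptions, so check it against a real export before relying on it.

```python
KNOWN_BAD_ADMINS = {"cloud-noc@mail.io", "cloud-init@mail.io"}  # names from the report

SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
    next
    edit "cloud-noc@mail.io"
    next
end
config firewall local-in-policy
end
"""  # constructed sample export: SSO left on, rogue admin, no local-in policy

def parse_blocks(text):
    """Map top-level block name -> {'set': {key: value}, 'edit': [entry names]}."""
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):  # both open a nested scope
            depth += 1
            if depth == 1:
                current = line[7:]
                blocks.setdefault(current, {"set": {}, "edit": []})
            elif depth == 2 and line.startswith("edit "):
                blocks[current]["edit"].append(line[5:].strip('"'))
        elif line in ("end", "next"):  # both close the current scope
            depth -= 1
            current = current if depth else None
        elif depth == 1 and line.startswith("set "):  # only top-level settings
            key, _, value = line[4:].partition(" ")
            blocks[current]["set"][key] = value.strip('"')
    return blocks

def audit(text, expected_admins=("admin",)):
    """Return findings; an empty list means both mitigations are in place."""
    blocks, findings = parse_blocks(text), []
    sso = blocks.get("system global", {"set": {}})["set"].get("admin-forticloud-sso-login")
    if sso != "disable":  # an absent key means the default, not a confirmed disable
        findings.append("admin-forticloud-sso-login is not explicitly disabled")
    if not blocks.get("firewall local-in-policy", {"edit": []})["edit"]:
        findings.append("no local-in policy restricts management access")
    for name in blocks.get("system admin", {"edit": []})["edit"]:
        if name in KNOWN_BAD_ADMINS:
            findings.append(f"known attacker account present: {name}")
        elif name not in expected_admins:
            findings.append(f"unexpected administrator account: {name}")
    return findings
```

Run `audit()` over a real `show full-configuration` export, passing the administrator names you actually expect, and treat every finding as something to fix or explain.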