Full Report
Fortinet has officially confirmed that it's working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. "In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new
Analysis Summary
# Vulnerability: FortiCloud SSO Authentication Bypass on Patched Devices
## CVE Details
- CVE ID: **Multiple related CVEs** (Specifically notes exploitation bypassing fixes for CVE-2025-59718 and CVE-2025-59719)
- CVSS Score: **Not explicitly provided** for the *new* path in the article, but the original issues (CVE-2025-59718/59719) required external scoring.
- CWE: N/A (Authentication Bypass related to SAML)
## Affected Systems
- Products: FortiGate Firewalls running FortiOS with FortiCloud SSO enabled.
- Versions: Devices that were previously patched for CVE-2025-59718 and CVE-2025-59719, but are now being successfully exploited via a "new attack path."
- Configurations: Any device utilizing SAML SSO implementations, particularly FortiCloud SSO, where the feature is enabled.
## Vulnerability Description
A new authentication bypass mechanism has been identified that targets FortiGate firewalls, allowing threat actors to bypass security controls previously implemented via patches for CVE-2025-59718 and CVE-2025-59719. This latest activity leverages crafted SAML messages to achieve unauthenticated access when FortiCloud SSO is enabled. The vulnerability appears to be applicable to all SAML SSO implementations on the affected devices, not just the FortiCloud specific configuration.
## Exploitation
- Status: **Exploited in the wild** (Fresh exploitation activity reported on fully upgraded/patched devices).
- Complexity: (Inferred to be **Low** or **Medium** due to successful automated attacks observed in previous incidents, though the complexity of the *new* path is unstated).
- Attack Vector: Network (Remote exploitation against the administrative interface).
## Impact
- Confidentiality: **High** (Threat actors created generic accounts, granted them VPN access, and exfiltrated firewall configurations).
- Integrity: **High** (Observed creation of persistence accounts and configuration changes).
- Availability: **Medium** (Potential impact from unauthorized configuration manipulation).
## Remediation
### Patches
- Fortinet is currently **working to completely plug** the new attack path. Specific new patch versions are not detailed in this summary, but users must ensure they have the absolute latest FortiOS releases available addressing this *re-emerged/new* vulnerability.
### Workarounds
1. **Restrict administrative access of edge network device via the internet by applying a local-in policy.** (This limits external attacker paths to management interfaces).
2. **Disable FortiCloud SSO logins by disabling "admin-forticloud-sso-login".** (This is a direct mitigation against the observed exploitation vector).
## Detection
- **Indicators of Compromise (IoCs):** Observation of login activity using generic persistence accounts such as "[email protected]" and "[email protected]" logging into the admin account.
- **Detection Methods and Tools:** Monitoring SSO authentication logs for anomalies, specifically attempts utilizing crafted SAML messages, and monitoring for subsequent configuration changes (e.g., new VPN accounts being created).
## References
- Vendor advisory from Fortinet CISO Carl Windsor: hxxps://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
- Previous related CVE disclosure: hxxps://thehackernews.com/2025/12/fortinet-ivanti-and-sap-issue-urgent.html