A newly discovered attack path allows threat actors to bypass FortiCloud SSO authentication on FortiGate firewalls that have already been patched against CVE-2025-59718 and CVE-2025-59719, prompting urgent mitigation guidance from Fortinet.
Fortinet has confirmed that threat actors are actively exploiting a new attack path to bypass FortiCloud SSO authentication on FortiGate firewalls that were fully patched against previous vulnerabilities. The company's Chief Information Security Officer, Carl Windsor, stated that in the last 24 hours, they identified multiple cases where the exploit targeted devices upgraded to the latest release at the time of the attack, indicating a novel bypass method.
This activity circumvents the patches Fortinet released last month to address CVE-2025-59718 and CVE-2025-59719. These vulnerabilities, if exploited, could allow unauthenticated bypass of SSO login authentication through crafted SAML messages when the FortiCloud SSO feature is enabled on affected devices. The original patches were intended to close this security gap, but the new exploitation activity demonstrates that the threat actor has found an alternative method to achieve the same outcome.
The exploitation pattern mirrors incidents observed in December, shortly after the initial disclosure of the twin CVEs. The threat actor has been observed creating generic accounts for persistence, modifying firewall configurations to grant VPN access to these accounts, and exfiltrating firewall configurations to external IP addresses. Specific account names used in the attacks include "[email protected]" and "[email protected]."
The Technical Mechanism
While Fortinet has not yet disclosed the exact technical details of the new bypass, the activity suggests a flaw in the SAML validation process or a timing issue in the authentication flow that persists even after patching. SAML-based SSO implementations are complex, involving multiple validation steps between the identity provider (FortiCloud) and the service provider (FortiGate). The attack likely exploits a specific sequence of SAML messages or a validation weakness that wasn't fully addressed in the initial patches.
This situation highlights a common challenge in security patching: addressing one attack vector while inadvertently leaving another open, especially in complex authentication systems like SAML SSO. The threat actor's ability to find this bypass on fully patched systems indicates sophisticated reverse-engineering of the patches and deep understanding of the authentication flow.
Immediate Mitigation Steps
Fortinet is urging administrators to implement the following mitigations immediately:
Restrict administrative access: Apply local-in policies to block administrative access to edge network devices via the internet. This prevents direct exposure of management interfaces.
Disable FortiCloud SSO logins: Disable the "admin-forticloud-sso-login" setting to prevent SSO authentication attempts entirely. This effectively removes the attack surface until a proper patch is available.
Fortinet emphasized that while only FortiCloud SSO exploitation has been observed so far, the underlying issue is applicable to all SAML SSO implementations. This broader implication means other vendors and systems using SAML SSO should review their configurations and validation processes.
Broader Implications for SAML SSO Security
This incident underscores several critical points about SAML SSO security:
Complexity Creates Vulnerabilities: SAML's complexity, with its XML-based message format and multiple validation steps, often leads to implementation flaws. Even well-established vendors like Fortinet can miss edge cases in their validation logic.
Patch Validation Challenges: The fact that a bypass exists on fully patched systems demonstrates the difficulty of thoroughly testing security patches, especially for authentication systems where test cases can be numerous and complex.
Defense in Depth is Essential: Relying solely on patching is insufficient. Organizations must implement multiple layers of security, including network segmentation, access controls, and monitoring.
Recommendations for Security Teams
For FortiGate Administrators:
- Immediately review Fortinet's official security advisory for the latest updates
- Implement the recommended mitigations, prioritizing the disabling of FortiCloud SSO if possible
- Monitor logs for suspicious authentication attempts, especially from unknown IP addresses
- Consider temporarily disabling remote management access entirely
For Organizations Using SAML SSO:
- Review all SAML implementations in your environment
- Ensure proper validation of SAML assertions, including signature verification and audience restriction
- Implement additional authentication factors where possible
- Monitor for anomalous authentication patterns
For Security Operations:
- Update detection rules to identify the specific account names and patterns observed in these attacks
- Review firewall configuration change logs for unauthorized modifications
- Check for unexpected VPN access grants or policy changes
Ongoing Situation
Fortinet is actively working on a complete fix for this vulnerability. The company has not yet provided a timeline for when a permanent patch will be available. In the meantime, the recommended mitigations are the primary defense against exploitation.
This incident serves as a reminder that vulnerability management is an ongoing process. Even after applying patches, organizations must remain vigilant and implement layered security controls. The sophistication of modern threat actors means that single-point fixes are often insufficient against determined adversaries.
Security teams should continue monitoring Fortinet's official channels for updates and be prepared to adjust their mitigation strategies as new information becomes available. The situation also highlights the importance of having incident response plans that include specific procedures for authentication system compromises.
Image: Featured image for the article on Fortinet security vulnerabilities
Image: Related security vulnerability content
Image: Additional security threat information
Image: Security monitoring and response
Image: Security tools and resources
Related Resources:
- Fortinet Security Advisory - Official vulnerability announcements and patches
- FortiGate Documentation - Configuration guides and best practices
- SAML 2.0 Specification - Technical reference for SAML implementations
- NIST SP 800-63C - Digital Identity Guidelines for federation
This developing situation demonstrates the evolving nature of cybersecurity threats and the need for continuous monitoring and adaptation of security controls. Organizations using FortiGate devices should treat this as an active threat and implement the recommended mitigations immediately while awaiting a permanent fix from Fortinet.
Comments
Please log in or register to join the discussion