Fortinet Confirms Critical FortiCloud SSO Bypass Still Actively Exploited Despite Patch

Fortinet has confirmed that a critical authentication bypass vulnerability in its FortiCloud Single Sign-On (SSO) feature remains actively exploited, even on systems that have applied the initial December patch. The company is now developing a new fix after a wave of customer reports revealed that attackers were successfully compromising fully patched FortiGate firewalls.

The vulnerability, tracked as CVE-2025-59718, was originally disclosed and patched in early December 2025. However, beginning January 15, 2026, security firm Arctic Wolf observed a new wave of automated attacks targeting Fortinet customers. Attackers were creating admin accounts with VPN access and stealing firewall configurations within seconds, despite the systems being fully updated.

The Attack Pattern

According to Arctic Wolf's analysis, the attacks follow a consistent pattern. Threat actors create accounts using VPN access and immediately exfiltrate firewall configurations. Logs shared by affected customers show that attackers created admin users after an SSO login from [email protected] originating from IP address 104.28.244.114. These indicators of compromise match those detected by Arctic Wolf during their analysis of ongoing FortiGate attacks and December's initial exploitation wave.

Fortinet Chief Information Security Officer Carl Windsor confirmed the reports on Thursday, stating that the recent attacks "match December's malicious activity" and that the company has identified a new attack path. "Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue," Windsor explained. "However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path."

Scope and Impact

While the initial patch addressed the primary vulnerability, the new attack path suggests that the fix was incomplete. Fortinet's CISO noted that while only FortiCloud SSO exploitation has been observed so far, "this issue is applicable to all SAML SSO implementations." This broader implication means that any system using SAML-based single sign-on could potentially be vulnerable to similar authentication bypass techniques.

The vulnerability affects a critical component of Fortinet's security ecosystem. FortiCloud SSO allows administrators to authenticate to multiple Fortinet devices using a single set of credentials, streamlining management but also creating a centralized attack surface. When compromised, attackers gain administrative access to network security devices, enabling them to modify firewall rules, exfiltrate sensitive configurations, or establish persistent access.

Immediate Mitigation Steps

Until Fortinet releases a comprehensive patch, Windsor provided specific guidance for customers:

1. Restrict Administrative Access: Apply a local-in policy that limits which IP addresses can access the administrative interfaces of edge network devices. This prevents unauthorized internet-based access to management interfaces.

2. Disable FortiCloud SSO: Administrators should disable the FortiCloud SSO feature by navigating to System -> Settings -> Switch and toggling off the "Allow administrative login using FortiCloud SSO" option. This eliminates the immediate attack vector but may impact administrative workflows.

3. Incident Response: If any indicators of compromise are detected, Fortinet advises treating "the system and configuration as compromised." This includes rotating all credentials (including LDAP/AD accounts) and restoring configurations from a known clean version.

Broader Context and Exposure

The vulnerability's impact extends beyond individual organizations. Shadowserver, an internet security watchdog, currently tracks nearly 11,000 Fortinet devices exposed online with FortiCloud SSO enabled. This represents a significant attack surface for threat actors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recognized the severity of CVE-2025-59718 by adding it to its Known Exploited Vulnerabilities (KEV) catalog on December 16, 2025. CISA ordered federal agencies to patch the vulnerability within one week of its addition to the KEV list, highlighting the critical nature of the threat.

Technical Analysis of SAML SSO Vulnerabilities

The FortiCloud SSO bypass illustrates a broader class of vulnerabilities in SAML-based authentication systems. SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP).

In typical SAML flows, the user authenticates with the IdP, which generates a signed SAML assertion containing user attributes. The service provider validates this assertion to grant access. Vulnerabilities often arise when the service provider improperly validates the assertion, fails to verify signatures correctly, or accepts unsigned or tampered assertions.

The FortiCloud SSO bypass likely involves improper validation of SAML assertions or signature verification, allowing attackers to forge authentication tokens. This type of vulnerability is particularly dangerous because it bypasses primary authentication mechanisms entirely, giving attackers direct administrative access without needing valid credentials.

Historical Precedent and Industry Patterns

This incident follows a pattern of authentication bypass vulnerabilities in enterprise security products. In December 2025, Fortinet disclosed and patched multiple authentication bypass flaws in its products, including CVE-2025-59718. The persistence of exploitation despite patching suggests either incomplete remediation or the discovery of additional attack vectors.

Similar vulnerabilities have affected other enterprise security platforms. For example, SmarterMail recently disclosed an authentication bypass flaw that was actively exploited to hijack admin accounts. These incidents underscore the complexity of authentication systems and the challenges in achieving comprehensive security patches.

Recommendations for Security Teams

Organizations using Fortinet products should take the following actions:

1. Immediate Assessment: Check all Fortinet devices for signs of compromise using the published indicators of compromise, including the IP address 104.28.244.114 and the email [email protected].

2. Configuration Review: Audit firewall configurations for unauthorized changes, new admin accounts, or modified access rules.

3. Network Segmentation: Ensure administrative interfaces are not exposed to the internet and are accessible only from trusted management networks.

4. Monitoring Enhancement: Implement additional logging and monitoring for authentication events, particularly SSO logins from unexpected sources.

5. Vendor Communication: Subscribe to Fortinet security advisories and monitor for the upcoming patch release.

Looking Ahead

Fortinet has not provided a specific timeline for the new patch release, only stating that "an advisory will be issued as the fix scope and timeline is available." The company's response to BleepingComputer's inquiries has been limited, suggesting that the situation is still evolving.

This incident highlights the ongoing challenges in enterprise security management. As organizations increasingly rely on cloud-based authentication services and single sign-on solutions, the attack surface expands, and vulnerabilities in these critical components can have cascading effects across entire network infrastructures.

The FortiCloud SSO bypass serves as a reminder that patching is not always a one-time solution. Security teams must maintain vigilance, implement defense-in-depth strategies, and be prepared to apply additional mitigations when initial patches prove insufficient.

For organizations seeking additional information about this vulnerability and ongoing mitigation strategies, Fortinet's security advisories provide the most current guidance. Security teams should also monitor resources from CISA and security firms like Arctic Wolf for additional threat intelligence and detection guidance.

The broader security community continues to analyze this vulnerability and its implications for SAML-based authentication systems. As more details emerge about the specific nature of the bypass, additional defensive measures and best practices will likely be developed to help organizations protect their Fortinet deployments and similar systems.

This situation underscores the importance of comprehensive security testing for authentication systems, particularly those that serve as gateways to administrative access. The complexity of SAML implementations and the critical nature of the access they control make them attractive targets for sophisticated threat actors, requiring heightened scrutiny from both vendors and security teams.

Organizations should view this incident not just as a specific Fortinet issue, but as a case study in the challenges of securing authentication infrastructure. The lessons learned from this vulnerability and its incomplete patch should inform security strategies across all platforms that rely on SSO and SAML-based authentication.

As the situation develops, security teams must balance the need for immediate action with the risk of disrupting business operations. The mitigation steps provided by Fortinet offer a path forward, but organizations should carefully evaluate the impact of disabling SSO on their administrative workflows and consider implementing alternative secure access methods in the interim.

The ongoing exploitation of CVE-2025-59718 demonstrates that vulnerability management is a continuous process, not a destination. Even after a patch is released, organizations must remain vigilant, monitor for new attack patterns, and be prepared to adapt their defenses as the threat landscape evolves.

For the latest information on this vulnerability and Fortinet's response, organizations should consult the official Fortinet security advisory page and monitor security news sources for updates on the patch release and additional mitigation guidance.