FortiCloud SSO Bypass Exploited on Fully Patched Fortigates
2026-01-23 12:30 | CRITICAL | HIGH
Executive Summary (AI-generated)
Since January 15, 2026, automated intrusions have been recorded against Fortinet FortiGate firewalls that had already received the December 2025 fixes for CVE-2025-59718 and CVE-2025-59719. Those two critical flaws allow an unauthenticated attacker to bypass SSO login authentication with crafted SAML messages when the FortiCloud SSO feature is enabled. In the renewed activity the attacker logs in through FortiCloud SSO against the built-in admin account, or against an attacker-registered email-style account whose address is redacted on this page as "[email protected]", from several hosting-provider IP addresses, creates generic admin accounts for persistence, grants them VPN access, and exports the firewall configuration to the same addresses. The December 2025 wave that followed disclosure of the two CVEs used the same tradecraft, so this is a continuation of a known campaign rather than a new actor. Fortinet has confirmed the bypass on fully patched devices: FortiOS 7.4.9 and 7.4.10 do not fully remediate it, and further releases (FortiOS 7.4.11, 7.6.6 and 8.0.0) are in preparation. The exposure comes from an incomplete patch, not from outdated customer configurations, so "fully patched" is not a safe state until those releases ship and the interim mitigations are applied.
Technical Mitigations (AI-generated)
* Disable the FortiCloud SSO admin login path until a complete fix is installed: Fortinet's interim guidance is to disable "admin-forticloud-sso-login". Being fully patched is not sufficient here; FortiOS 7.4.9 and 7.4.10 do not fully remediate the bypass, and the releases expected to do so are FortiOS 7.4.11, 7.6.6 and 8.0.0. Track the same advisory for FortiWeb, FortiProxy and FortiSwitchManager, which share the underlying CVEs.
* Take administrative interfaces off the internet: apply a local-in policy that denies admin HTTPS (and SSH) on WAN-facing interfaces, as Fortinet recommends. Fortinet notes the issue applies to all SAML SSO implementations, not only FortiCloud, so treat any SAML-based admin login the same way.
* Do not rely on MFA at the identity provider as a compensating control: the bypass works with crafted SAML messages accepted by the device itself, so the identity provider and its MFA are never consulted. Disabling the SSO login path and restricting reachability are the controls that matter.
* Hunt for the reported tradecraft rather than generic "suspicious logins": SSO logins against the built-in admin account from hosting-provider IP space (104.28.244.114 is the one address the reporting names), newly created admin accounts with generic names, configuration changes that grant those accounts VPN access, and configuration exports via the GUI. Arctic Wolf's guidance is to audit admin accounts, review recent configuration changes, rotate credentials, and watch SSO activity until the fixes land.
* Treat an exported configuration as a credential exposure: a FortiGate configuration backup carries the device's secrets (admin password hashes, VPN keys), so if one left the device, rotate everything in it and review firewall policies and VPN settings for attacker-added access.
* Keep versioned configuration backups under change control so that a diff taken after any unexplained SSO login shows exactly what changed and what to revert.
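The following is an added example, not code from the original page, from Fortinet or from Arctic Wolf: a small Python audit that parses a FortiOS configuration backup (the text format of "show full-configuration") and reports the three conditions the mitigations above target, with the remediation CLI inline. The config excerpts are constructed; the account name "svc-backup" is invented to stand in for the generic persistence accounts the reporting describes; the placement of admin-forticloud-sso-login under "config system global" and the local-in-policy attribute names follow the FortiOS CLI as recalled here and should be checked against the CLI reference for your firmware.

```python
"""Audit a FortiOS config backup for: FortiCloud SSO admin login not disabled,
admin accounts nobody provisioned, and admin HTTPS reachable on WAN with no
local-in deny. Added example; config text is constructed, not a real config."""
import re
from typing import Dict, Iterable, List

# Weak config (constructed): SSO admin login on, an unexplained admin
# "svc-backup" (invented name), and no local-in policy protecting wan1.
WEAK_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
end
config firewall local-in-policy
end
"""

# Hardened config (constructed) with Fortinet's two interim mitigations applied.
# Assumption: setting lives under `config system global`; local-in-policy uses
# intf/srcaddr/dstaddr/action/service/schedule. Verify against your firmware.
HARDENED_CONFIG = """\
config system global
    set admin-forticloud-sso-login disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
"""

TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted or bare values on a `set` line


def parse_fortios(text: str) -> Dict[str, dict]:
    """config/edit/set/next/end blocks -> nested dicts, e.g.
    cfg["system admin"]["svc-backup"]["accprofile"] == ["super_admin"]."""
    root: Dict[str, dict] = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append(stack[-1].setdefault(rest, {}))
        elif word == "edit":
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif word == "set":
            key, _, vals = rest.partition(" ")
            stack[-1][key] = [v.strip('"') for v in TOKEN.findall(vals)]
        elif word in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def sso_login_enabled(cfg: Dict[str, dict]) -> bool:
    """Finding unless explicitly `disable`; a missing value is not trusted."""
    return cfg.get("system global", {}).get("admin-forticloud-sso-login", []) != ["disable"]


def unexpected_admins(cfg: Dict[str, dict], allowlist: Iterable[str]) -> List[str]:
    """Accounts under `config system admin` that are not in the allow-list."""
    return sorted(n for n in cfg.get("system admin", {}) if n not in set(allowlist))


def wan_admin_denied(cfg: Dict[str, dict], wan_ifaces: Iterable[str]) -> bool:
    """True when every WAN interface has a local-in deny covering HTTPS (or ALL)."""
    covered = set()
    for pol in cfg.get("firewall local-in-policy", {}).values():
        if pol.get("action") == ["deny"] and set(pol.get("service", [])) & {"HTTPS", "ALL"}:
            covered.update(pol.get("intf", []))
    return "any" in covered or set(wan_ifaces) <= covered


def audit(text: str, allowlist: Iterable[str], wan_ifaces: Iterable[str]) -> List[str]:
    """Return findings, each carrying the remediation CLI."""
    cfg = parse_fortios(text)
    out: List[str] = []
    if sso_login_enabled(cfg):
        out.append("FortiCloud SSO admin login not disabled; fix: config system global / "
                   "set admin-forticloud-sso-login disable / end")
    for name in unexpected_admins(cfg, allowlist):
        out.append(f"admin account not in allow-list: {name}; treat as a possible "
                   "backdoor: verify, remove, rotate credentials")
    if not wan_admin_denied(cfg, wan_ifaces):
        out.append("admin HTTPS not denied on WAN; fix: config firewall local-in-policy / "
                   "edit 0 / set intf <wan> / set srcaddr all / set dstaddr all / "
                   "set action deny / set service HTTPS / set schedule always / next / end")
    return out


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, allowlist={"admin"}, wan_ifaces=["wan1"]):
        print("FINDING:", finding)
```

The weak config yields three findings and the hardened one none. An unexpected admin or an enabled SSO login on a device whose management interface has been internet-reachable is an incident, not a misconfiguration: pull the event logs and a configuration backup before changing anything, because the attacker's changes are your evidence.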
Technical Observables
* Source address reported in customer logs: 104.28.244.114 (SSO login against admin, followed by creation of new admin users); Fortinet describes logins from four IP addresses that later received the exported configuration files
* Account names: the built-in admin account, plus an attacker-registered email-style account (address redacted on this page as "[email protected]")
* Tradecraft: generic admin accounts added for persistence, VPN access granted to them, configuration exported via the GUI
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: CVE-2025-59718, CVE-2025-59719 (FortiCloud SSO authentication bypass via crafted SAML messages); no actor or malware family is named in the reporting
Target & Sectors: Global scope; internet-exposed FortiGate administrative interfaces with FortiCloud SSO enabled
Incident Timeline
Early December 2025
Fortinet ships fixes for CVE-2025-59718 and CVE-2025-59719. Both vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected devices; the shortcomings impact FortiOS, FortiWeb, FortiProxy and FortiSwitchManager. On the 7.4 branch the issue is flagged as patched with the release of FortiOS 7.4.9.
December 2025
Shortly after disclosure, a campaign records malicious SSO logins on FortiGate appliances against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719. These incidents are the reference point for the renewed activity in January.
January 15, 2026
A new cluster of automated malicious activity begins against FortiGate appliances that had already been patched against the two CVEs. The observed chain is an SSO login against the admin account (or an attacker-registered email-style account, redacted on this page as "[email protected]") from hosting-provider IP space, creation of generic admin accounts for persistence, configuration changes granting those accounts VPN access, and export of the firewall configuration to the attacker's IP addresses via the GUI.
From The Hacker News (Ravie Lakshmanan, Jan 22, 2026, Network Security / Vulnerability): Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719. The activity involves the creation of generic accounts for persistence, making configuration changes granting VPN access to those accounts, and the exfiltration of firewall configurations to different IP addresses. The activity is similar to incidents observed in December, shortly after the disclosure of CVE-2025-59718 and CVE-2025-59719. The issues were originally addressed by Fortinet last month.
From The Register (Jan 22, 2026, "FortiGate firewalls hit by silent SSO intrusions and config theft"): FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box. That's according to a warning from security shop Arctic Wolf, which says it has spotted a wave of automated malicious activity starting January 15 that's targeting Fortinet's FortiGate appliances via compromised SSO accounts, flipping firewall settings, creating backdoor admin users, and exfiltrating configuration files. Logs shared by affected customers show attackers logging in via SSO from the address [email protected], originating from IP address 104.28.244.114, before creating new admin users. Those indicators match the same activity that Arctic Wolf observed while analyzing the current FortiGate attacks, as well as similar exploitation attempts back in December. Arctic Wolf is urging organizations to audit FortiGate admin accounts, review recent configuration changes, rotate credentials, and keep a close eye on SSO activity until Fortinet's next round of fixes lands.
January 22, 2026
Public reporting by Arctic Wolf, The Hacker News and The Register. Administrators report that the bypass persists on devices running FortiOS 7.4.10, the release after the one flagged as fixed, so the activity amounts to a bypass of the December patches rather than exploitation of unpatched devices.
Further reporting (Jan 22-23, 2026): This activity stemmed from two critical authentication bypass bugs (CVE-2025-59718 and CVE-2025-59719) that let attackers bypass SSO login checks via specially crafted SAML responses. Patches for those were shipped last December, but Arctic Wolf's advisory follows a growing wave of reports from administrators who believe attackers are exploiting a patch bypass for CVE-2025-59718 to compromise firewalls that were already thought to be fixed. The disclosure coincides with a post on Reddit in which multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices, with one user stating the "Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10." On Reddit, affected admins say Fortinet has privately acknowledged that FortiOS 7.4.10 does not fully remediate the SSO authentication bypass, despite the issue being flagged as patched with the release of FortiOS 7.4.9 in early December. Fortinet is now said to be preparing additional releases – FortiOS 7.4.11, 7.6.6, and 8.0.0 – over the coming days to fully address CVE-2025-59718.
January 23, 2026
Fortinet confirms the FortiCloud SSO bypass on fully patched FortiGate firewalls and publishes interim mitigations while a complete fix is prepared. The exposure is the incomplete patch, not configuration drift on the customer side.
From The Hacker News (Ravie Lakshmanan, Jan 23, 2026, Network Security / Vulnerability): Fortinet has officially confirmed that it's working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. However, earlier this week, reports emerged of renewed activity in which malicious SSO logins on FortiGate appliances were recorded against the admin account on devices that had been patched against the twin vulnerabilities. Specifically, this entails carrying out malicious SSO logins against a malicious account "[email protected]" from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface. The activity essentially amounts to a bypass for patches put in place by the network security vendor to address CVE-2025-59718 and CVE-2025-59719, which could allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. As mitigations, the company is urging the following actions:
* Restrict administrative access of edge network device via the internet by applying a local-in policy
* Disable FortiCloud SSO logins by disabling "admin-forticloud-sso-login"
"It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations," Fortinet said. The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back.
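An added example, not from the original page or from the cited reports: detection logic over FortiOS-style event logs that encodes the tradecraft described in the timeline, an SSO admin login from outside expected source space followed, within a short window, by creation of an admin account, a VPN-related change, or a configuration export from the same source. The log lines are constructed. The field names (date, time, user, srcip, action, status, cfgpath, cfgobj, logdesc) follow FortiOS event logs, but the values assumed to mark an SSO login (method="sso") and a configuration backup (action="backup") are assumptions: perform one real SSO login and one export on a test device and adjust them to what your firmware actually emits. 104.28.244.114 is the one source address the reporting names; 10.20.0.5 is an invented legitimate admin workstation.

```python
"""Detect the FortiGate SSO-bypass chain: SSO admin login from an unexpected
source, then admin creation / VPN change / config export from that source
within a window. Added example; log lines are constructed and the SSO/backup
marker values are assumptions to verify against a real device's logs."""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed FortiOS-style event logs (key=value). First four lines model the
# reported intrusion from 104.28.244.114; last two model a legitimate admin.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="sso(104.28.244.114)" method="sso" srcip=104.28.244.114 action="login" status="success" profile="super_admin"
date=2026-01-15 time=03:12:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="sso(104.28.244.114)" srcip=104.28.244.114 action="Add" cfgpath="system.admin" cfgobj="svc-backup" msg="Add system.admin svc-backup"
date=2026-01-15 time=03:13:05 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="sso(104.28.244.114)" srcip=104.28.244.114 action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"
date=2026-01-15 time=03:14:22 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="sso(104.28.244.114)" srcip=104.28.244.114 action="backup" status="success"
date=2026-01-15 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="sso(10.20.0.5)" method="sso" srcip=10.20.0.5 action="login" status="success" profile="super_admin"
date=2026-01-15 time=09:05:00 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="sso(10.20.0.5)" srcip=10.20.0.5 action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
"""

# key=value or key="quoted value"; the quoted branch is tried first.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Config paths a suspect SSO session should never touch silently: account
# creation, VPN access grants, and weakening of local-in protection.
SUSPICIOUS_PATHS = ("system.admin", "vpn.", "user.group", "firewall.local-in-policy")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """One FortiOS log line into a dict with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def detect(raw: str, allowed_srcs: Iterable[str],
           window: timedelta = timedelta(hours=1)) -> List[str]:
    """Alerts in log order. A successful SSO admin login from a source outside
    allowed_srcs opens a suspect session keyed by srcip; config changes and
    backups from that srcip inside `window` are attributed to it."""
    allowed = set(allowed_srcs)
    suspect: Dict[str, datetime] = {}   # srcip -> time of the flagged login
    alerts: List[str] = []
    for line in raw.splitlines():
        ev = parse_fortios_log(line)
        if "date" not in ev or "time" not in ev:
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        src = ev.get("srcip", "")
        if ev.get("action") == "login" and ev.get("status") == "success" and ev.get("method") == "sso":
            if src not in allowed:
                suspect[src] = ts
                alerts.append(f"{ts} SSO admin login as {ev.get('user')!r} from unexpected source {src}")
            continue
        opened = suspect.get(src)
        if opened is None or ts - opened > window:
            continue
        path = ev.get("cfgpath", "")
        if ev.get("action") == "Add" and path == "system.admin":
            alerts.append(f"{ts} new admin {ev.get('cfgobj')!r} created by SSO session from {src}")
        elif path.startswith(SUSPICIOUS_PATHS):
            alerts.append(f"{ts} {ev.get('action')} on {path} by SSO session from {src}")
        elif ev.get("action") == "backup":
            alerts.append(f"{ts} configuration exported by SSO session from {src}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, allowed_srcs={"10.20.0.5"}):
        print("ALERT:", alert)
```

Keying the session on srcip rather than on the user name is deliberate: in every report the attacker logs in as the same admin account a legitimate operator uses, so the user field cannot separate the two, while the source address and the sequence of actions can. An allow-list of admin sources is the minimum; if SSO logins are expected from nowhere in particular, treat every SSO login as the opener and let the follow-on actions decide.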
Tactical Metrics
Affected product: Fortinet FortiGate (FortiOS). The underlying CVEs also impact FortiWeb, FortiProxy and FortiSwitchManager.
Software versions:
* FortiOS 7.4.9: release flagged in early December 2025 as patching CVE-2025-59718 and CVE-2025-59719
* FortiOS 7.4.10: affected admins report that Fortinet's developer team confirmed the vulnerability persists in this version
* FortiOS 7.4.11, 7.6.6, 8.0.0: additional releases Fortinet is said to be preparing to fully address CVE-2025-59718
Cyber operation type: persistence (generic admin accounts), configuration tampering (VPN access grants, firewall settings), exfiltration (configuration export to attacker IP addresses)
Intelligence Sources
* The Hacker News, 2026-01-23: Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls (Ravie Lakshmanan)
* The Hacker News, 2026-01-22: Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations (Ravie Lakshmanan)
* The Register - Cybercrime, 2026-01-22: FortiGate firewalls hit by silent SSO intrusions and config theft
Incident Version History
Current version, last updated 2026-04-27T06:31