Fortinet has confirmed it is working to fully patch a FortiCloud SSO authentication bypass after reports of exploitation on fully patched firewalls. The activity circumvents fixes for CVE-2025-59718 and CVE-2025-59719, creates persistent generic accounts, grants VPN access, and exfiltrates firewall configurations, prompting recommendations to restrict internet-facing admin access and disable FortiCloud SSO; Fortinet warns the issue applies to all SAML SSO implementations. #Fortinet #FortiCloudSSO #FortiGate #CVE-2025-59718 #CVE-2025-59719
Keypoints
- Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass on fully patched devices.
- The exploit defeats patches for CVE-2025-59718 and CVE-2025-59719 that targeted SAML-based SSO authentication.
- Attackers create generic persistence accounts, modify configurations to grant VPN access, and exfiltrate firewall configs.
- Observed malicious login accounts include β[email protected]β and β[email protected].β
- Fortinet urges restricting internet-facing administrative access and disabling βadmin-forticloud-sso-loginβ as mitigations.
Read More: https://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html