Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator.
Threat actors have begun exploiting these vulnerabilities in active attacks on FortiGate devices, using IP addresses associated with hosting providers to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Organizations are advised to apply patches immediately, disable FortiCloud SSO until updates are applied, and limit access to management interfaces.
FortiOS version 7.4.10 does not fully address the authentication bypass vulnerability, and Fortinet is planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 to fully patch the security flaw. CISA has added the FortiCloud SSO auth bypass flaw to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week by December 23rd.
A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices. The activity includes the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out against a malicious account '[email protected]' from four different IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19. Threat actors created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence. All events took place within seconds of each other, indicating the possibility of automated activity.
Arctic Wolf reported that the campaign started on January 15, 2026, with attackers exploiting an unknown vulnerability in the SSO feature to create accounts with VPN access and exporting firewall configurations within seconds, indicating automated activity. Arctic Wolf noted that the current campaign bears similarity to incidents documented in December following the disclosure of CVE-2025-59718. Affected admins reported that Fortinet confirmed the latest FortiOS version (7.4.10) does not fully address the authentication bypass flaw, which should have been patched since early December with the release of FortiOS 7.4.9. Fortinet is planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address the CVE-2025-59718 security flaw. Affected Fortinet customers shared logs showing that the attackers created admin users after an SSO login from [email protected] on IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf. Internet security watchdog Shadowserver is currently tracking nearly 11,000 Fortinet devices that are exposed online and have FortiCloud SSO enabled.