
Critical FortiCloud SSO Authentication Bypass Vulnerabilities Patched

3 unique sources, 13 articles

Summary


Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator.

Threat actors began exploiting these vulnerabilities in active attacks on FortiGate devices, using IP addresses associated with hosting providers to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Over 25,000 Fortinet devices with FortiCloud SSO enabled were found exposed online, with more than 5,400 in the United States and nearly 2,000 in India; Shadowserver is currently tracking nearly 11,000 such devices. CISA added the FortiCloud SSO auth bypass flaw to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week, by December 23rd.

Affected admins reported that Fortinet confirmed FortiOS 7.4.10 does not fully address the authentication bypass, which should have been fixed in early December with the release of FortiOS 7.4.9; Fortinet said it would release FortiOS 7.4.11, 7.6.6, and 8.0.0 to fully patch the flaw.

A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices: the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out using a malicious FortiCloud account '[email protected]' from four IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19. Threat actors created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence. All events took place within seconds of each other, indicating automated activity. Arctic Wolf reported that the campaign exploited a then-unknown vulnerability in the SSO feature to create accounts with VPN access and export firewall configurations, and noted its similarity to the incidents documented in December following the disclosure of CVE-2025-59718. Affected Fortinet customers shared logs showing that attackers created admin users after an SSO login from [email protected] on IP address 104.28.244.114, matching indicators of compromise detected by Arctic Wolf. Fortinet's CISO Carl Windsor confirmed that the ongoing attacks match December's malicious activity and that the issue is applicable to all SAML SSO implementations.

Fortinet advised customers to restrict administrative access to their edge network devices from the Internet by applying a local-in policy that limits the IP addresses allowed to reach the devices' administrative interfaces, and to disable FortiCloud SSO by toggling off the "Allow administrative login using FortiCloud SSO" option. Customers who find IOCs are advised to treat the system and configuration as compromised, rotate credentials, and restore the configuration from a known clean version.

Fortinet subsequently confirmed a new, actively exploited critical FortiCloud SSO authentication bypass vulnerability, tracked as CVE-2026-24858. Classified as "Authentication Bypass Using an Alternate Path or Channel" and caused by improper access control in FortiCloud SSO, the flaw allows an attacker with a FortiCloud account and a registered device to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against the earlier vulnerabilities, because an alternate authentication path remained. Fortinet disabled the abused FortiCloud accounts on January 22, disabled FortiCloud SSO globally on January 26, and restored it on January 27 with the restriction that devices running vulnerable firmware can no longer authenticate via SSO. Fortinet confirmed the vulnerability was exploited in the wild through the malicious FortiCloud SSO accounts '[email protected]' and '[email protected]'. Once a device was breached, attackers downloaded customer config files and created one of the following admin accounts: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system. Connections were made from the following IP addresses: 104.28.244.115, 104.28.212.114, 104.28.212.115, 104.28.195.105, 104.28.195.106, 104.28.227.106, 104.28.227.105, 104.28.244.114, 37.1.209.19, 217.119.139.50. Fortinet is still investigating whether FortiWeb and FortiSwitch Manager are affected. Customers who detect indicators of compromise in their logs should treat their devices as fully compromised, review all administrator accounts, restore configurations from known-clean backups, and rotate all credentials.
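The intrusion pattern described above (an SSO admin login, then within seconds an attacker-named admin account and a configuration export, from addresses on the published IOC list) is easy to hunt for in exported event logs. The script below is an added example written for this page, not Fortinet's or any of the cited reporters' code. The log lines are constructed and only approximate FortiOS key=value event syntax; the field names it relies on (ui, method, action, status, cfgpath, cfgobj) are an assumption to check against your own logs, and the account sso-user@example.com is a placeholder for the attacker accounts, whose names are redacted in the reporting.

```python
"""Triage FortiOS-style event logs for the intrusion pattern described on this
page: an admin login via FortiCloud SSO followed within seconds by creation of a
generic admin account and a configuration export.

Added example, not Fortinet's or the reporters' code. The sample log lines are
constructed and only approximate FortiOS event-log key=value syntax; the field
names relied on (ui, method, action, status, cfgpath, cfgobj) are an assumption
to check against real logs. The placeholder account sso-user@example.com stands
in for the attacker accounts, whose names are redacted in the reporting."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Indicators from the reporting summarised on this page.
IOC_IPS = {"104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
           "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
           "37.1.209.19", "217.119.139.50"}
IOC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
                   "deploy", "remoteadmin", "security", "svcadmin", "system", "helpdesk"}
# Follow-up actions landed "within seconds"; 60 s is an assumed, generous window.
WINDOW = timedelta(seconds=60)

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
SSO_RE = re.compile(r"\bsso\b|forticloud")


def parse_line(line: str) -> dict:
    """One key=value log line -> dict, quotes stripped, timestamp parsed into _ts."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["_ts"] = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
    return ev


def src_ip(ev: dict) -> str | None:
    """Client address from ui="https(1.2.3.4)", falling back to a srcip field."""
    m = IP_RE.search(ev.get("ui", ""))
    return m.group(1) if m else ev.get("srcip")


def is_sso_login(ev: dict) -> bool:
    """True when the login method or message points at FortiCloud SSO."""
    return SSO_RE.search((ev.get("method", "") + " " + ev.get("msg", "")).lower()) is not None


def triage(log_text: str, window: timedelta = WINDOW) -> list[dict]:
    """One finding per suspicious successful admin login: from an IOC address,
    or followed (same client address, within `window`) by creation of an
    IOC-named admin, or an SSO login followed by any admin creation or a
    configuration export."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["_ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        ip = src_ip(ev)
        created, exported = [], False
        for nxt in events[i + 1:]:
            if nxt["_ts"] - ev["_ts"] > window:
                break
            if src_ip(nxt) != ip:
                continue
            if nxt.get("action") == "Add" and nxt.get("cfgpath") == "system.admin":
                created.append(nxt.get("cfgobj", "?"))
            elif nxt.get("action") == "backup":
                exported = True
        reasons = []
        if ip in IOC_IPS:
            reasons.append(f"login from IOC address {ip}")
        ioc_accounts = sorted(set(created) & IOC_ADMIN_NAMES)
        if ioc_accounts:
            reasons.append("created IOC-named admin(s): " + ", ".join(ioc_accounts))
        if is_sso_login(ev) and (created or exported):
            reasons.append("SSO login followed within the window by admin creation/config export")
        if reasons:
            findings.append({"ts": ev["_ts"].isoformat(sep=" "), "user": ev.get("user"),
                             "ip": ip, "accounts_created": created,
                             "config_exported": exported, "reasons": reasons})
    return findings


# Constructed sample: one automated intrusion, then a legitimate admin session.
LOG_SAMPLE = """\
date=2026-01-15 time=03:12:44 type="event" subtype="system" vd="root" user="sso-user@example.com" ui="https(104.28.244.114)" method="forticloud-sso" action="login" status="success" msg="Administrator logged in successfully via FortiCloud SSO"
date=2026-01-15 time=03:12:46 type="event" subtype="system" vd="root" user="sso-user@example.com" ui="https(104.28.244.114)" action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"
date=2026-01-15 time=03:12:47 type="event" subtype="system" vd="root" user="sso-user@example.com" ui="https(104.28.244.114)" action="Edit" cfgpath="system.admin" cfgobj="secadmin" cfgattr="accprofile[super_admin]" msg="Edit system.admin secadmin"
date=2026-01-15 time=03:12:49 type="event" subtype="system" vd="root" user="sso-user@example.com" ui="https(104.28.244.114)" action="backup" status="success" msg="Configuration backed up to local file"
date=2026-01-15 time=09:30:02 type="event" subtype="system" vd="root" user="admin" ui="https(203.0.113.10)" method="local" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.10)"
date=2026-01-15 time=09:41:17 type="event" subtype="system" vd="root" user="admin" ui="https(203.0.113.10)" action="Add" cfgpath="firewall.address" cfgobj="mgmt-net" msg="Add firewall.address mgmt-net"
"""

if __name__ == "__main__":
    for f in triage(LOG_SAMPLE):
        print(f)
```

Run against the constructed sample, the SSO session from 104.28.244.114 is reported with all three reasons (IOC address, IOC-named account, SSO login followed by admin creation and export) while the later local admin session is not. The IP list is only a starting point: the page itself notes the attackers used several hosting providers, so an SSO login followed by account creation and a backup within seconds should be treated as suspicious regardless of source address.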

Timeline

  1. 28.01.2026 10:05 · 1 article

    Fortinet releases patches for CVE-2026-24858

    Fortinet has released emergency patches for a new FortiCloud SSO authentication bypass vulnerability, tracked as CVE-2026-24858, which has been exploited in the wild as a zero-day. The exploitation of CVE-2026-24858 was discovered after Arctic Wolf observed automated attacks targeting FortiGate firewalls to create new administrator accounts and exfiltrate configuration files. Fortinet confirmed that the attacks were exploiting devices fully patched against CVE-2025-59718 and CVE-2025-59719, two critical-severity FortiCloud SSO login bugs patched in early December. CVE-2026-24858 allows an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts if FortiCloud SSO authentication is enabled. Fortinet blocked the malicious FortiCloud accounts used in the zero-day attacks observed earlier this month and briefly disabled FortiCloud SSO on the FortiCloud side between January 26 and 27. FortiCloud SSO no longer supports login from devices running vulnerable versions, meaning that users need to apply the newly released patches to benefit from FortiCloud SSO authentication. The patches were included in FortiAnalyzer version 7.4.10, FortiManager version 7.4.10, and FortiOS version 7.4.11. The patches will also be included in FortiAnalyzer versions 7.6.6, 7.2.12, and 7.0.16, FortiManager versions 7.6.6, 7.2.13, and 7.0.16, FortiOS versions 7.6.6, 7.2.13, and 7.0.19, and FortiProxy versions 7.6.6 and 7.4.13. The US cybersecurity agency CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by January 30.

  2. 28.01.2026 01:19 · 3 articles

    Fortinet confirms new critical FortiCloud SSO authentication bypass vulnerability CVE-2026-24858

    Fortinet has confirmed a new, actively exploited critical FortiCloud SSO authentication bypass vulnerability, tracked as CVE-2026-24858. The flaw allows attackers to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability. Fortinet has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. Fortinet confirmed that attackers were exploiting an alternate authentication path that remained even on fully patched systems. Fortinet disabled FortiCloud accounts being abused by attackers on January 22 and disabled FortiCloud SSO globally on January 26. Fortinet restored FortiCloud SSO access on January 27 but restricted it so that devices running vulnerable firmware can no longer authenticate via SSO. The vulnerability is "Authentication Bypass Using an Alternate Path or Channel," caused by improper access control in FortiCloud SSO. Attackers with a FortiCloud account and a registered device could authenticate to other customers' devices if FortiCloud SSO was enabled. Fortinet confirmed the vulnerability was exploited in the wild by the malicious FortiCloud SSO accounts '[email protected]' and '[email protected]'. Once a device was breached, attackers would download customer config files and create one of the following admin accounts: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system. Connections were made from the following IP addresses: 104.28.244.115, 104.28.212.114, 104.28.212.115, 104.28.195.105, 104.28.195.106, 104.28.227.106, 104.28.227.105, 104.28.244.114, 37.1.209.19, 217.119.139.50. Fortinet is still investigating whether FortiWeb and FortiSwitch Manager are affected by the flaw. Customers who detect indicators of compromise in their logs should treat their devices as fully compromised, review all administrator accounts, restore configurations from known-clean backups, and rotate all credentials.

  3. 22.01.2026 07:55 · 8 articles

    New automated attacks alter firewall configurations on FortiGate devices

    A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices: the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out using a malicious FortiCloud account '[email protected]' from four different IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19; the threat actors have been observed logging in with accounts named '[email protected]' and '[email protected]'. After login the attackers created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence and exported device configurations, with all events taking place within seconds of each other, indicating automated activity. Arctic Wolf, which reported the campaign, said the attackers were exploiting an unknown vulnerability in the SSO feature to create accounts with VPN access, that the attacks originated from a small number of hosting providers, and that the campaign bears similarity to incidents documented in December following the disclosure of CVE-2025-59718. It is unclear whether the activity is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719.

  4. 19.12.2025 17:00 · 6 articles

    Over 25,000 Fortinet devices exposed to FortiCloud SSO attacks

    Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Shadowserver and Macnica threat researcher Yutaka Sejiyama identified these devices, highlighting the widespread exposure; Shadowserver's current tracking puts the number of exposed Fortinet devices with FortiCloud SSO enabled at nearly 11,000. CISA has added the FortiCloud SSO authentication bypass flaw to its catalog of actively exploited vulnerabilities, mandating that U.S. government agencies patch by December 23rd.

  5. 16.12.2025 12:58 · 12 articles

    Active exploitation of FortiCloud SSO authentication bypass vulnerabilities

    Threat actors have begun exploiting CVE-2025-59718 and CVE-2025-59719 in active attacks on FortiGate devices. Attackers used IP addresses associated with hosting providers such as The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Reports indicate that attackers exploited the vulnerability via maliciously crafted SAML messages to compromise admin accounts, creating new admin users such as 'helpdesk'. The IP address 104.28.244.114 has been used in recent exploitation attempts, and affected Fortinet customers shared logs showing that attackers created admin users after an SSO login from [email protected] on that address, matching indicators of compromise detected by Arctic Wolf.

    A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices: the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out using a malicious account '[email protected]' from four different IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19; the threat actors have been observed logging in with accounts named '[email protected]' and '[email protected]'. They created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence. All events took place within seconds of each other, indicating automated activity. Arctic Wolf reported that the campaign exploited an unknown vulnerability in the SSO feature to create accounts with VPN access and export firewall configurations within seconds, and noted that it bears similarity to incidents documented in December following the disclosure of CVE-2025-59718.

  6. 09.12.2025 20:36 · 12 articles

    Fortinet patches critical FortiCloud SSO authentication bypass vulnerabilities

    Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator. However, multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices, and affected admins reported that Fortinet's developer team confirmed the vulnerability persists in FortiOS 7.4.10, even though the flaw should have been patched since early December with the release of FortiOS 7.4.9. Fortinet said it would release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address CVE-2025-59718. Fortinet confirmed that the FortiCloud SSO authentication bypass is still being actively exploited on fully-patched FortiGate firewalls; the exploitation activity involves the creation of generic accounts for persistence, configuration changes to grant VPN access, and exfiltration of firewall configurations, and the threat actors have been observed logging in with accounts named '[email protected]' and '[email protected]'. Fortinet's CISO Carl Windsor confirmed that the ongoing attacks match December's malicious activity and that the issue is applicable to all SAML SSO implementations.

    Fortinet advised customers to restrict administrative access to their edge network devices from the Internet by applying a local-in policy that limits the IP addresses allowed to reach the devices' administrative interfaces, and to disable FortiCloud SSO logins by toggling off the "Allow administrative login using FortiCloud SSO" option in the GUI (the 'admin-forticloud-sso-login' option in the CLI). Affected customers are advised to treat the system and configuration as compromised, rotate credentials, and restore their configuration from a known clean version if IOCs are detected.

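The mitigation and recovery guidance in the timeline comes down to three checks on a device's configuration: is the FortiCloud SSO admin login switched off, do any of the attacker-created admin account names exist, and is management access restricted by a local-in policy. The script below is an added example written for this page, not Fortinet's code, and audits an exported FortiOS configuration for exactly those points. Both configuration excerpts are constructed; the locations assumed for the settings (admin-forticloud-sso-login under config system global, admin accounts under config system admin, management restrictions under config firewall local-in-policy) and the local-in policy syntax in the hardened excerpt are recalled from the FortiOS CLI and should be verified on your firmware.

```python
"""Audit an exported FortiOS configuration for the points this page's guidance
turns on. Added example, not Fortinet's code; both config excerpts are
constructed. Assumed locations (verify on your firmware): admin-forticloud-sso-login
under 'config system global', admin accounts under 'config system admin',
management source restrictions under 'config firewall local-in-policy'."""

# Admin account names the reporting on this page attributes to the attackers.
IOC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
                   "deploy", "remoteadmin", "security", "svcadmin", "system", "helpdesk"}


def parse_fortios_config(text: str) -> dict:
    """Minimal parser for FortiOS 'config / edit / set / next / end' syntax:
    {section: {entry: {attr: value}}}, with attributes set directly in a section
    (no 'edit') under the key None; multi-value lines stay one de-quoted string."""
    tree: dict = {}
    stack: list = []  # [section, current entry or None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            section = line[7:]
            tree.setdefault(section, {})
            stack.append([section, None])
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            stack[-1][1] = entry
            tree[stack[-1][0]].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[key] = value.replace('"', "")
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return tree


def audit(config_text: str) -> dict:
    """Flag enabled/unset FortiCloud SSO login, IOC-named admins and a missing
    local-in policy; returns the raw values alongside the findings."""
    cfg = parse_fortios_config(config_text)
    findings = []
    # The page notes SSO login is switched on by FortiCare registration unless
    # explicitly disabled, so an absent setting is not treated as safe.
    sso = cfg.get("system global", {}).get(None, {}).get("admin-forticloud-sso-login", "unset")
    if sso != "disable":
        findings.append(f"admin-forticloud-sso-login is '{sso}': set it to disable until patched")
    admins = {n: a for n, a in cfg.get("system admin", {}).items() if n}
    ioc_admins = sorted(n for n in admins if n.lower() in IOC_ADMIN_NAMES)
    for n in ioc_admins:
        findings.append(f"admin '{n}' (profile {admins[n].get('accprofile', '?')}) matches an "
                        "attacker-created account name: treat the device as compromised")
    has_local_in = bool(cfg.get("firewall local-in-policy"))
    if not has_local_in:
        findings.append("no firewall local-in-policy: management access is not source-restricted")
    return {"sso_login": sso, "admins": sorted(admins), "ioc_admins": ioc_admins,
            "local_in_policy": has_local_in, "findings": findings}


# Constructed excerpt of a device in the state the reporting describes.
CONFIG_WEAK = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "secadmin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

# Constructed excerpt after the page's mitigations; the local-in policy syntax
# is recalled from the FortiOS CLI and is an assumption.
CONFIG_HARDENED = """\
config system global
    set admin-forticloud-sso-login disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 203.0.113.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-allowlist"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
"""
```

On the weak excerpt the audit returns three findings (SSO login enabled, the 'secadmin' super_admin account, no local-in policy); on the hardened excerpt it returns none. A clean audit is not proof of a clean device: the page's own advice is that any IOC in the logs means treating the configuration as compromised and restoring from a known-clean backup, so run this against the backup you intend to restore as well as against the live export.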


Similar Happenings

Fortinet Firewalls Exploited via Incompletely Patched Flaws

Fortinet confirmed ongoing exploitation of an improperly patched vulnerability in FortiCloud SSO authentication, affecting fully updated firewalls. The flaw, related to CVE-2025-59718 and CVE-2025-59719, allows unauthenticated bypass of SSO login via crafted SAML messages. Fortinet advises disabling FortiCloud SSO and restricting administrative access as mitigations. The vulnerability highlights the risks of incomplete patches and the evolving tactics of attackers targeting trusted network security tools.

Critical Fortinet FortiSIEM Flaw Exploited in the Wild

A critical vulnerability in Fortinet FortiSIEM (CVE-2025-64155, CVSS 9.4) is under active exploitation. The flaw allows unauthenticated attackers to execute arbitrary code or commands via crafted TCP requests. The vulnerability comprises two issues: an unauthenticated argument injection leading to arbitrary file write and remote code execution as the admin user, and a file overwrite privilege escalation leading to root access. The affected phMonitor service is deeply embedded in FortiSIEM's operational workflow, making successful exploitation grant full control of the appliance. This vulnerability poses a significant risk to organizations using FortiSIEM, as it can lead to complete compromise of the appliance. Fortinet users are advised to apply patches and monitor their systems for any signs of exploitation.

Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)

Fortinet has reported active exploitation of a five-year-old vulnerability (CVE-2020-12812) in FortiOS SSL VPN, which allows attackers to bypass two-factor authentication (2FA) under specific configurations. The flaw, affecting certain setups with local and remote authentication methods, has been observed in the wild by multiple threat actors, including state-backed hackers. Fortinet has issued an advisory detailing the prerequisites for exploitation and recommended mitigations. The FBI and CISA have also warned about the exploitation of this vulnerability in ransomware attacks.

Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)

WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco has released security updates for the vulnerability and recommends securing and restricting access to vulnerable appliances. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.