CyberHappenings

Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched

3 unique sources, 14 articles

Summary


Fortinet has released patches for a **new critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS that allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. The flaw affects FortiClientEMS 7.4.4 (fixed in 7.4.5); versions 7.2 and 8.0 are not affected, and no in-the-wild exploitation has been reported. It follows Fortinet's emergency updates for **CVE-2026-24858** (CVSS 9.4), a critical FortiCloud SSO authentication bypass that has been actively exploited since January 15, 2026 in automated attacks that create admin accounts, change firewall configurations to grant VPN access, and exfiltrate device configurations. The bypass, classified as "Authentication Bypass Using an Alternate Path or Channel" and caused by improper access control in FortiCloud SSO, let an attacker holding any FortiCloud account with a registered device log in to other customers' devices, even devices fully patched against the earlier SAML-signature flaws CVE-2025-59718 and CVE-2025-59719 (the FortiClientEMS SQLi, by contrast, is an input-validation bug). Fortinet confirmed exploitation through the malicious FortiCloud accounts '[email protected]' and '[email protected]', disabled FortiCloud SSO globally on January 26–27 while fixes were rolled out, and now blocks SSO logins from devices running vulnerable firmware. Fixes for CVE-2026-24858 are available in FortiOS 7.4.11, FortiManager 7.4.10, and FortiAnalyzer 7.4.10, with builds for older branches planned; CISA added the flaw to its KEV catalog with a federal remediation deadline of January 30, 2026. Scans in December 2025 had already found more than 25,000 Fortinet devices with FortiCloud SSO enabled exposed online. Fortinet advises disabling FortiCloud SSO until patches are applied, restricting management-interface access with a local-in policy, and treating any device that shows indicators of compromise as fully breached: review administrator accounts, rotate all credentials, and restore the configuration from a known-clean backup.
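The mitigation and response steps above (disable FortiCloud SSO admin login, restrict management access with a local-in policy, review administrator accounts for the names the attackers created) can be checked against a FortiOS configuration backup. The following is an added example written for this page, not Fortinet's tooling: it parses the `config / edit / set / next / end` structure, audits a deliberately weak configuration beside a hardened one, and reports what is missing. Both sample configurations are constructed; the address object `mgmt-hosts`, the interface `wan1` and the `expected_admins` allowlist are assumptions.

```python
import shlex

# Generic administrator names Fortinet reported the attackers creating (from the page).
IOC_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system", "helpdesk",
}

# Constructed sample: SSO admin login left on, an attacker-style 'secadmin'
# account present, and no local-in policy restricting management access.
WEAK_CONFIG = """\
#config-version=FGT-7.4.10 (constructed sample, not a real backup)
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "secadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Constructed sample with the mitigations applied. The address object
# "mgmt-hosts" and the interface "wan1" are assumptions.
HARDENED_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
"""


def parse_fortios_config(text):
    """Turn FortiOS 'config / edit / set / next / end' text into nested dicts:
    'config system admin' becomes cfg["system admin"], each 'edit' a child dict
    keyed by its name, and every 'set' stores its values as a list of strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_config(text, expected_admins):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_fortios_config(text)
    findings = []
    # 1. The page notes FortiCloud SSO admin login is turned on at FortiCare
    #    registration unless explicitly disabled, so only an explicit 'disable' passes.
    if cfg.get("system global", {}).get("admin-forticloud-sso-login") != ["disable"]:
        findings.append("admin-forticloud-sso-login is not explicitly disabled")
    # 2. Administrator accounts: names the attackers used for persistence first,
    #    then anything not on the operator's own allowlist.
    for name in cfg.get("system admin", {}):
        if name in IOC_ADMIN_NAMES:
            findings.append(f"admin account '{name}' matches an attacker-created name")
        elif name not in expected_admins:
            findings.append(f"admin account '{name}' is not on the expected list")
    # 3. Management access must be limited by at least one local-in policy.
    if not cfg.get("firewall local-in-policy"):
        findings.append("no local-in policy restricts management-interface access")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(text, expected_admins={"admin"}) or ["ok"])
```

The local-in check only confirms that a policy exists; whether `mgmt-hosts` is tight enough, and whether every interface that carries management traffic is covered, still has to be read by a person.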

Timeline

  1. 10.02.2026 06:38 · 1 article

    Fortinet patches critical unauthenticated SQLi in FortiClientEMS

    Fortinet has addressed a **critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS that allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. The flaw impacts **FortiClientEMS 7.4.4** (fixed in 7.4.5) but does not affect versions 7.2 or 8.0. Discovered by Fortinet’s Gwendal Guégniaud, the vulnerability underscores ongoing risks from improper input validation in Fortinet products. While no in-the-wild exploitation is reported, users are urged to apply updates promptly to prevent potential remote code execution (RCE) attacks. This patch follows Fortinet’s recent fixes for **CVE-2026-24858**, the actively exploited FortiCloud SSO bypass flaw.

  2. 28.01.2026 10:05 · 2 articles

    Fortinet releases patches for CVE-2026-24858

    Fortinet has released emergency patches for **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass vulnerability (CVSS 9.4) that is being actively exploited in the wild. The flaw allows an attacker with a FortiCloud account and a registered device to log in to other customers' devices if FortiCloud SSO is enabled, even on systems fully patched against the earlier SAML bypass flaws (CVE-2025-59718 and CVE-2025-59719). Exploitation has been linked to automated attacks that create admin accounts (e.g., 'audit', 'backupadmin'), grant VPN access, and exfiltrate firewall configurations, using malicious FortiCloud accounts such as '[email protected]' and '[email protected]'. Patches are available in **FortiOS 7.4.11**, **FortiManager 7.4.10**, and **FortiAnalyzer 7.4.10**, with fixes for older branches (e.g., FortiOS 7.2.13 and 7.0.19) to follow. To contain the attacks, Fortinet disabled FortiCloud SSO globally on January 26–27, 2026 and then restored it only for devices running fixed firmware. The U.S. CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate by **January 30, 2026**. Customers who find indicators of compromise (IoCs) should treat the device as fully breached, rotate credentials, and restore the configuration from a known-clean backup.

  3. 28.01.2026 01:19 · 3 articles

    Fortinet confirms new critical FortiCloud SSO authentication bypass vulnerability CVE-2026-24858

    Fortinet has confirmed a new, actively exploited critical FortiCloud SSO authentication bypass vulnerability, tracked as CVE-2026-24858. Classified as "Authentication Bypass Using an Alternate Path or Channel" and caused by improper access control in FortiCloud SSO, it allowed an attacker holding any FortiCloud account with a registered device to authenticate to other customers' FortiOS, FortiManager, and FortiAnalyzer devices whenever FortiCloud SSO was enabled, even on devices fully patched against the earlier SAML flaws: the attackers were using an alternate authentication path that those patches left in place. Fortinet disabled the abused FortiCloud accounts on January 22, disabled FortiCloud SSO globally on January 26, and restored it on January 27 with the restriction that devices running vulnerable firmware can no longer authenticate via SSO. Fortinet confirmed exploitation by the malicious FortiCloud SSO accounts '[email protected]' and '[email protected]'. After breaching a device, the attackers downloaded the customer's configuration file and created one of the following admin accounts: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system. Connections came from the following IP addresses: 104.28.244.115, 104.28.212.114, 104.28.212.115, 104.28.195.105, 104.28.195.106, 104.28.227.106, 104.28.227.105, 104.28.244.114, 37.1.209.19, 217.119.139.50. Fortinet is still investigating whether FortiWeb and FortiSwitch Manager are affected. Customers who find these indicators in their logs should treat the device as fully compromised: review all administrator accounts, restore the configuration from a known-clean backup, and rotate all credentials.

  4. 22.01.2026 07:55 · 8 articles

    New automated attacks alter firewall configurations on FortiGate devices

    A new cluster of automated malicious activity against FortiGate devices began on January 15, 2026, as reported by Arctic Wolf. The attackers exploited a then-unidentified weakness in the FortiCloud SSO feature (subsequently assigned CVE-2026-24858) to log in with the malicious FortiCloud accounts '[email protected]' and '[email protected]', create generic administrator accounts for persistence (names seen include 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit'), change the configuration to grant VPN access, and export the firewall configuration. The SSO logins with '[email protected]' came from four IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19, belonging to a small number of hosting providers. Login, account creation, and configuration export occurred within seconds of each other, which points to automation. Arctic Wolf noted that the campaign resembles the incidents documented in December 2025 after the disclosure of CVE-2025-59718, and that it was unclear whether the activity was fully covered by the patches that addressed CVE-2025-59718 and CVE-2025-59719.

  5. 19.12.2025 17:00 · 6 articles

    Over 25,000 Fortinet devices exposed to FortiCloud SSO attacks

    Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, more than 5,400 of them in the United States and nearly 2,000 in India, according to Macnica threat researcher Yutaka Sejiyama; Shadowserver's own tracking counts nearly 11,000 exposed Fortinet devices with FortiCloud SSO enabled. Either figure shows how widespread the exposure is. CISA has added the actively exploited FortiCloud SSO bypass (CVE-2025-59718) to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies to patch by December 23, 2025.

  6. 16.12.2025 12:58 · 12 articles

    Active exploitation of FortiCloud SSO authentication bypass vulnerabilities

    Threat actors have begun exploiting CVE-2025-59718 and CVE-2025-59719 in active attacks on FortiGate devices. Using IP addresses belonging to hosting providers such as The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited, the attackers performed malicious SSO logins against admin accounts, reached the web management interface, and downloaded system configuration files, which expose the network layout, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. The bypass was triggered with maliciously crafted SAML messages to compromise admin accounts and create new admin users such as 'helpdesk'. The IP address 104.28.244.114 has been used in recent exploitation attempts; affected customers shared logs showing admin users created right after an SSO login from '[email protected]' at that address, matching indicators of compromise detected by Arctic Wolf. The threat actors have also been observed logging in with the account '[email protected]'. The follow-on cluster of automated activity that started on January 15, 2026 is described in the entry dated 22.01.2026 above.

  7. 09.12.2025 20:36 · 12 articles

    Fortinet patches critical FortiCloud SSO authentication bypass vulnerabilities

    Fortinet has released updates for two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication with maliciously crafted SAML messages. Both stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default, but it is switched on when a device is registered with FortiCare unless the administrator explicitly disables it. The initial fixes proved incomplete: multiple users reported malicious SSO logins on fully patched devices, and Fortinet's developers confirmed that FortiOS 7.4.10 does not fully address the bypass, which was supposed to have been closed in early December with FortiOS 7.4.9. Fortinet said it would release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the following days to fully patch CVE-2025-59718. Fortinet CISO Carl Windsor confirmed that the ongoing attacks match December's malicious activity and said the issue is applicable to all SAML SSO implementations. The observed activity consists of creating generic accounts for persistence, changing the configuration to grant VPN access, and exfiltrating firewall configurations, with logins from the accounts '[email protected]' and '[email protected]'. Fortinet's recommended mitigations are to restrict administrative access from the internet with a local-in policy that limits the source IP addresses allowed to reach the management interfaces, and to disable FortiCloud SSO logins, either by toggling off "Allow administrative login using FortiCloud SSO" in the GUI or by disabling the 'admin-forticloud-sso-login' option in the CLI. Customers who find indicators of compromise should treat the system and its configuration as compromised, rotate credentials, and restore a known-clean configuration.

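The indicators in the entries dated 28.01.2026, 22.01.2026 and 16.12.2025 above (source IP addresses, generic admin account names, and login, account creation and configuration export within seconds of each other) translate directly into detection logic. The following is an added example, not code from Fortinet or Arctic Wolf: it runs three rules over FortiGate-style `key=value` event log lines. The log lines are constructed for the example; the field names follow FortiOS event logs, but the exact `logdesc` strings and the 60-second automation window are assumptions to be adjusted against real logs, and because the page's malicious FortiCloud account names are redacted ('[email protected]'), the rules key on IP address, created account name and timing rather than on the account name.

```python
import re
from datetime import datetime, timedelta

# Source IPs and generic admin names from the Fortinet / Arctic Wolf reporting on the page.
IOC_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}
IOC_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system", "helpdesk",
}
# Assumption: a config export this soon after an admin login is treated as scripted.
AUTOMATION_WINDOW = timedelta(seconds=60)

# Constructed FortiGate-style event lines (not captured from a real device). The
# first three mirror the reported chain: SSO login from an IoC address, creation
# of an attacker-style admin two seconds later, config export five seconds after
# the login. The last two are benign: an operator login from the LAN and a
# backup taken half an hour later. The SSO account name is a placeholder.
SAMPLE_LOG = """\
date=2026-01-15 time=03:41:07 type="event" subtype="system" logdesc="Admin login successful" user="forticloud-account@example.invalid" method="sso" srcip=104.28.244.115 action="login" status="success"
date=2026-01-15 time=03:41:09 type="event" subtype="system" logdesc="Object attribute configured" user="forticloud-account@example.invalid" cfgpath="system.admin" cfgobj="secadmin" cfgattr="accprofile[super_admin]" action="Add"
date=2026-01-15 time=03:41:12 type="event" subtype="system" logdesc="Config backup" user="forticloud-account@example.invalid" srcip=104.28.244.115 action="backup"
date=2026-01-15 time=09:02:44 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=10.0.0.5 action="login" status="success"
date=2026-01-15 time=09:30:01 type="event" subtype="system" logdesc="Config backup" user="admin" srcip=10.0.0.5 action="backup"
""".splitlines()

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split a key=value line (quoted or bare values) into a dict with a datetime."""
    ev = {}
    for m in _KV.finditer(line):
        ev[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def detect(lines):
    """Apply three rules; returns (rule, time, detail) tuples in log order."""
    findings = []
    last_login = {}  # admin user -> time of the most recent successful login
    for line in lines:
        ev = parse_event(line)
        desc, user = ev.get("logdesc", ""), ev.get("user", "")
        if desc == "Admin login successful":
            last_login[user] = ev["ts"]
            # Rule 1: any admin login from an address in the published IoC list.
            if ev.get("srcip") in IOC_IPS:
                findings.append(("login_from_ioc_ip", ev["time"], f"{user} from {ev['srcip']}"))
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            # Rule 2: a new administrator whose name matches the attackers' pattern.
            if ev.get("cfgobj") in IOC_ADMIN_NAMES:
                findings.append(("ioc_admin_account_created", ev["time"], f"{ev['cfgobj']} by {user}"))
        elif desc == "Config backup":
            # Rule 3: configuration exported within seconds of that user's login.
            since = ev["ts"] - last_login.get(user, datetime.min)
            if since <= AUTOMATION_WINDOW:
                findings.append(("config_export_after_login", ev["time"], f"{user} {since.seconds}s after login"))
    return findings


if __name__ == "__main__":
    for rule, when, detail in detect(SAMPLE_LOG):
        print(f"{when} {rule}: {detail}")
```

Rule 3 is the one that survives an attacker rotating infrastructure and account names: the reported chain is login, account creation and export within seconds, which no human administrator produces, so a short window after any SSO login is a reasonable hunting query even without the IoC lists.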


Similar Happenings

Fortinet Firewalls Exploited via Incompletely Patched Flaws

Fortinet confirmed ongoing exploitation of an improperly patched vulnerability in FortiCloud SSO authentication, affecting fully updated firewalls. The flaw, related to CVE-2025-59718 and CVE-2025-59719, allows unauthenticated bypass of SSO login via crafted SAML messages. Fortinet advises disabling FortiCloud SSO and restricting administrative access as mitigations. The vulnerability highlights the risks of incomplete patches and the evolving tactics of attackers targeting trusted network security tools.

Critical Fortinet FortiSIEM Flaw Exploited in the Wild

A critical vulnerability in Fortinet FortiSIEM (CVE-2025-64155, CVSS 9.4) is under active exploitation. It allows unauthenticated attackers to execute arbitrary code or commands via crafted TCP requests to the phMonitor service and comprises two issues: an unauthenticated argument injection that leads to an arbitrary file write and remote code execution as the admin user, and a file-overwrite privilege escalation that leads to root. Because phMonitor is central to FortiSIEM's operation, successful exploitation gives full control of the appliance. Fortinet users are advised to apply the patches and monitor their systems for signs of exploitation.

Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)

Fortinet has reported active exploitation of a five-year-old vulnerability (CVE-2020-12812) in FortiOS SSL VPN, which allows attackers to bypass two-factor authentication (2FA) under specific configurations. The flaw, affecting certain setups with local and remote authentication methods, has been observed in the wild by multiple threat actors, including state-backed hackers. Fortinet has issued an advisory detailing the prerequisites for exploitation and recommended mitigations. The FBI and CISA have also warned about the exploitation of this vulnerability in ransomware attacks.

Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)

WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco has released security updates for the vulnerability and recommends securing and restricting access to vulnerable appliances. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.