
Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched

4 unique sources, 18 articles

Summary


Fortinet has released **emergency patches** for **CVE-2026-35616**, a critical **pre-authentication API access bypass** in FortiClient EMS 7.4.5/7.4.6 that lets unauthenticated attackers execute arbitrary code via crafted requests. The flaw, described by Defused as a **zero-day vulnerability**, has been **actively exploited in the wild** since at least late March 2026, prompting CISA to add it to its **Known Exploited Vulnerabilities (KEV) catalog** on April 6, 2026, with a patching deadline of **April 9, 2026**, for U.S. federal agencies. Federal and private-sector organizations are urged to apply the hotfixes immediately or upgrade to **FortiClientEMS 7.4.7** once it is released. This follows the **active exploitation of CVE-2026-21643**, a critical SQL injection (CVSS 9.8) in FortiClientEMS, also under attack since late March. Roughly **1,000–2,000 FortiClient EMS instances** remain exposed online, primarily in the U.S. and Europe, with Shadowserver tracking ongoing scans. Fortinet warns that a compromised EMS server lets attackers **push malicious updates to endpoints**, escalating the risk of ransomware, espionage, or destructive attacks. Earlier in 2026, Fortinet addressed **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass (CVSS 9.4) exploited to hijack admin accounts and exfiltrate configurations from **over 25,000 exposed devices**. CISA mandated patches for federal agencies by **January 30, 2026**, while Fortinet temporarily disabled FortiCloud SSO to mitigate zero-day attacks. Organizations are advised to **disable FortiCloud SSO until patches are applied**, restrict management interface access, and treat compromised systems as fully breached, which requires credential rotation and configuration restoration.

Timeline

  1. 05.04.2026 21:45 3 articles · 2d ago

    Fortinet releases emergency patch for actively exploited FortiClient EMS access control flaw

    Fortinet released an **emergency security update** on **April 5, 2026**, for **CVE-2026-35616**, a critical **pre-authentication API access bypass** in FortiClient EMS 7.4.5 and 7.4.6. The flaw allows **unauthenticated attackers to execute code or commands** via specially crafted requests, bypassing authentication entirely. Fortinet confirmed **active zero-day exploitation in the wild**, with Defused reporting attacks **earlier in the week** (late March–early April 2026). The vulnerability was described as enabling attackers to **bypass API authentication and authorization entirely**, posing severe risks to endpoint management infrastructure. CISA added CVE-2026-35616 to its **Known Exploited Vulnerabilities (KEV) catalog** on **April 6, 2026**, ordering **Federal Civilian Executive Branch (FCEB) agencies** to patch by **April 9, 2026**. Shadowserver identified **over 2,000 exposed FortiClient EMS instances**, primarily in the **U.S. and Europe**, as of April 2026. Fortinet **urged immediate application of hotfixes** for 7.4.5/7.4.6 or an upgrade to **7.4.7** upon release, warning that compromised EMS systems could be used to **push malicious updates to endpoints** for ransomware, espionage, or destructive attacks. The article also highlights **CVE-2026-21643**, a critical **SQL injection flaw (CVSS 9.8)** in FortiClientEMS, actively exploited since late March. New **indicators of compromise (IoCs)** include **HTTP 500 errors on `/api/v1/init_consts`**, unusual PostgreSQL database errors, and unauthorized remote monitoring tools. Customers are advised to upgrade to **7.4.5+** or isolate administrative interfaces from the internet.

  2. 10.02.2026 06:38 3 articles · 1mo ago

    Fortinet patches critical unauthenticated SQLi in FortiClientEMS

    Fortinet has addressed a **critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS that allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests targeting the 'Site' header. The flaw impacts **FortiClientEMS 7.4.4** (fixed in 7.4.5) but does not affect versions 7.2 or 8.0. Discovered by Fortinet’s Gwendal Guégniaud, the vulnerability is now confirmed to be **actively exploited in the wild**, with exploitation beginning at least four days prior to March 30, 2026. Nearly **1,000 FortiClient EMS instances** remain publicly exposed, primarily in the U.S. and Europe. This follows a **newly patched critical access control flaw (CVE-2026-35616)** in FortiClient EMS 7.4.5/7.4.6, also under active exploitation, which allows unauthenticated attackers to bypass authentication and execute commands via crafted API requests. Fortinet released **emergency hotfixes on April 5, 2026**, crediting Defused and Nguyen Duc Anh for the discovery. Shadowserver tracks **over 2,000 exposed FortiClient EMS instances** as of April 2026, with the majority in the U.S. and Germany. Customers are urged to apply hotfixes immediately or upgrade to **FortiClientEMS 7.4.7** upon release.

  3. 28.01.2026 10:05 2 articles · 2mo ago

    Fortinet releases patches for CVE-2026-24858

    Fortinet has released emergency patches for **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass vulnerability (CVSS 9.4) actively exploited in the wild. The flaw allows attackers with a FortiCloud account and a registered device to log into other customers’ devices if FortiCloud SSO is enabled, even on fully patched systems. Exploitation has been linked to automated attacks that log in through malicious FortiCloud accounts such as '[email protected]' and '[email protected]', create admin accounts (e.g., 'audit', 'backupadmin'), grant VPN access, and exfiltrate firewall configurations. Patches are now available in **FortiOS 7.4.11**, **FortiManager 7.4.10**, and **FortiAnalyzer 7.4.10**, with additional fixes planned for older versions (e.g., FortiOS 7.2.13, 7.0.19). Fortinet briefly disabled FortiCloud SSO globally (January 26–27, 2026) to mitigate the attacks, then restricted access to patched devices only. The U.S. CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate by **January 30, 2026**. Customers detecting indicators of compromise (IoCs) are advised to treat devices as fully breached, rotate credentials, and restore configurations from clean backups.

  4. 28.01.2026 01:19 3 articles · 2mo ago

    Fortinet confirms new critical FortiCloud SSO authentication bypass vulnerability CVE-2026-24858

    Fortinet has confirmed a new, actively exploited critical FortiCloud SSO authentication bypass vulnerability, tracked as CVE-2026-24858. The flaw allows attackers to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability. Fortinet confirmed that attackers were exploiting an alternate authentication path that remained even on fully patched systems, and mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. Fortinet disabled the FortiCloud accounts being abused by attackers on January 22 and disabled FortiCloud SSO globally on January 26. It restored FortiCloud SSO access on January 27 but restricted it so that devices running vulnerable firmware can no longer authenticate via SSO. The vulnerability is classified as "Authentication Bypass Using an Alternate Path or Channel," caused by improper access control in FortiCloud SSO: attackers with a FortiCloud account and a registered device could authenticate to other customers' devices if FortiCloud SSO was enabled. Fortinet confirmed the vulnerability was exploited in the wild through the malicious FortiCloud SSO accounts '[email protected]' and '[email protected]'. Once a device was breached, attackers would download the customer's config files and create one of the following admin accounts: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system. Connections were made from the following IP addresses: 104.28.244.115, 104.28.212.114, 104.28.212.115, 104.28.195.105, 104.28.195.106, 104.28.227.106, 104.28.227.105, 104.28.244.114, 37.1.209.19, 217.119.139.50. Fortinet is still investigating whether FortiWeb and FortiSwitch Manager are affected by the flaw. Customers who detect indicators of compromise in their logs should treat their devices as fully compromised, review all administrator accounts, restore configurations from known-clean backups, and rotate all credentials.

  5. 22.01.2026 07:55 8 articles · 2mo ago

    New automated attacks alter firewall configurations on FortiGate devices

    A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices. The activity includes the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out with the malicious account '[email protected]' from four different IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19. Threat actors created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence. All events took place within seconds of each other, pointing to automated activity. Arctic Wolf reported that the campaign started on January 15, 2026, with attackers exploiting an unknown vulnerability in the SSO feature to create accounts with VPN access and export firewall configurations within seconds of logging in. Arctic Wolf noted that the current campaign bears similarity to incidents documented in December following the disclosure of CVE-2025-59718. The attacks originated from a small number of hosting providers and typically targeted the [email protected] account. It is unclear whether the activity is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719. The threat actors have also been observed logging in with accounts named '[email protected]' and '[email protected]'.

  6. 19.12.2025 17:00 6 articles · 3mo ago

    Over 25,000 Fortinet devices exposed to FortiCloud SSO attacks

    Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Shadowserver and Macnica threat researcher Yutaka Sejiyama identified these devices, highlighting the widespread exposure. CISA has added the vulnerability to its catalog of actively exploited vulnerabilities, requiring U.S. government agencies to patch by December 23. Internet security watchdog Shadowserver is currently tracking nearly 11,000 Fortinet devices that are exposed online and have FortiCloud SSO enabled.

  7. 16.12.2025 12:58 12 articles · 3mo ago

    Active exploitation of FortiCloud SSO authentication bypass vulnerabilities

    Threat actors have begun exploiting CVE-2025-59718 and CVE-2025-59719 in active attacks on FortiGate devices. Attackers used IP addresses associated with hosting providers like The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Recent reports indicate that attackers have exploited the vulnerability via maliciously crafted SAML messages to compromise admin accounts, creating new admin users such as 'helpdesk'. The IP address 104.28.244.114 has been used in recent exploitation attempts. A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices: the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out with the malicious account '[email protected]' from four different IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19. Threat actors created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence. All events took place within seconds of each other, pointing to automated activity. Arctic Wolf reported that the campaign started on January 15, 2026, with attackers exploiting an unknown vulnerability in the SSO feature to create accounts with VPN access and export firewall configurations within seconds, and noted that the campaign bears similarity to incidents documented in December following the disclosure of CVE-2025-59718. Affected Fortinet customers shared logs showing that the attackers created admin users after an SSO login from [email protected] on IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf. The threat actors have also been observed logging in with accounts named '[email protected]' and '[email protected]'.

  8. 09.12.2025 20:36 12 articles · 3mo ago

    Fortinet patches critical FortiCloud SSO authentication bypass vulnerabilities

    Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator. However, FortiOS version 7.4.10 does not fully address the authentication bypass vulnerability: multiple users reported seeing malicious SSO logins on fully patched FortiOS devices, and the Fortinet developer team confirmed to affected admins that the vulnerability persists in 7.4.10, even though it should have been patched since early December with the release of FortiOS 7.4.9. Fortinet is planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address the CVE-2025-59718 security flaw. Fortinet's CISO Carl Windsor confirmed that the ongoing attacks match December's malicious activity and that the issue is applicable to all SAML SSO implementations. Fortinet has confirmed that the FortiCloud SSO authentication bypass vulnerability is still being actively exploited on fully patched FortiGate firewalls; the recent exploitation activity involves the creation of generic accounts for persistence, configuration changes to grant VPN access, and exfiltration of firewall configurations, with the threat actors observed logging in with accounts named '[email protected]' and '[email protected]'. Fortinet advised customers to restrict administrative access to their edge network devices from the Internet by applying a local-in policy that limits the IP addresses that can reach the devices' administrative interfaces, and to disable FortiCloud SSO logins by toggling off the "Allow administrative login using FortiCloud SSO" option (the 'admin-forticloud-sso-login' setting). Affected customers are advised to treat the system and configuration as compromised, rotate credentials, and restore the configuration from a known clean version if IoCs are detected.

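The persistence pattern the timeline entries above describe (an SSO login, then a generic admin account and a configuration export within seconds, often from one of the listed IPs) can be turned into a log-correlation check. The script below is an added example, not code from CyberHappenings, Fortinet or Arctic Wolf; its key=value line format is a simplified stand-in for the real FortiOS event log schema, and the sample lines, the `sso-user@example.invalid` account and the 10.0.0.5 / 192.0.2.10 addresses are constructed.

```python
"""Correlate FortiGate-style event lines to flag the automated FortiCloud SSO
abuse pattern: SSO login -> generic admin account -> config export within
seconds. Added example; the key=value fields are not Fortinet's real schema."""
from datetime import datetime, timedelta

# Source IPs and account names quoted in the timeline entries above.
MALICIOUS_SSO_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}
GENERIC_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system", "helpdesk",
}
WINDOW = timedelta(seconds=30)  # the reports say the steps happen within seconds

# Constructed sample log; the SSO account and the private/TEST-NET IPs are placeholders.
SAMPLE_LOG = """\
ts=2026-01-15T03:12:07 action=login method=https user=admin srcip=10.0.0.5 status=success
ts=2026-01-15T03:40:01 action=login method=sso user=sso-user@example.invalid srcip=104.28.244.115 status=success
ts=2026-01-15T03:40:03 action=add cfgpath=system.admin cfgobj=secadmin user=sso-user@example.invalid srcip=104.28.244.115
ts=2026-01-15T03:40:05 action=export object=config user=sso-user@example.invalid srcip=104.28.244.115
ts=2026-01-15T09:00:00 action=login method=sso user=ops@example.invalid srcip=192.0.2.10 status=success
ts=2026-01-15T11:30:00 action=add cfgpath=system.admin cfgobj=jdoe user=admin srcip=10.0.0.5
"""


def parse(line):
    """Split a 'key=value key=value' line into a dict and parse its timestamp."""
    ev = {}
    for token in line.split():
        key, _, value = token.partition("=")
        ev[key] = value.strip('"')
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_sso_abuse(lines):
    """Return alert strings for: an SSO login from a known-bad IP, and any admin
    account creation or config export from the same source IP within WINDOW of
    an SSO login (the automation signature, whatever the source IP)."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("action") != "login" or ev.get("method") != "sso":
            continue
        ip, user = ev.get("srcip"), ev.get("user")
        if ip in MALICIOUS_SSO_IPS:
            alerts.append(f"{ev['ts']} sso login as {user} from known-bad ip {ip}")
        for later in events[i + 1:]:
            delta = later["ts"] - ev["ts"]
            if delta > WINDOW:
                break  # events are time-sorted, so nothing later is in the window
            if later.get("srcip") != ip:
                continue
            if later.get("action") == "add" and later.get("cfgpath") == "system.admin":
                name = later.get("cfgobj", "")
                kind = "generic" if name in GENERIC_ADMIN_NAMES else "unexpected"
                alerts.append(f"{later['ts']} {kind} admin '{name}' created "
                              f"{delta.seconds}s after sso login from {ip}")
            elif later.get("action") == "export" and later.get("object") == "config":
                alerts.append(f"{later['ts']} config export {delta.seconds}s "
                              f"after sso login from {ip}")
    return alerts
```

On the sample log this yields three alerts for the 104.28.244.115 sequence and none for the benign local admin login or the isolated SSO login from 192.0.2.10.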


Similar Happenings

Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

CVE-2025-53521, initially disclosed as a DoS flaw in October 2025, has been reclassified as a critical RCE vulnerability (CVSS 9.8) following new exploitation activity in March 2026. Threat actors are actively exploiting the flaw by sending malicious traffic to virtual servers configured with BIG-IP AMP or systems in appliance mode to deploy webshells and other payloads. F5 has confirmed exploitation in the wild and published IOCs, while CISA added the flaw to its KEV catalog on March 28, 2026, mandating federal remediation within three days. Multiple actors are probing F5 infrastructure, with observed payload deviations and scanning targeting REST API endpoints. Shadowserver tracks over 240,000 exposed BIG-IP instances, and the NCSC has urged immediate patching in the UK due to confirmed exploitation activity. The flaw affects BIG-IP APM versions 15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, and 17.5.0–17.5.1. Fixed versions (15.1.10.8, 16.1.6.1, 17.1.3, 17.5.1.3) are available, and F5 recommends forensic best practices including system rebuilding due to potential persistent malware in UCS backups.

Fortinet Firewalls Exploited via Incompletely Patched Flaws

Fortinet confirmed ongoing exploitation of an improperly patched vulnerability in FortiCloud SSO authentication, affecting fully updated firewalls. The flaw, related to CVE-2025-59718 and CVE-2025-59719, allows unauthenticated bypass of SSO login via crafted SAML messages. Fortinet advises disabling FortiCloud SSO and restricting administrative access as mitigations. The vulnerability highlights the risks of incomplete patches and the evolving tactics of attackers targeting trusted network security tools.

Critical Fortinet FortiSIEM Flaw Exploited in the Wild

A critical vulnerability in Fortinet FortiSIEM (CVE-2025-64155, CVSS 9.4) is under active exploitation. The flaw allows unauthenticated attackers to execute arbitrary code or commands via crafted TCP requests. It comprises two issues: an unauthenticated argument injection leading to arbitrary file write and remote code execution as the admin user, and a file overwrite privilege escalation leading to root access. The affected phMonitor service is deeply embedded in FortiSIEM's operational workflow, so successful exploitation grants full control of the appliance. Fortinet users are advised to apply patches and monitor their systems for any signs of exploitation.

Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)

Fortinet has reported active exploitation of a five-year-old vulnerability (CVE-2020-12812) in FortiOS SSL VPN, which allows attackers to bypass two-factor authentication (2FA) under specific configurations. The flaw, affecting certain setups with local and remote authentication methods, has been observed in the wild by multiple threat actors, including state-backed hackers. Fortinet has issued an advisory detailing the prerequisites for exploitation and recommended mitigations. The FBI and CISA have also warned about the exploitation of this vulnerability in ransomware attacks.

Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)

WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.