Fortinet Confirms Active FortiCloud SSO Bypass on Patched Firewalls
These articles are AI-generated summaries. Please check the original sources for full details.
Fortinet has confirmed that a FortiCloud SSO authentication bypass is still being exploited against FortiGate firewalls that already carry the fixes for CVE-2025-59718 and CVE-2025-59719. The attackers abuse the SAML-based SSO exchange to bypass login authentication and reach the administrative interface of fully patched devices.
Why This Matters
Patching is usually treated as the end of a vulnerability's life, but this incident shows an attack path that survived the fix. The impact of successful exploitation is severe: the attacker gains administrative access to the firewall, can establish persistence, and can exfiltrate the device configuration, which puts the networks behind the firewall at risk. Cleaning up after a successful compromise, counting incident response, recovery and reputational damage, can easily run to six figures.
Key Insights
- CVE-2025-59718 & CVE-2025-59719: Patched by Fortinet in December 2025; both concern authentication bypass in the SAML-based SSO login.
- SAML Abuse: The attackers abuse the SAML exchange of the FortiCloud SSO login to bypass authentication on the firewall, so the SSO path remains the entry point even after the CVE fixes.
- Persistence Tactics: After logging in from attacker-controlled SSO identities (rendered as “[email protected]” in the source), the attacker creates generic accounts and sets up VPN access, giving them a foothold that does not depend on the SSO session.
Practical Applications
- Use Case: Any organization running FortiGate firewalls with FortiCloud SSO enabled is exposed to unauthorized administrative access and configuration changes, regardless of current patch level.
- Pitfall: Treating the December 2025 patches as closing the issue gives a false sense of security; the same SAML SSO authentication path is still being abused, so patched devices should be reviewed for unexpected SSO administrator logins, newly created accounts and VPN configuration changes.
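The persistence pattern described above (an SSO administrator login followed by account creation and VPN changes) can be hunted for in FortiGate event logs. The following script is an added example, not code from Fortinet, Arctic Wolf or the source article. The log lines are constructed; the field names follow FortiGate's key=value event-log syntax (logdesc, user, ui, action, cfgpath, cfgobj), but the exact ui/method values an SSO login produces on a given firmware build, and the list of configuration paths worth watching, are assumptions to confirm against your own logs.

```python
"""Correlate FortiGate event logs: an admin login via SSO followed, within a
short window, by configuration changes that create accounts or open VPN access.

Added example, not Fortinet's or Arctic Wolf's code. Sample log lines are
constructed; the SSO marker in the ui field and PERSISTENCE_PATHS are assumptions.
"""
import re
from datetime import datetime, timedelta

# key="quoted value"  or  key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Config paths an attacker touches to persist (assumed list; extend for your estate).
PERSISTENCE_PATHS = {
    "system.admin",      # administrator accounts
    "user.local",        # local users usable for VPN
    "user.group",        # groups mapped to VPN portals / policies
    "vpn.ssl.settings",  # SSL-VPN settings
    "firewall.policy",   # policies that let VPN traffic through
}

WINDOW = timedelta(minutes=30)  # login-to-change correlation window


def parse_line(line):
    """Parse one FortiGate key=value log line into a dict, adding a 'ts' datetime."""
    ev = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    if "date" in ev and "time" in ev:
        ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def is_sso_admin_login(ev):
    """Successful admin login whose ui field names SSO (assumed marker)."""
    return (ev.get("logdesc") == "Admin login successful"
            and ev.get("status") == "success"
            and "sso" in ev.get("ui", "").lower())


def is_persistence_change(ev):
    """Add/Edit of a configuration object on one of the watched paths."""
    return ev.get("cfgpath") in PERSISTENCE_PATHS and ev.get("action") in {"Add", "Edit"}


def triage(lines, window=WINDOW):
    """One alert per persistence change made by an identity that logged in
    over SSO within `window` before the change."""
    events = [ev for ev in map(parse_line, lines) if "ts" in ev]
    events.sort(key=lambda ev: ev["ts"])
    last_sso_login = {}  # user -> timestamp of most recent SSO login
    alerts = []
    for ev in events:
        user = ev.get("user")
        if is_sso_admin_login(ev):
            last_sso_login[user] = ev["ts"]
        elif is_persistence_change(ev):
            t0 = last_sso_login.get(user)
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append({
                    "user": user, "srcip": ev.get("srcip"),
                    "login_at": t0, "changed_at": ev["ts"],
                    "action": ev.get("action"), "cfgpath": ev["cfgpath"],
                    "cfgobj": ev.get("cfgobj"),
                })
    return alerts


# Constructed sample: a normal HTTPS admin session, then an SSO identity that
# adds an administrator and edits SSL-VPN settings, then a change hours later.
SAMPLE_LOGS = [
    'date=2026-01-15 time=09:00:03 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" '
    'method="https" srcip=203.0.113.10 action="login" status="success"',
    'date=2026-01-15 time=09:02:30 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.10)" '
    'action="Edit" cfgpath="firewall.address" cfgobj="branch-lan"',
    'date=2026-01-15 time=09:12:44 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="sso-admin@example.invalid" '
    'ui="sso(198.51.100.7)" method="sso" srcip=198.51.100.7 action="login" status="success"',
    'date=2026-01-15 time=09:14:10 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="sso-admin@example.invalid" '
    'ui="sso(198.51.100.7)" srcip=198.51.100.7 action="Add" cfgpath="system.admin" '
    'cfgobj="support" cfgattr="accprofile[super_admin]"',
    'date=2026-01-15 time=09:15:02 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="sso-admin@example.invalid" '
    'ui="sso(198.51.100.7)" srcip=198.51.100.7 action="Edit" cfgpath="vpn.ssl.settings" '
    'cfgobj="settings"',
    'date=2026-01-15 time=16:40:00 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="sso-admin@example.invalid" '
    'ui="sso(198.51.100.7)" srcip=198.51.100.7 action="Edit" cfgpath="user.local" '
    'cfgobj="vpnuser1"',  # outside the 30-minute window: not correlated
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"ALERT {a['user']} from {a['srcip']}: {a['action']} {a['cfgpath']} "
              f"{a['cfgobj']} at {a['changed_at']} "
              f"({a['changed_at'] - a['login_at']} after SSO login)")
```

On the constructed sample the script raises two alerts, both for the SSO identity: the new `system.admin` object and the `vpn.ssl.settings` edit. The ordinary HTTPS session is ignored because it never logged in via SSO, and the late `user.local` change falls outside the 30-minute window; widen `window` (or drop the window and alert on every SSO-originated change to a watched path) if your environment has no legitimate FortiCloud SSO administrators at all.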