**Fortinet Warns of Active FortiCloud SSO Bypass Affecting Updated Devices**

Fortinet has confirmed that active attacks are bypassing FortiCloud SSO authentication, even on fully patched devices, in a scenario eerily similar to recent SSO flaws. The company's warning comes as threat actors continue to exploit vulnerabilities in its products.

The attacks involve automating firewall changes, adding users, enabling VPNs, and stealing configurations, all of which are hallmarks of a sophisticated campaign. Arctic Wolf researchers have reported observing a new automated attack cluster since January 15, 2026, targeting FortiGate devices. The attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations.

This activity bears an uncanny resemblance to a December 2025 campaign involving admin SSO logins and config theft. Arctic Wolf has detections in place and is closely monitoring the evolving threat.

According to Arctic Wolf's report, "Starting on January 15, 2026, Arctic Wolf began observing a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices." The report continues, "This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations."

Fortinet had previously disclosed two critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, both classified as improper verification of cryptographic signature issues. Arctic Wolf warned that threat actors began exploiting the two flaws in Fortinet products just days after the patches were released.

Arctic Wolf researchers observed that attackers started exploiting the critical Fortinet authentication bypass flaws on December 12, just three days after patches were issued. The attacks involved malicious SSO logins on FortiGate devices, originating from multiple hosting providers and mainly targeting admin accounts.

After gaining access, the attackers exported device configurations via the GUI. These files include hashed credentials, which threat actors can attempt to crack offline, increasing the risk of further compromise. Recent intrusions show malicious SSO logins from a small set of hosting providers, often targeting the [email protected] account.

Fortinet confirmed that attacks succeeded even against devices patched for CVE-2025-59718 and CVE-2025-59719. The company identified a new attack path after observing login exploits on fully updated devices. A fix is in progress, an advisory is pending, and all SAML SSO implementations may be affected.

Fortinet's advisory states, "Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue. However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path." The advisory continues, "Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline is available."

Fortinet emphasizes that while only exploitation of FortiCloud SSO has been observed, this issue applies to all SAML SSO implementations.

**Mitigation Steps:**

* Restrict admin access to local IPs
* Temporarily disable FortiCloud SSO as a workaround
* Monitor for suspicious activity and follow the recommended mitigation steps
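The post-login chain the article describes (SSO admin login from a hosting provider, a new generic account, VPN access granted, configuration exported) can be correlated in the firewall's admin event logs. The Python below is an added example, not code from the article, Arctic Wolf or Fortinet: it parses constructed FortiGate-style key=value events (the field names, values and the trusted management range are assumptions) and flags a non-local SSO login that is followed within a short window by those steps from the same source address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in FortiGate-style key=value form. Field names and
# values are assumptions made for this example, not lines quoted from any report.
SAMPLE_LOG = """\
date=2026-01-15 time=03:10:02 type="event" action="login" status="success" method="sso" user="admin" srcip=203.0.113.7 logdesc="Admin login successful"
date=2026-01-15 time=03:10:41 type="event" action="Add" cfgpath="system.admin" cfgobj="svcuser" srcip=203.0.113.7 logdesc="Object configured"
date=2026-01-15 time=03:11:05 type="event" action="Edit" cfgpath="vpn.ssl.settings" srcip=203.0.113.7 logdesc="Object attribute configured"
date=2026-01-15 time=03:12:30 type="event" action="backup" srcip=203.0.113.7 logdesc="Configuration is backed up"
date=2026-01-15 time=09:00:00 type="event" action="login" status="success" method="sso" user="admin" srcip=10.0.0.5 logdesc="Admin login successful"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]  # assumed internal management range
WINDOW = timedelta(minutes=30)                    # correlation window after a login

def parse_line(line):
    """Split one key=value event into a dict; quoted values may contain spaces."""
    rec = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    rec["ts"] = datetime.fromisoformat(f'{rec["date"]} {rec["time"]}')
    return rec

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)

def detect(log_text):
    """Flag SSO admin logins from untrusted addresses followed by account creation, VPN changes or a config export."""
    by_src = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        by_src[rec.get("srcip")].append(rec)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(events):
            if ev.get("action") != "login" or ev.get("method") != "sso" or is_trusted(src):
                continue
            later = [e for e in events[i + 1:] if e["ts"] - ev["ts"] <= WINDOW]
            steps = {
                "new_admin": any(e.get("action") == "Add" and e.get("cfgpath") == "system.admin" for e in later),
                "vpn_change": any(e.get("cfgpath", "").startswith("vpn.") for e in later),
                "config_export": any(e.get("action") == "backup" for e in later),
            }
            if any(steps.values()):  # a lone external SSO login is noisy; require a follow-on step
                findings.append({"srcip": src, "user": ev.get("user"), "login_at": ev["ts"].isoformat(), **steps})
    return findings
```

On the constructed sample, the 203.0.113.7 login is reported with all three follow-on steps, while the login from the trusted 10.0.0.5 address is ignored.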
