FORTINET has confirmed that attacks are bypassing FortiCloud SSO on devices that are fully patched, with threat actors automating firewall changes, adding users, enabling VPNs and exfiltrating configurations in campaigns that mirror earlier late-2025 activity.
Arctic Wolf researchers observed a new automated cluster from 15 January 2026 targeting FortiGate devices, creating generic accounts for persistence and exporting firewall configurations, in a pattern that resembles a December 2025 campaign involving admin SSO logins and config theft.
In December 2025 Fortinet disclosed two critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, which involve improper verification of cryptographic signatures; Fortinet noted that attacks began exploiting these flaws within days of the patches being issued. Fortinet says a new attack path has emerged, with login exploits observed on fully updated devices; it is developing a fix, an advisory is pending, and all SAML SSO implementations may be affected.
For now, Fortinet has released IOCs to aid threat hunting and urges customers to restrict admin access, limit it to local IPs, and temporarily disable FortiCloud SSO as a workaround. In the advisory, Fortinet emphasises that while exploitation has so far been observed against FortiCloud SSO, the issue applies to all SAML SSO implementations.