Fortinet on Thursday confirmed that recent attacks are bypassing FortiCloud single sign-on (SSO) login authentication on devices fully patched against recent vulnerabilities. Leveraging automation, hackers are making configuration changes to FortiGate firewalls to add new user accounts, enable VPN access, and exfiltrate device configuration files, according to Fortinet.
The campaign resembles December 2025 attacks targeting CVE-2025-59718 and CVE-2025-59719, two critical-severity defects affecting the FortiCloud SSO login feature of FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices. Fortinet released fixes for the two flaws in early December, warning that crafted SAML response messages could be used to bypass authentication on instances that have the FortiCloud SSO login feature enabled.
On Thursday, Fortinet confirmed previous fears that the attacks were successful even against devices that had been fully upgraded to the latest release at the time of the attack, suggesting a new attack path. Administrators are advised to block administrative access to edge devices from the internet and to consider disabling the FortiCloud SSO feature as a workaround, alongside applying the IOC guidance Fortinet has shared.
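The post-compromise activity described above (an SSO-authenticated session, a new administrator account, VPN enabled, a configuration backup pulled) leaves a recognisable trail in the firewall's own event log. The following Python script is an added example, not code from Fortinet or from this report: it parses FortiOS-style `key="value"` event lines and flags each of those four steps, then correlates them per user. The sample log lines are constructed for the example, and the field names and values it matches on (`logdesc`, `cfgpath`, `action`, `method="sso"`, `KNOWN_ADMINS`) are assumptions that should be checked against real device logs and Fortinet's IOC guidance before use.

```python
"""
Hunt for the post-exploitation chain described in the report in FortiOS-style
event logs: SSO admin login, new admin account, VPN enablement, config export.

All log lines below are CONSTRUCTED for this example. They approximate the
key=value layout of FortiOS event logs, but every field name and value used
for matching is an assumption, not copied from a real device or advisory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# key=value or key="quoted value" (quoted values may contain spaces)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    out = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        out[key] = value
    return out


@dataclass
class Finding:
    rule: str
    user: str
    ui: str
    detail: str


# Baseline of administrator accounts that are expected to exist (assumed).
KNOWN_ADMINS = {"admin"}


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the four hunt rules to a single parsed event."""
    findings = []
    user = ev.get("user", "?")
    ui = ev.get("ui", "?")
    cfgpath = ev.get("cfgpath", "")
    action = ev.get("action", "")
    logdesc = ev.get("logdesc", "")

    # Rule 1: an administrator login whose auth method is SSO (assumed value).
    if logdesc.startswith("Admin login") and ev.get("method", "").lower() == "sso":
        findings.append(Finding("sso-admin-login", user, ui, f"status={ev.get('status', '?')}"))

    # Rule 2: a new system.admin object outside the known baseline.
    if cfgpath == "system.admin" and action == "Add":
        name = ev.get("cfgobj", "?")
        if name not in KNOWN_ADMINS:
            findings.append(Finding("new-admin-account", user, ui, f"admin {name!r} added"))

    # Rule 3: SSL-VPN settings or VPN user groups changed.
    if cfgpath.startswith("vpn.ssl") or cfgpath == "user.group":
        findings.append(Finding("vpn-config-change", user, ui, f"{action} {cfgpath}"))

    # Rule 4: a configuration backup/export, the precursor to exfiltration.
    if "backup" in logdesc.lower() and "config" in logdesc.lower():
        findings.append(Finding("config-export", user, ui, logdesc))
    return findings


def hunt(lines: List[str]) -> List[Finding]:
    """Run every rule over every line, preserving log order."""
    findings = []
    for line in lines:
        findings.extend(check_event(parse_fortios_line(line)))
    return findings


def suspicious_users(findings: List[Finding], min_rules: int = 2) -> Dict[str, List[str]]:
    """Correlate: users that triggered at least `min_rules` distinct rules."""
    by_user: Dict[str, set] = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.rule)
    return {u: sorted(r) for u, r in by_user.items() if len(r) >= min_rules}


# Constructed sample: one routine login, then the chain from the report.
SAMPLE_LOGS = [
    'date=2025-12-18 time=08:01:12 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" method="https" status="success" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    'date=2025-12-18 time=03:14:05 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="forticloud-sso" ui="https(198.51.100.7)" method="sso" status="success" msg="Administrator forticloud-sso logged in successfully"',
    'date=2025-12-18 time=03:14:09 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="forticloud-sso" ui="https(198.51.100.7)" action="Add" cfgtid=1001 cfgpath="system.admin" cfgobj="support_tmp" cfgattr="accprofile[super_admin]" msg="Add system.admin support_tmp"',
    'date=2025-12-18 time=03:14:20 type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="forticloud-sso" ui="https(198.51.100.7)" action="Edit" cfgtid=1002 cfgpath="vpn.ssl.settings" cfgattr="status[disable->enable]" msg="Edit vpn.ssl.settings"',
    'date=2025-12-18 time=03:15:01 type="event" subtype="system" level="information" vd="root" logdesc="Config backup" user="forticloud-sso" ui="https(198.51.100.7)" action="backup" msg="Configuration backed up"',
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for f in results:
        print(f"[{f.rule}] user={f.user} ui={f.ui} {f.detail}")
    print("users with multiple indicators:", suspicious_users(results))
```

Run against the constructed sample, the script reports four findings, all for the `forticloud-sso` user, and the correlation step surfaces that user as having hit every rule; the routine `admin` login over HTTPS produces nothing. In practice the SSO-login rule is the one to tune first, since the exact `method` value recorded for a FortiCloud SSO session is an assumption here.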