thehackernews.com 1/23/2026, 1:31:13 PM · via preferred

Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

Evidence panel: listed in CISA KEV; patch available.

Fortinet has officially confirmed that it is working to fully close a FortiCloud SSO authentication bypass vulnerability after reports of renewed exploitation on fully patched FortiGate firewalls. In a Thursday post, Fortinet Chief Information Security Officer (CISO) Carl Windsor said that in the last 24 hours a number of cases involved devices already updated to the latest release at the time of the attack, suggesting a new attack path.

The activity amounts to a bypass of the patches for CVE-2025-59718 and CVE-2025-59719, which could allow an unauthenticated attacker to bypass SSO login authentication via crafted SAML messages when FortiCloud SSO is enabled on affected devices. Earlier this week, reports emerged of renewed activity in which malicious SSO logins targeted the admin account on patched FortiGate appliances, similar to incidents observed in December following the CVE disclosures.

The attacks involve creating generic accounts for persistence, granting VPN access to those accounts, and exfiltrating firewall configurations to various IP addresses; threat actors were observed logging in as cloud-noc@mail[.]io and cloud-init@mail[.]io. Recommended mitigations include restricting administrative access from the internet and disabling FortiCloud SSO logins by turning off admin-forticloud-sso-login.
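The two mitigations above, plus the persistence technique the article describes, can be checked against a FortiGate configuration export. The following is an added example, not code from the article or from Fortinet: it parses a constructed `show full-configuration`-style text (the section and `set key value` syntax is an assumption of this example), reports whether `admin-forticloud-sso-login` is disabled, flags administrator accounts that have no `trusthost` restriction, and flags administrators that are not on a hypothetical expected-admin allowlist.

```python
"""Audit a FortiGate config export for the mitigations discussed in the article.

Assumptions of this example (not confirmed by the article):
  - the export uses `config <path>` / `edit "<name>"` / `set <key> <value>` /
    `next` / `end` blocks, as in `show full-configuration`
  - the hostname, account names and addresses below are constructed sample data
"""

# Hypothetical allowlist of administrator accounts that are expected to exist.
EXPECTED_ADMINS = {"admin", "netops"}

# Constructed sample export: SSO login still enabled, one unexpected account
# ("support") with no trusthost restriction.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "support"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.0.1.0 255.255.255.0
    next
end
"""


def parse_fortios(text):
    """Return (global_settings, admins) where admins maps name -> {key: value}."""
    global_settings, admins = {}, {}
    stack, current = [], None  # stack of open `config` sections, current `edit`
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            current = line[len("edit "):].strip('"')
            if stack and stack[-1] == "system admin":
                admins.setdefault(current, {})
        elif line == "next":
            current = None
        elif line == "end":
            if stack:
                stack.pop()
            current = None
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            section = stack[-1] if stack else None
            if section == "system global":
                global_settings[key] = value
            elif section == "system admin" and current in admins:
                admins[current][key] = value
    return global_settings, admins


def audit(text, expected_admins=EXPECTED_ADMINS):
    """Return a list of human-readable findings; an empty list means no issue found."""
    global_settings, admins = parse_fortios(text)
    findings = []
    sso = global_settings.get("admin-forticloud-sso-login")
    if sso != "disable":
        findings.append(
            "global: admin-forticloud-sso-login is not set to disable "
            f"(found {sso!r}); FortiCloud SSO admin login remains possible"
        )
    for name, settings in admins.items():
        if name not in expected_admins:
            findings.append(f"admin {name!r}: not in expected admin list (possible persistence account)")
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(f"admin {name!r}: no trusthost restriction, reachable from any source address")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real export, the script is only as good as the allowlist and the completeness of the export; use `show full-configuration` rather than `show`, since the latter omits values that are still at their defaults.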


Article by CyberSIXT