Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
Fortinet has confirmed an active authentication bypass vulnerability affecting FortiCloud SSO on fully patched FortiGate firewalls. Despite recent patches for CVE-2025-59718 and CVE-2025-59719, attackers have exploited a new attack vector to bypass SSO authentication without credentials. The threat actors gain unauthorized admin access, create persistent generic accounts, modify configurations to grant VPN access, and exfiltrate firewall configurations. Fortinet recommends disabling FortiCloud SSO login and restricting administrative access via local-in policies. This vulnerability impacts all SAML SSO implementations, not just FortiCloud. The exploitation requires no authentication and affects critical network security devices, posing risks to confidentiality, integrity, and availability. European organizations relying on FortiGate firewalls with FortiCloud SSO enabled should urgently apply mitigations. Countries with high Fortinet market penetration and critical infrastructure are most at risk. The severity is assessed as high due to the ease of exploitation and potential for significant operational disruption.
AI Analysis
Technical Summary
Fortinet has acknowledged an active authentication bypass vulnerability targeting the FortiCloud Single Sign-On (SSO) feature on FortiGate firewalls, including devices fully patched against previously disclosed vulnerabilities CVE-2025-59718 and CVE-2025-59719. These earlier CVEs involved unauthenticated bypass of SSO login via crafted SAML messages. However, recent exploitation activity indicates attackers have discovered a new attack path that circumvents the existing patches, allowing unauthorized access to administrative accounts without valid credentials. The attackers leverage this bypass to log in as admin, create generic persistent accounts, alter firewall configurations to grant VPN access to these accounts, and exfiltrate sensitive firewall configuration data to external IP addresses. The threat actors have been observed using accounts such as "cloud-noc@mail.io" and "cloud-init@mail.io" for these activities. Fortinet’s CISO Carl Windsor confirmed these incidents and emphasized that while exploitation currently targets FortiCloud SSO, the underlying issue affects all SAML SSO implementations, highlighting a broader risk. Fortinet recommends immediate mitigation steps including disabling the "admin-forticloud-sso-login" feature and applying local-in policies to restrict administrative access from the internet. The vulnerability impacts critical network security infrastructure, potentially allowing attackers to gain persistent, unauthorized administrative control over firewalls, which could lead to further network compromise, data exfiltration, and disruption of services.
Potential Impact
For European organizations, this vulnerability poses a significant threat to network security and operational continuity. FortiGate firewalls are widely deployed across enterprises, government agencies, and critical infrastructure sectors in Europe, making the impact potentially widespread. Unauthorized administrative access can lead to the creation of backdoor accounts, unauthorized VPN access, and exfiltration of sensitive firewall configurations, which may contain network topology and security policy information. This can facilitate lateral movement within networks, data breaches, and disruption of security controls. The bypass affects confidentiality by exposing sensitive configuration data, integrity by allowing unauthorized configuration changes, and availability by potentially disrupting firewall operations or enabling denial of service. Given the ease of exploitation without authentication and no user interaction, attackers can rapidly compromise vulnerable devices. The impact is exacerbated in sectors with stringent regulatory requirements such as finance, healthcare, and critical infrastructure, where firewall compromise can have cascading effects on national security and public safety.
Mitigation Recommendations
European organizations should immediately implement the following specific mitigations: 1) Disable the FortiCloud SSO login feature by setting "admin-forticloud-sso-login" to disabled to prevent exploitation of the bypass. 2) Apply strict local-in policies to restrict administrative access to FortiGate firewalls from the internet, limiting it to trusted management networks only. 3) Conduct thorough audits of firewall user accounts to identify and remove any unauthorized or suspicious accounts, especially those resembling "cloud-noc@mail.io" or "cloud-init@mail.io." 4) Monitor firewall logs for unusual administrative login activity and configuration changes, employing SIEM tools with alerting for anomalous behavior. 5) Review and tighten VPN access policies to prevent unauthorized account usage. 6) Engage with Fortinet support for any updated patches or hotfixes addressing this new attack vector as they become available. 7) Educate network security teams about the risks associated with SAML SSO implementations and consider additional multi-factor authentication layers where feasible. 8) Implement network segmentation to limit the impact of compromised firewalls. These measures go beyond generic advice by focusing on configuration changes, active monitoring, and account hygiene tailored to this specific threat.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
Description
Fortinet has confirmed an active authentication bypass vulnerability affecting FortiCloud SSO on fully patched FortiGate firewalls. Despite recent patches for CVE-2025-59718 and CVE-2025-59719, attackers have exploited a new attack vector to bypass SSO authentication without credentials. The threat actors gain unauthorized admin access, create persistent generic accounts, modify configurations to grant VPN access, and exfiltrate firewall configurations. Fortinet recommends disabling FortiCloud SSO login and restricting administrative access via local-in policies. This vulnerability impacts all SAML SSO implementations, not just FortiCloud. The exploitation requires no authentication and affects critical network security devices, posing risks to confidentiality, integrity, and availability. European organizations relying on FortiGate firewalls with FortiCloud SSO enabled should urgently apply mitigations. Countries with high Fortinet market penetration and critical infrastructure are most at risk. The severity is assessed as high due to the ease of exploitation and potential for significant operational disruption.
AI-Powered Analysis
Technical Analysis
Fortinet has acknowledged an active authentication bypass vulnerability targeting the FortiCloud Single Sign-On (SSO) feature on FortiGate firewalls, including devices fully patched against previously disclosed vulnerabilities CVE-2025-59718 and CVE-2025-59719. These earlier CVEs involved unauthenticated bypass of SSO login via crafted SAML messages. However, recent exploitation activity indicates attackers have discovered a new attack path that circumvents the existing patches, allowing unauthorized access to administrative accounts without valid credentials. The attackers leverage this bypass to log in as admin, create generic persistent accounts, alter firewall configurations to grant VPN access to these accounts, and exfiltrate sensitive firewall configuration data to external IP addresses. The threat actors have been observed using accounts such as "cloud-noc@mail.io" and "cloud-init@mail.io" for these activities. Fortinet’s CISO Carl Windsor confirmed these incidents and emphasized that while exploitation currently targets FortiCloud SSO, the underlying issue affects all SAML SSO implementations, highlighting a broader risk. Fortinet recommends immediate mitigation steps including disabling the "admin-forticloud-sso-login" feature and applying local-in policies to restrict administrative access from the internet. The vulnerability impacts critical network security infrastructure, potentially allowing attackers to gain persistent, unauthorized administrative control over firewalls, which could lead to further network compromise, data exfiltration, and disruption of services.
Potential Impact
For European organizations, this vulnerability poses a significant threat to network security and operational continuity. FortiGate firewalls are widely deployed across enterprises, government agencies, and critical infrastructure sectors in Europe, making the impact potentially widespread. Unauthorized administrative access can lead to the creation of backdoor accounts, unauthorized VPN access, and exfiltration of sensitive firewall configurations, which may contain network topology and security policy information. This can facilitate lateral movement within networks, data breaches, and disruption of security controls. The bypass affects confidentiality by exposing sensitive configuration data, integrity by allowing unauthorized configuration changes, and availability by potentially disrupting firewall operations or enabling denial of service. Given the ease of exploitation without authentication and no user interaction, attackers can rapidly compromise vulnerable devices. The impact is exacerbated in sectors with stringent regulatory requirements such as finance, healthcare, and critical infrastructure, where firewall compromise can have cascading effects on national security and public safety.
Mitigation Recommendations
European organizations should immediately implement the following specific mitigations: 1) Disable the FortiCloud SSO login feature by setting "admin-forticloud-sso-login" to disabled to prevent exploitation of the bypass. 2) Apply strict local-in policies to restrict administrative access to FortiGate firewalls from the internet, limiting it to trusted management networks only. 3) Conduct thorough audits of firewall user accounts to identify and remove any unauthorized or suspicious accounts, especially those resembling "cloud-noc@mail.io" or "cloud-init@mail.io." 4) Monitor firewall logs for unusual administrative login activity and configuration changes, employing SIEM tools with alerting for anomalous behavior. 5) Review and tighten VPN access policies to prevent unauthorized account usage. 6) Engage with Fortinet support for any updated patches or hotfixes addressing this new attack vector as they become available. 7) Educate network security teams about the risks associated with SAML SSO implementations and consider additional multi-factor authentication layers where feasible. 8) Implement network segmentation to limit the impact of compromised firewalls. These measures go beyond generic advice by focusing on configuration changes, active monitoring, and account hygiene tailored to this specific threat.
Technical Details
- Article Source
- {"url":"https://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html","fetched":true,"fetchedAt":"2026-01-23T20:40:38.479Z","wordCount":872}
Threat ID: 6973dcc84623b1157c62f844
Added to database: 1/23/2026, 8:40:40 PM
Last enriched: 1/23/2026, 8:40:58 PM
Last updated: 1/24/2026, 9:11:49 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities
LowSmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release
LowCERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution
LowCISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited
LowCisco Patches ISE Security Vulnerability After Public PoC Exploit Release
LowActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.