SIEM Rules for detecting exploitation of vulnerabilities in FortiCloud SSO
Multiple vulnerabilities in Fortinet products that use the FortiCloud single sign-on (SSO) mechanism allow an attacker who holds a FortiCloud account to bypass authentication and obtain administrative access to network devices. They affect FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb when FortiCloud SSO is enabled. Kaspersky has published SIEM correlation rules that detect exploitation attempts by monitoring suspicious logins, account creations, and critical administrative actions. No public exploit code is known; however, one of the CVEs is listed in CISA's Known Exploited Vulnerabilities catalog and another was found while investigating unauthorized activity, so the issues should be treated as exploited in practice even though the aggregate severity here is rated medium. European organizations running Fortinet devices with FortiCloud SSO enabled should deploy the detection rules and hunt retrospectively from December 2025 onward. Effective detection depends on complete, normalized event logging from the Fortinet devices and on tuning the rules to reduce false positives; mitigation itself means applying the vendor fixes when available or disabling FortiCloud SSO. Countries with high Fortinet market penetration and critical-infrastructure reliance on these products are at greater risk. The suggested severity is medium: the flaws bypass authentication outright, but the attacker must hold FortiCloud credentials to use them.
AI Analysis
Technical Summary
Over the past two months, three authentication bypass vulnerabilities affecting Fortinet products that use the FortiCloud Single Sign-On (SSO) mechanism have been identified: CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. The first two were discovered during a code audit, and CVE-2025-59718 has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog; the third was found while investigating unauthorized activity on an affected device. All three allow an attacker who holds a valid FortiCloud account to bypass authentication and gain administrative access to FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb devices on which FortiCloud SSO is enabled. That access is enough to create new administrator accounts, export the device configuration, or log in from IP addresses the organization has never used.

To detect exploitation attempts, Kaspersky has released a set of correlation rules for its Unified Monitoring and Analysis Platform (SIEM). The rules are grouped into three categories: indicator-of-compromise (IOC) detection, which flags logins from known-bad or previously unseen source IP addresses and from unexpected usernames; monitoring of critical administrative actions, such as account creation and configuration export; and correlation of suspicious activity, which chains a critical action to a suspicious login that preceded it. Some rules will generate false positives where administrators legitimately log in from changing addresses, and need tuning by excluding known legitimate IP addresses and accounts. Kaspersky recommends using the rules both for real-time detection and for retrospective threat hunting over a window starting in December 2025. Detection depends on correct normalization of the Fortinet events and on forwarding the detailed event data (the 'Extra' field) rather than only summary fields.

No public exploit code is known, but the KEV listing and the discovery of CVE-2026-24858 during an intrusion investigation mean exploitation has already occurred; the vulnerabilities therefore represent a significant risk of unauthorized administrative access to core network infrastructure.
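The three rule categories described above, as an added example that is not part of the Kaspersky package or the article: a small Python script that applies the same logic to constructed FortiOS-style key=value event lines. The field names and values it keys on (method="sso" for an SSO login, cfgpath="system.admin" with an Add message for account creation, action="backup" for a configuration export), the log IDs in the sample lines, the IOC address, and the allowlists are assumptions for illustration and must be replaced with the values your normalized Fortinet events actually carry.

```python
import re
from datetime import datetime, timedelta

# Tuning inputs. All values here are constructed for the example; an operator
# substitutes the real admin roster, management addresses and IOC list.
KNOWN_ADMINS = {"admin", "j.doe"}
ALLOWLISTED_IPS = {"10.10.5.20"}
IOC_IPS = {"203.0.113.9"}                 # placeholder indicator, not a real IOC
CORRELATION_WINDOW = timedelta(minutes=30)

# FortiOS event logs are key=value pairs; values containing spaces are quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Parse one key=value log line into a dict and attach a datetime."""
    ev = {}
    for key, value in _KV.findall(line):
        ev[key] = value[1:-1] if value.startswith('"') else value
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def is_sso_login(ev):
    # Assumed field values: successful admin login via the FortiCloud SSO path.
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("method") == "sso")


def ioc_reasons(ev):
    """Category 1: IOC detection. Returns why a login is suspicious (may be empty)."""
    reasons = []
    if ev.get("srcip") in IOC_IPS:
        reasons.append("ioc_ip")
    if ev.get("srcip") not in ALLOWLISTED_IPS:
        reasons.append("unknown_ip")
    if ev.get("user") not in KNOWN_ADMINS:
        reasons.append("unknown_user")
    return reasons


def critical_action(ev):
    """Category 2: critical admin actions. Returns a label or None."""
    # Assumed shapes: "Add" against system.admin is account creation;
    # action=backup is a configuration export.
    if ev.get("cfgpath") == "system.admin" and ev.get("msg", "").startswith("Add"):
        return "admin_account_created"
    if ev.get("action") == "backup":
        return "config_exported"
    return None


def run_rules(lines):
    """Apply the three rule categories to a chronologically ordered log stream.

    Returns a list of (rule, user, srcip, detail) tuples.
    """
    alerts = []
    suspicious_logins = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_sso_login(ev):
            reasons = ioc_reasons(ev)
            if reasons:
                alerts.append(("R1_suspicious_sso_login", ev["user"], ev["srcip"],
                               ",".join(reasons)))
                suspicious_logins.append(ev)
            continue
        action = critical_action(ev)
        if action is None:
            continue
        alerts.append(("R2_critical_admin_action", ev["user"], ev["srcip"], action))
        # Category 3: the critical action follows a suspicious SSO login from
        # the same source address within the correlation window.
        for login in suspicious_logins:
            delta = ev["ts"] - login["ts"]
            if login["srcip"] == ev["srcip"] and timedelta(0) <= delta <= CORRELATION_WINDOW:
                minutes = int(delta.total_seconds() // 60)
                alerts.append(("R3_action_after_suspicious_login", ev["user"], ev["srcip"],
                               f'{action} {minutes}m after login of {login["user"]}'))
                break
    return alerts


# Constructed sample events (not real device output); log IDs are placeholders.
SAMPLE_LOGS = """\
date=2026-01-14 time=09:02:11 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.10.5.20 method="sso" action="login" status="success" msg="Administrator admin logged in successfully"
date=2026-01-14 time=09:40:03 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="fc-guest" srcip=203.0.113.9 method="sso" action="login" status="success" msg="Administrator fc-guest logged in successfully"
date=2026-01-14 time=09:44:18 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="fc-guest" srcip=203.0.113.9 action="Add" cfgpath="system.admin" cfgobj="svc-backup" msg="Add system.admin svc-backup"
date=2026-01-14 time=09:51:30 logid="0100044545" type="event" subtype="system" logdesc="Configuration backup" user="fc-guest" srcip=203.0.113.9 action="backup" msg="Config backup to local"
date=2026-01-14 time=11:15:00 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=10.10.5.20 action="Add" cfgpath="system.admin" cfgobj="j.doe" msg="Add system.admin j.doe"
date=2026-01-14 time=13:05:42 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="j.doe" srcip=198.51.100.77 method="sso" action="login" status="success" msg="Administrator j.doe logged in successfully"
date=2026-01-14 time=13:06:10 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="j.doe" srcip=198.51.100.77 action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
date=2026-01-14 time=13:20:00 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="fc-guest" srcip=203.0.113.9 method="sso" action="login" status="failed" msg="Administrator fc-guest login failed"
"""

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS.splitlines()):
        print(*alert, sep=" | ")
```

Run as a script it prints the alerts for the sample stream: two R1 alerts (the unknown fc-guest account arriving from the IOC address, and j.doe arriving from an address not on the allowlist), three R2 alerts (two admin-account creations and one configuration export), and two R3 correlations, both chaining fc-guest's critical actions to its login a few minutes earlier. The j.doe R1 alert is the kind of false positive the article says needs tuning: adding that address to the allowlist, or requiring two reasons before alerting, removes it without hiding the fc-guest chain.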
Potential Impact
For European organizations, exploitation of these FortiCloud SSO vulnerabilities means unauthorized administrative access to the devices that enforce network security: firewalls, proxies, web application firewalls, and the FortiManager and FortiAnalyzer systems that manage and log them. An attacker with that access can alter firewall policy, create backdoor accounts, export device configurations, exfiltrate sensitive data, or disrupt network operations, affecting confidentiality, integrity, and availability at once. Organizations that rely heavily on Fortinet products with SSO enabled, especially in finance, telecommunications, government, and critical infrastructure, face elevated risk. The precondition is a FortiCloud account rather than credentials for the target device, so the attack surface extends to the FortiCloud side: an attacker-controlled account, or a legitimate one taken over through phishing or credential stuffing, is enough, and weak credential hygiene on FortiCloud accounts translates directly into device exposure. Although no public exploit code is available, one of the CVEs is in CISA's KEV catalog and another was found during an intrusion investigation, so the threat is not theoretical. Detection and mitigation are needed to keep a compromised device from becoming a foothold for lateral movement and persistence within the enterprise network.
Mitigation Recommendations
European organizations should deploy the Kaspersky SIEM correlation rules package '[OOTB] FortiCloud SSO abuse package – ENG' to detect suspicious activity related to FortiCloud SSO exploitation attempts. Ensure complete, normalized logging from every Fortinet device (FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb) on which SSO is enabled, including population of the 'Extra' field so that the rules receive the full event context; a rule that depends on a field the collector drops never fires, and nothing warns you. Run a retrospective analysis from December 2025 onward to identify past exploitation attempts. Tune the rules to reduce false positives by allowlisting known legitimate administrative IP addresses and accounts, and review the allowlist itself before trusting it: an address or account added by an attacker-created administrator would hide everything that follows. Harden FortiCloud accounts with multi-factor authentication (MFA), strong passwords, and monitoring for anomalous account activity. Disable FortiCloud SSO where it is not needed (on FortiOS this is the admin-forticloud-sso-login setting under config system global; confirm the name for your release) or, where it must remain enabled, restrict administrative access with trusted-host lists, network segmentation, and access controls. Apply Fortinet's fixed releases as they become available and track the vendor PSIRT advisories for the three CVEs. Finally, forward Fortinet device logs to the broader enterprise detection platform so that device-level events can be correlated with activity elsewhere in the environment.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Switzerland
Technical Details
Article source: https://www.kaspersky.com/blog/forticloud-authentication-siem-rules/55241/ (fetched 2026-02-05T16:01:11Z, 794 words)
Threat ID: 6984bec7f9fa50a62f2b18a2
Added to database: 2/5/2026, 4:01:11 PM
Last enriched: 2/5/2026, 4:01:33 PM
Last updated: 2/5/2026, 11:51:17 PM