CyberSecurityNews

Fortinet Confirms Active Exploitation of FortiCloud SSO Authentication Bypass Vulnerability


Fortinet confirms active exploitation of a FortiCloud SSO authentication bypass vulnerability, with a new automated campaign targeting even fully patched FortiGate devices.

Cybersecurity firm Arctic Wolf first observed the attacks on January 15, 2026, involving rapid configuration exfiltration and persistence via generic admin accounts.

In December 2025, Fortinet disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719 (FG-IR-25-647), enabling unauthenticated attackers to bypass SSO authentication using crafted SAML messages when FortiCloud SSO is enabled.

These flaws affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, allowing admin access without credentials. Patches were issued, but recent incidents on updated firmware such as 7.4.10 indicate either a persistent or a variant issue that may apply to all SAML SSO implementations.

Affected Versions

Fortinet’s PSIRT advisory details vulnerable versions and fixes.

Product                 Affected Versions        Solution
FortiOS 7.6             7.6.0 through 7.6.3      7.6.4 or above
FortiOS 7.4             7.4.0 through 7.4.8      7.4.9 or above
FortiOS 7.2             7.2.0 through 7.2.11     7.2.12 or above
FortiProxy 7.2          7.2.0 through 7.2.14     7.2.15 or above
FortiSwitchManager 7.2  7.2.0 through 7.2.6      7.2.7 or above

Reports confirm exploitation on 7.4.9, 7.4.10, and 7.6.x, with fixes scheduled for later releases.


Attack Campaign Details

Arctic Wolf telemetry reveals highly automated attacks mirroring the December 2025 activity. Threat actors use malicious SSO logins (e.g., cloud-init@mail.io), exfiltrate device configurations via the GUI for offline credential cracking, then create persistence accounts that grant VPN access.

Incidents occur seconds apart, targeting internet-exposed devices; over 25,000 had SSO enabled per prior scans. Field Effect notes compromises on the latest FortiOS despite patches.

The following IOCs combine those published by Fortinet, Arctic Wolf, and third-party reports.

Type              IOC                     Context
User Account      cloud-noc@mail[.]io     SSO login
User Account      cloud-init@mail[.]io    SSO login, config exfil
IP Address        104.28.244[.]115        Cloudflare IP
IP Address        104.28.212[.]114        Intrusions
IP Address        37.1.209[.]19           Third-party observed
IP Address        217.119.139[.]50        Intrusions
Persistence Acct  audit, backup, itadmin  Local admin creation
Persistence Acct  secadmin, support       Local admin creation
Persistence Acct  remoteadmin, helpdesk   Local admin creation

Search logs for SSO successes from these IPs/users and “Add system.admin” events.
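The log search above can be scripted. The following is an added example (not code from the article, Fortinet, or Arctic Wolf) that parses FortiGate-style key=value event log lines, flags successful admin logins whose user or source IP matches the IOC table, and flags "Add system.admin" configuration events, rating them higher when the created account name matches one of the persistence names listed above. The sample log lines are constructed for the example; the field names (logdesc, user, srcip, action, status, msg) follow the FortiGate event log format, but the exact values are illustrative.

```python
import re

# Indicators from the article's IOC table, with the defanging brackets removed for matching.
IOC_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
# Local admin account names the campaign was observed creating for persistence.
PERSISTENCE_NAMES = {"audit", "backup", "itadmin", "secadmin", "support", "remoteadmin", "helpdesk"}

# FortiGate logs are space-separated key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Config-change events for admin creation carry a message of the form "Add system.admin <name>".
ADD_ADMIN_RE = re.compile(r"^Add system\.admin\s+(\S+)")

# Constructed sample log lines (not real captured data): two from the campaign pattern,
# two legitimate administrator actions, and one failed login from an IOC address.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:01 logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="cloud-init@mail.io" ui="https(104.28.244.115)" method="https" '
    'srcip=104.28.244.115 dstip=203.0.113.10 action="login" status="success" profile="super_admin" '
    'msg="Administrator cloud-init@mail.io logged in successfully from https(104.28.244.115)"',
    'date=2026-01-15 time=03:12:04 logid="0100044547" type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="cloud-init@mail.io" ui="GUI(104.28.244.115)" srcip=104.28.244.115 '
    'action="Add" cfgtid=1 cfgpath="system.admin" cfgobj="audit" msg="Add system.admin audit"',
    'date=2026-01-15 time=09:00:12 logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.10.5)" method="https" srcip=10.10.10.5 '
    'dstip=10.10.10.1 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.10.10.5)"',
    'date=2026-01-15 time=09:05:40 logid="0100044547" type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(10.10.10.5)" srcip=10.10.10.5 '
    'action="Add" cfgtid=2 cfgpath="system.admin" cfgobj="jdoe" msg="Add system.admin jdoe"',
    'date=2026-01-15 time=11:41:07 logid="0100032002" type="event" subtype="system" level="alert" '
    'logdesc="Admin login failed" user="cloud-noc@mail.io" ui="https(37.1.209.19)" method="https" '
    'srcip=37.1.209.19 dstip=203.0.113.10 action="login" status="failed" reason="name_invalid" '
    'msg="Administrator cloud-noc@mail.io login failed from https(37.1.209.19)"',
]


def parse_fortigate_line(line):
    """Return a dict of key -> value for one key=value log line, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def find_sso_bypass_indicators(lines):
    """Scan log lines and return a list of findings, each with the line number, rule name, and detail."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = parse_fortigate_line(line)
        user = fields.get("user", "")
        srcip = fields.get("srcip", "")
        msg = fields.get("msg", "")

        # Rule 1: a successful admin login involving a known IOC user or source address.
        if fields.get("action") == "login" and fields.get("status") == "success":
            hits = []
            if user.lower() in IOC_USERS:
                hits.append(f"IOC user {user}")
            if srcip in IOC_IPS:
                hits.append(f"IOC source IP {srcip}")
            if hits:
                findings.append({"line": number, "rule": "ioc_admin_login", "detail": "; ".join(hits)})

        # Rule 2: creation of a local admin account; escalate if the name matches the campaign's pattern.
        match = ADD_ADMIN_RE.match(msg)
        if match:
            name = match.group(1)
            rule = "persistence_admin_name" if name.lower() in PERSISTENCE_NAMES else "new_admin_account"
            findings.append({
                "line": number,
                "rule": rule,
                "detail": f"admin account '{name}' created by {user or 'unknown'} from {srcip or 'unknown'}",
            })
    return findings


if __name__ == "__main__":
    for finding in find_sso_bypass_indicators(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['rule']}: {finding['detail']}")
```

Every "Add system.admin" event is reported, not only those matching the listed names, because the account names in the IOC table are the ones seen so far and an attacker can choose others; the rule name distinguishes the two cases so an analyst can triage them separately. Failed logins from IOC addresses are deliberately left out, matching the article's advice to search for SSO successes, but they are easy to add as a lower-severity rule.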

Fortinet urges disabling FortiCloud SSO:

config system global
    set admin-forticloud-sso-login disable
end

Implement local-in policies to restrict admin access. The example below assumes "10.10.10.0" is an existing firewall address object for the trusted management subnet; the accept entry needs an explicit action because a local-in policy's action defaults to deny, and it is followed by an explicit deny entry because local-in policies have no implicit deny:

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "10.10.10.0"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end

Treat compromised devices as fully owned: upgrade to the latest firmware (e.g., 7.6.x), restore a known-clean configuration, rotate all credentials stored on or reachable from the device, including LDAP/AD accounts, and audit VPN settings.
