Authentication Bypass in Fortinet Products Enables Unauthorized FortiCloud SSO Access


By Bryan Zatezalo | Cyber Threat Intelligence Analyst

Background Information

CVE-2025-59718, disclosed by Fortinet in December 2025, continues to be associated with active exploitation. Current reporting indicates that recent attack activity closely mirrors the exploitation patterns observed shortly after the vulnerability’s initial disclosure. Fortinet administrators have raised concerns regarding potential post-patch exploitation, and multiple third-party security providers have independently reported evidence suggesting the vulnerability may still be leveraged in the wild.

Current Vulnerability Picture

The flaw allows an attacker to bypass single sign-on (SSO) authentication by sending maliciously crafted SAML messages to a device on which FortiCloud SSO is enabled. The vulnerability is estimated to affect approximately 11,000 devices with FortiCloud SSO enabled. Observed attacker activity includes post-compromise configuration changes and data exfiltration on affected devices, indicating active exploitation beyond initial access. In the most recent update directly from FortiGuard, as of 2026-01-27, FortiCloud-side SSO login is no longer supported for devices running vulnerable versions. A full list of affected versions and their status is available in the sources at the end of this bulletin.
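The post-compromise behaviour described above, an SSO-authenticated administrative session followed by configuration changes, is something a defender can hunt for in FortiGate event logs. The following Python script is an added example, not code from Fortinet, FortiGuard or Ostra: it parses FortiOS-style key=value event logs and correlates successful administrative logins with configuration-change events made by the same account within a time window. The sample log lines are constructed; the marker used to recognise an SSO-originated session (the `ui="sso(...)"` value) and the `logdesc` text used for configuration changes are assumptions to verify against logs from your own firmware version before using this in production.

```python
"""Correlate admin logins with follow-on configuration changes in
FortiOS-style event logs (added example, not vendor code)."""
import re
from datetime import datetime, timedelta

# Constructed sample, not real device output. Lines 1-2: an SSO-originated
# admin session that then edits an administrator object. Lines 3-4: a local
# HTTPS admin login that also makes a change and should NOT be flagged.
SAMPLE_LOG = """\
date=2026-01-27 time=03:12:05 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="cloud-admin" ui="sso(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" msg="Administrator cloud-admin logged in successfully"
date=2026-01-27 time=03:12:40 logid="0100044546" type="event" subtype="system" logdesc="Object attribute configured" user="cloud-admin" ui="sso(198.51.100.23)" action="Edit" cfgpath="system.admin" cfgobj="backup-admin" cfgattr="accprofile[super_admin]" msg="Edit system.admin backup-admin"
date=2026-01-27 time=08:30:11 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully"
date=2026-01-27 time=08:31:00 logid="0100044546" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[maintenance]" msg="Edit firewall.policy 12"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS-style key=value log line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def event_time(rec):
    """Combine the date= and time= fields into a datetime."""
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def is_sso_login(rec):
    # Assumption: SSO-originated admin sessions are distinguishable via the
    # ui= field. Confirm the real marker on your firmware before relying on it.
    return (rec.get("action") == "login" and rec.get("status") == "success"
            and rec.get("ui", "").startswith("sso"))


def is_config_change(rec):
    # Assumption: configuration edits are logged with this logdesc text.
    return rec.get("logdesc") == "Object attribute configured"


def find_sso_config_changes(log_text, window=timedelta(minutes=30)):
    """Return one finding per account whose SSO login was followed, within
    `window`, by configuration changes. Each finding lists the changes."""
    sso_logins = {}   # user -> (login time, source IP) of the latest SSO login
    findings = {}     # user -> finding dict
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts = event_time(rec)
        user = rec.get("user")
        if is_sso_login(rec):
            sso_logins[user] = (ts, rec.get("srcip"))
        elif is_config_change(rec) and user in sso_logins:
            login_ts, src = sso_logins[user]
            if ts - login_ts <= window:
                finding = findings.setdefault(
                    user, {"user": user, "srcip": src, "login": login_ts, "changes": []})
                finding["changes"].append({
                    "time": ts,
                    "cfgpath": rec.get("cfgpath"),
                    "cfgobj": rec.get("cfgobj"),
                    "cfgattr": rec.get("cfgattr"),
                })
    return list(findings.values())


if __name__ == "__main__":
    for f in find_sso_config_changes(SAMPLE_LOG):
        print(f"{f['user']} (SSO login from {f['srcip']} at {f['login']}):")
        for change in f["changes"]:
            print(f"  {change['time']}  {change['cfgpath']} {change['cfgobj']} {change['cfgattr']}")
```

Run against a real export, the script reports only accounts whose SSO session was followed by edits; the local `admin` session in the sample makes a change too but is not reported because its login did not come through SSO. The time window is there so that an SSO login from days earlier does not attach unrelated later edits to the same account.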

Indicators of Compromise

Below are listed Indicators of Compromise from FortiGuard Labs:

Recommendations

Recommendations include standard security best practices such as ensuring all FortiGate devices are fully up to date with the latest patches. As an additional protective measure, organizations may temporarily disable the “Allow Administrative Login using FortiCloud SSO” setting. Doing so prevents attackers from exploiting this vulnerability by removing the affected authentication pathway. However, this change may require the implementation of additional security controls to ensure alternative administrative login methods remain adequately protected.
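Checking the recommended setting in a FortiOS configuration export can be automated. The script below is an added example (not Fortinet or Ostra code) that parses the `config system global` and `config system admin` sections of a configuration file, reports whether administrative login via FortiCloud SSO is enabled, and, as one illustration of the additional controls the recommendation mentions, flags administrator accounts that have no trusted-host restriction. It assumes the FortiOS CLI key `admin-forticloud-sso-login` under `config system global` and the `trusthost` attributes under `config system admin`; confirm both against the CLI reference for your firmware. The weak and hardened configuration texts are constructed.

```python
"""Audit a FortiOS configuration export for the FortiCloud SSO admin-login
setting and for admins without trusted hosts (added example, not vendor code)."""

# Constructed: the exposed state this bulletin recommends turning off.
WEAK_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set admintimeout 480
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

# Constructed: SSO admin login disabled, admin restricted to a management subnet.
HARDENED_CONFIG = """\
config system global
    set admin-forticloud-sso-login disable
    set admintimeout 10
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""


def parse_fortios_config(text):
    """Return (global_settings, admins) from the two sections this audit needs.

    Handles the flat `config <section> / set ... / end` and
    `edit "<name>" / set ... / next` layout; nested sub-blocks inside an
    admin entry are not tracked, which is enough for this check."""
    global_settings, admins = {}, {}
    section, current_admin = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit ") and section == "system admin":
            current_admin = line[len("edit "):].strip().strip('"')
            admins[current_admin] = {}
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            value = value.strip().strip('"')
            if section == "system global":
                global_settings[key] = value
            elif section == "system admin" and current_admin is not None:
                admins[current_admin][key] = value
        elif line == "next":
            current_admin = None
        elif line == "end":
            section = None
    return global_settings, admins


def audit(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    global_settings, admins = parse_fortios_config(config_text)
    findings = []
    sso = global_settings.get("admin-forticloud-sso-login")
    if sso == "enable":
        findings.append("FortiCloud SSO administrative login is enabled; "
                        "disable it on devices that are not yet running a fixed version")
    elif sso is None:
        # Not explicitly set: the effective value is the firmware default,
        # which must be confirmed on the device rather than assumed here.
        findings.append("admin-forticloud-sso-login is not explicitly set; "
                        "confirm the effective value on the device")
    for name, settings in admins.items():
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(f'administrator "{name}" has no trusted-host restriction')
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Feed the script the text of `show system global` and `show system admin` (or a full configuration backup) rather than relying on the GUI checkbox alone; the trusted-host finding is only one example of a compensating control for the remaining administrative login paths and should be adapted to your own access policy.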

Conclusion

Malicious threat actors seeking access to sensitive systems and data are not limited to novel or previously unknown attack vectors. While keeping devices fully patched and up to date significantly reduces risk, it does not eliminate the possibility of exploitation. Ostra Security continues to monitor evolving threats through AI-assisted analysis, continuously updated detection rules, and ongoing intelligence correlation to identify suspicious activity that may persist even after remediation. This layered approach helps ensure that emerging and residual risks are detected and addressed in a timely manner.

Sources:

  1. Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass
  2. Hackers breach Fortinet FortiGate devices, steal firewall configs
  3. Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?
  4. Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
  5. Administrative FortiCloud SSO authentication bypass
