Cybersecurity firm Arctic Wolf first observed the attacks on January 15, 2026, involving rapid configuration exfiltration and persistence via generic admin accounts.
In December 2025, Fortinet disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719 (FG-IR-25-647), enabling unauthenticated attackers to bypass SSO authentication using crafted SAML messages when FortiCloud SSO is enabled.
These flaws affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, allowing admin access without credentials. Patches were issued, but recent incidents on updated firmware like 7.4.10 indicate a persistent or variant issue applicable to all SAML SSO implementations.
Fortinet’s PSIRT advisory details vulnerable versions and fixes.
| Product | Affected Versions | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | 7.2.12 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.14 | 7.2.15 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | 7.2.7 or above |
Reports confirm exploitation on 7.4.9, 7.4.10, and 7.6.x, with fixes scheduled for later releases.
Arctic Wolf telemetry reveals highly automated attacks mirroring December 2025 activity. Threat actors use malicious SSO logins (e.g., cloud-init@mail.io), exfiltrate configs via GUI for offline credential cracking, then create persistence accounts granting VPN access.
Incidents occur seconds apart, targeting internet-exposed devices; over 25,000 had SSO enabled per prior scans. Field Effect notes compromises on the latest FortiOS despite patches.
Combined IOCs from Fortinet, Arctic Wolf, and reports.
| Type | IOC | Context |
|---|---|---|
| User Account | cloud-noc@mail[.]io | SSO login |
| User Account | cloud-init@mail[.]io | SSO login, config exfil |
| IP Address | 104.28.244[.]115 | Cloudflare IP |
| IP Address | 104.28.212[.]114 | Intrusions |
| IP Address | 37.1.209[.]19 | Third-party observed |
| IP Address | 217.119.139[.]50 | Intrusions |
| Persistence Acct | audit, backup, itadmin | Local admin creation |
| Persistence Acct | secadmin, support | Local admin creation |
| Persistence Acct | remoteadmin, helpdesk | Local admin creation |
Search logs for SSO successes from these IPs/users and “Add system.admin” events.
Fortinet urges disabling FortiCloud SSO:
textconfig system global
set admin-forticloud-sso-login disable
end
Implement local-in policies to restrict admin access:
textconfig firewall local-in-policy
edit 1
set intf "port1"
set srcaddr "10.10.10.0" # Trusted subnet
set dstaddr "all"
set service "HTTPS"
set schedule "always"
next
end
Treat compromised devices as fully owned: upgrade to the latest firmware (e.g., 7.6.x), restore clean configs, rotate all credentials, including LDAP/AD, and audit VPN settings.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Fortinet Confirms Active Exploitation of FortiCloud SSO Authentication Bypass Vulnerability appeared first on Cyber Security News.
Anyone who's been paying attention to PC hardware over the last few months probably isn't…
If you enjoy listening to music while you run, then this headphone deal is right…
Anyone who's been paying attention to PC hardware over the last few months probably isn't…
If you enjoy listening to music while you run, then this headphone deal is right…
The LEGO Pokémon Venusaur, Charizard, and Blastoise, which is available exclusively at the LEGO Store,…
AMC Theatres is once again testing the waters to see if moviegoers are willing to…
This website uses cookies.