CVE-2025-59718/59719: Fortinet FortiCloud SSO Authentication Bypass Actively Exploited on Fully Patched FortiGate Firewalls
- Rescana
- 3 days ago
- 4 min read

Executive Summary
Fortinet has confirmed that a critical authentication bypass vulnerability affecting FortiCloud SSO is being actively exploited in the wild, even on fully patched FortiGate firewalls. The vulnerability, tracked as CVE-2025-59718 and CVE-2025-59719, allows unauthenticated attackers to bypass SSO authentication by crafting malicious SAML messages. This enables adversaries to gain administrative access, create persistent local accounts, and exfiltrate sensitive configuration data. The exploitation is ongoing and global, with no sector or geography immune. This advisory provides a comprehensive technical analysis, threat actor tactics, exploitation evidence, victimology, and actionable mitigation strategies to help organizations defend against this advanced threat.
Threat Actor Profile
Attribution for the current exploitation of the FortiCloud SSO bypass remains inconclusive. The threat actors are demonstrating a high degree of operational security, leveraging generic email accounts such as cloud-noc@mail.io and cloud-init@mail.io for SSO logins, and routing malicious traffic through Cloudflare-protected infrastructure to mask their origin. The observed tactics, techniques, and procedures (TTPs) are consistent with both financially motivated cybercriminals and advanced persistent threat (APT) actors. The attackers are opportunistic, targeting any exposed and vulnerable FortiGate, FortiWeb, FortiProxy, or FortiSwitch Manager instance with FortiCloud SSO enabled, regardless of industry or geography. The use of generic local admin accounts and rapid exfiltration of configuration data suggests a focus on establishing persistent access and enabling lateral movement or future monetization.
Technical Analysis of Malware/TTPs
The core of the attack leverages a logic flaw in the FortiCloud SSO implementation, specifically in the handling of SAML assertions. By crafting a malicious SAML message, an unauthenticated attacker can trick the device into granting administrative access without valid credentials. This bypass is effective even on devices running the latest firmware, as the original patch released in December 2025 did not fully address the underlying issue.
Upon successful exploitation, the attacker typically performs the following actions: logs in as a privileged SSO user (often using the aforementioned generic email addresses), creates new local admin accounts such as audit, backup, itadmin, secadmin, or support to ensure persistence, modifies VPN or firewall configurations to facilitate further access, and exports the full device configuration to an external IP address. The attackers use a variety of source IPs, including 104.28.244.115, 104.28.212.114, 37.1.209.19, and 217.119.139.50, many of which are protected by Cloudflare to further obfuscate their infrastructure.
The attack chain aligns with several MITRE ATT&CK techniques: exploitation of public-facing applications (T1190), creation of new accounts for persistence (T1136), use of valid accounts for defense evasion (T1078), exfiltration of configuration files (T1005), and use of proxy services for command and control (T1090).
Exploitation in the Wild
Active exploitation of the FortiCloud SSO bypass has been observed since at least January 2026. Security researchers and managed detection and response (MDR) providers have reported a surge in unauthorized SSO logins, even on devices that had been fully patched according to Fortinet's December 2025 advisory. Attackers are not only gaining access but are also establishing persistence and exfiltrating sensitive data.
Log entries from compromised devices typically show successful admin logins via SSO from suspicious email addresses and source IPs. For example:
date=2026-01-15 time=12:34:56 devname="FGT60FXXXXXXX" devid="FGT60FXXXXXXX" eventtime=1673776496 tz="UTC" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="FGT60FXXXXXXX" user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.115)"
Following initial access, attackers create new local admin accounts and may export the device configuration via the web interface or API. The configuration files often contain sensitive information, including VPN credentials, network topology, and user data, which can be leveraged for further attacks or sold on underground forums.
Victimology and Targeting
The exploitation campaign is global and indiscriminate. Organizations of all sizes and across all sectors are at risk if they have FortiCloud SSO enabled on any affected Fortinet product. There is no evidence of targeting based on industry vertical, geography, or organization size. The opportunistic nature of the attacks, combined with the use of automated scanning and exploitation tools, means that any exposed and vulnerable device is a potential target.
Victims have included enterprises, government agencies, educational institutions, and managed service providers. The attackers' primary objectives appear to be establishing persistent access, collecting sensitive configuration data, and potentially preparing for future ransomware or data extortion operations.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by this vulnerability. Organizations should first restrict administrative access to Fortinet devices by implementing local-in policies that only allow management connections from trusted IP addresses. For example, in the FortiOS CLI:
config firewall address
    edit "trusted-admins"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "trusted-admins"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end
Local-in policies are evaluated in order and their action defaults to deny, so the explicit accept for trusted-admins must come before the catch-all deny. Before applying the deny, confirm that no other service exposed on that interface (for example SSL VPN listening on the same HTTPS port) is affected.
Next, disable FortiCloud SSO logins entirely until a comprehensive patch is available. This can be done via the GUI (System → Settings → Switch → "Allow administrative login using FortiCloud SSO" → Off) or via the CLI:
config system global
    set admin-forticloud-sso-login disable
end
Organizations should also conduct a thorough review of all administrative accounts, searching for unexpected or generic usernames such as audit, backup, itadmin, secadmin, or support. Log analysis should focus on SSO logins from suspicious email addresses and the known malicious source IPs listed above.
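As an added example that is not part of the Rescana advisory, the Python script below parses FortiOS key=value event logs and flags successful SSO admin logins that use the identities or source IPs quoted above, or an SSO identity outside the organization's own domain. The trusted domain example.com and the sample log lines are constructed assumptions; the first sample is a trimmed copy of the advisory's log entry.

```python
import re
# Indicators quoted in this advisory: attacker SSO identities and source IPs.
KNOWN_BAD_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
KNOWN_BAD_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
# Assumption (constructed): every legitimate SSO admin authenticates with this domain.
TRUSTED_SSO_DOMAIN = "example.com"
# FortiOS event logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line: str) -> dict[str, str]:
    """Parse one FortiOS key=value log line into a dict with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def sso_login_reasons(ev: dict[str, str]) -> list[str]:
    """Reasons a successful SSO admin login matches the activity described above."""
    if (ev.get("action"), ev.get("status"), ev.get("method")) != ("login", "success", "sso"):
        return []  # not a successful SSO login: out of scope for this check
    user, src = ev.get("user", "").lower(), ev.get("srcip", "")
    reasons = []
    if user in KNOWN_BAD_USERS:
        reasons.append(f"known attacker SSO identity {user}")
    elif "@" in user and user.rsplit("@", 1)[1] != TRUSTED_SSO_DOMAIN:
        reasons.append(f"SSO identity outside trusted domain: {user}")
    if src in KNOWN_BAD_IPS:
        reasons.append(f"known malicious source IP {src}")
    if reasons and ev.get("profile") == "super_admin":
        reasons.append("login was granted the super_admin profile")
    return reasons

def scan_log(lines: list[str]) -> list[dict]:
    """Run the check over raw log lines; return one record per flagged event."""
    hits = []
    for line in lines:
        ev = parse_fortios_log(line)
        reasons = sso_login_reasons(ev)
        if reasons:
            hits.append({"user": ev.get("user"), "srcip": ev.get("srcip"), "reasons": reasons})
    return hits

# Constructed sample: a trimmed copy of the advisory's log line plus two benign logins.
SAMPLE_LOGS = [
    'date=2026-01-15 time=12:34:56 logid="0100032001" type="event" user="cloud-init@mail.io" '
    'ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success" profile="super_admin"',
    'date=2026-01-15 time=09:00:00 logid="0100032001" type="event" user="alice@example.com" '
    'ui="sso(203.0.113.5)" method="sso" srcip=203.0.113.5 action="login" status="success" profile="super_admin"',
    'date=2026-01-15 time=09:05:00 logid="0100032001" type="event" user="admin" '
    'ui="https(10.10.10.5)" method="https" srcip=10.10.10.5 action="login" status="success" profile="super_admin"',
]
```

Running scan_log(SAMPLE_LOGS) flags only the first entry; the same function can be fed lines exported from FortiAnalyzer or syslog.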
If compromise is suspected, treat the device and its configuration as fully compromised. Restore from a known clean backup, rotate all credentials (including those for LDAP/AD integration), and open a support ticket with Fortinet for further guidance. Monitor the Fortinet PSIRT page for updates on patches and advisories.
Finally, organizations should consider implementing network segmentation and multi-factor authentication for all administrative access, and ensure that no device management interface is exposed to the public internet.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your cybersecurity posture, or for any questions regarding this advisory, please contact us at ops@rescana.com.