FortiGate FortiCloud SSO Authentication Bypass: Active Exploitation of CVE-2025-59718/59719 for Credential Theft and Network Breach

Executive Summary

Recent intelligence has revealed that sophisticated threat actors are actively exploiting authentication bypass vulnerabilities in FortiGate Next-Generation Firewall appliances to gain unauthorized access to enterprise networks and exfiltrate sensitive service account credentials. These attacks leverage flaws in the FortiCloud SSO implementation, specifically targeting vulnerabilities such as CVE-2025-59718 and CVE-2025-59719, which allow adversaries to circumvent authentication controls using crafted SAML requests. Once inside, attackers establish persistence, extract encrypted credentials for critical services like Active Directory and LDAP, and facilitate lateral movement and data exfiltration. The campaign has impacted organizations across healthcare, government, and managed service provider sectors, underscoring the urgent need for immediate mitigation and robust monitoring.

Threat Actor Profile

The observed activity aligns with the operational patterns of financially motivated cybercriminals, particularly those functioning as Initial Access Brokers (IABs). These actors specialize in breaching high-value targets and selling access to other threat groups, including ransomware operators. The tactics, techniques, and procedures (TTPs) employed—such as the creation of rogue administrative accounts, credential extraction, and the use of legitimate remote management tools—suggest a high degree of technical sophistication. While no direct attribution to a specific Advanced Persistent Threat (APT) group has been established, the campaign demonstrates a clear focus on monetization through the sale of network access and stolen credentials.

Technical Analysis of Malware/TTPs

The attack chain begins with the exploitation of FortiCloud SSO authentication bypass vulnerabilities. By sending specially crafted SAML authentication requests, attackers can impersonate legitimate users and obtain super_admin privileges on vulnerable FortiGate devices. Once authenticated, adversaries create persistent local administrator accounts with names such as support, secadmin, audit, backup, and itadmin. These accounts are used to maintain access even if the initial vulnerability is patched.

Attackers then extract configuration files from the compromised device, which often contain encrypted credentials for service accounts like fortidcagent used for LDAP or Active Directory integration. Using known decryption techniques, these credentials are recovered and leveraged to authenticate against internal directory services, enabling further privilege escalation and lateral movement.

Post-exploitation activities include enrolling rogue workstations into the domain, deploying remote access tools such as Pulseway and MeshAgent, and executing custom malware payloads, including Java-based malware delivered via DLL side-loading. Data exfiltration is achieved by transferring sensitive files—such as the NTDS.dit Active Directory database and SYSTEM registry hives—to attacker-controlled infrastructure, often hosted on cloud platforms like AWS and Cloudflare to obfuscate attribution.

Indicators of compromise (IOCs) associated with these campaigns include suspicious SSO logins from accounts like cloud-noc@mail.io and cloud-init@mail.io, the presence of unauthorized local admin accounts, and connections from IP addresses such as 104.28.244.115, 104.28.212.114, 37.1.209.19, and 217.119.139.50. Exfiltration servers have been observed at 172.67.196[.]232 over port 443.

Exploitation in the Wild

Active exploitation of these vulnerabilities has been confirmed in multiple sectors, with attackers leveraging both zero-day and recently disclosed flaws. The attack surface is expanded by organizations that have enabled FortiCloud SSO for administrative access, often without restricting access to trusted IP ranges. In several documented incidents, attackers bypassed authentication, established persistence, and extracted credentials within hours of initial compromise.

The use of cloud-based infrastructure for command-and-control (C2) and exfiltration complicates detection and response efforts. Attackers have demonstrated the ability to rapidly pivot within victim environments, using stolen credentials to access additional systems and deploy further payloads. The monetization phase typically involves selling access to other criminal groups, who may deploy ransomware or conduct further data theft.

Victimology and Targeting

The primary targets of this campaign are organizations operating FortiGate appliances with FortiCloud SSO enabled, particularly those in the healthcare, government, and managed service provider sectors. These industries are attractive due to the sensitive nature of their data and the criticality of their operations. The global reach of the campaign is facilitated by the widespread deployment of FortiGate devices and the common practice of integrating these firewalls with enterprise authentication systems.

Victims are often identified through internet-wide scanning for vulnerable FortiGate instances, followed by targeted exploitation. The attackers prioritize environments where service account credentials can provide access to broader network resources, maximizing the potential impact and value of the breach.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by these vulnerabilities. Organizations should upgrade all FortiGate devices to the latest firmware versions (7.6 or higher) as recommended by Fortinet. Until patches are applied, it is critical to disable FortiCloud SSO administrative logins. This can be accomplished via the GUI by navigating to System → Settings and toggling "Allow administrative login using FortiCloud SSO" to Off, or via the CLI with the following commands:

config system global
    set admin-forticloud-sso-login disable
end

A comprehensive audit of all administrative accounts should be conducted to identify and remove unauthorized entries. All credentials associated with LDAP, Active Directory, and other integrated services must be rotated, as attackers may have extracted and decrypted these secrets. Administrative access to FortiGate devices should be restricted to trusted IP addresses using local-in policies.

Continuous monitoring for IOCs—including suspicious SSO logins, the creation of new admin accounts, and connections from known attacker IPs—is essential. If compromise is suspected, organizations should assume that all configurations and credentials have been exposed and restore affected systems from known clean backups.
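The configuration checks from the mitigation steps (SSO login setting, unauthorized admin accounts) and the IOC monitoring described in this section can be scripted against a device's exported configuration and its logs. The Python below is an added example written for this post; it is not code from Rescana or Fortinet. It parses a small constructed FortiOS configuration excerpt and a few constructed FortiGate-style log lines, then reports the SSO setting, admin accounts outside an assumed known-good baseline (here only `admin`), and log events matching the indicators listed above. Assumptions to note: the log field names (`action`, `cfgpath`, `cfgobj`, `user`, `srcip`, `dstip`, `dstport`, `sentbyte`, `method`) follow the common key=value layout in simplified form and are not guaranteed to match a specific FortiOS release, the dates and internal addresses in the samples are invented, and any setting other than an explicit `disable` is treated as SSO being enabled.

```python
import re

# Indicators quoted from the advisory above.
IOC_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_SOURCE_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
IOC_EXFIL_ENDPOINTS = {("172.67.196.232", "443")}
ROGUE_ADMIN_NAMES = {"support", "secadmin", "audit", "backup", "itadmin"}
APPROVED_ADMINS = {"admin"}  # assumption: the organisation's known-good admin baseline

def parse_fortios_config(text):
    """Parse flat FortiOS config/edit/set/next/end text into {section: {entry: {key: value}}}.
    Keys set directly under a section go under entry None; nested blocks and multi-value 'set' are not handled."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], None
            tree.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tree[section].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree[section].setdefault(entry, {})[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return tree

def audit_config(text):
    """Configuration checks from the mitigation steps; returns (severity, rule, detail) tuples."""
    cfg = parse_fortios_config(text)
    findings = []
    sso = cfg.get("system global", {}).get(None, {}).get("admin-forticloud-sso-login")
    if sso != "disable":  # conservative assumption: anything but an explicit 'disable' counts as enabled
        findings.append(("high", "sso_enabled", "FortiCloud SSO administrative login is not disabled"))
    for name in cfg.get("system admin", {}):
        if name is None or name in APPROVED_ADMINS:
            continue
        if name in ROGUE_ADMIN_NAMES:
            findings.append(("high", "rogue_admin_name", f"admin '{name}' matches a name used in this campaign"))
        else:
            findings.append(("medium", "unknown_admin", f"admin '{name}' is not in the approved baseline"))
    return findings

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log_line(line):
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def scan_logs(lines):
    """Match log records against the campaign IOCs; returns (severity, rule, detail) tuples."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        user, srcip = rec.get("user", ""), rec.get("srcip", "")
        if rec.get("action") == "login" and user in IOC_SSO_ACCOUNTS:
            hits.append(("high", "ioc_sso_account", f"login by {user} from {srcip}"))
        if srcip in IOC_SOURCE_IPS:
            hits.append(("high", "ioc_source_ip", f"activity from known attacker IP {srcip}"))
        if rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin":
            obj = rec.get("cfgobj", "")
            rule = "rogue_admin_added" if obj in ROGUE_ADMIN_NAMES else "admin_added"
            hits.append(("high", rule, f"admin account '{obj}' created by {user} from {srcip}"))
        if (rec.get("dstip"), rec.get("dstport")) in IOC_EXFIL_ENDPOINTS:
            hits.append(("high", "exfil_endpoint",
                         f"{srcip} sent {rec.get('sentbyte', '?')} bytes to {rec['dstip']}:{rec['dstport']}"))
    return hits

# Constructed sample config excerpt (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "secadmin"
        set accprofile "super_admin"
    next
end
"""
# Constructed sample log lines in a simplified FortiGate key=value layout.
SAMPLE_LOGS = [
    'date=2025-12-01 time=03:14:07 type=event subtype=system action=login status=success '
    'user="cloud-noc@mail.io" srcip=104.28.244.115 method=sso msg="Administrator logged in"',
    'date=2025-12-01 time=03:15:41 type=event subtype=system action=Add cfgpath=system.admin '
    'cfgobj="secadmin" user="cloud-noc@mail.io" srcip=104.28.244.115 msg="Add system.admin secadmin"',
    'date=2025-12-01 time=03:20:02 type=event subtype=system action=login status=success '
    'user="admin" srcip=10.0.5.20 method=https msg="Administrator logged in"',
    'date=2025-12-01 time=04:02:19 type=traffic subtype=forward srcip=10.0.9.44 '
    'dstip=172.67.196.232 dstport=443 proto=6 action=accept sentbyte=58234112',
]
if __name__ == "__main__":
    for sev, rule, detail in audit_config(SAMPLE_CONFIG) + scan_logs(SAMPLE_LOGS):
        print(f"[{sev.upper():6}] {rule}: {detail}")
```

Run as-is, the script flags the enabled SSO setting and the `secadmin` account in the config, and in the logs the SSO login by an IOC account, two events from a known attacker IP, the creation of a rogue admin by that session, and the outbound transfer to the exfiltration endpoint; the benign `admin` login from an internal address produces nothing. Replace `SAMPLE_CONFIG` with a `show full-configuration` export and `SAMPLE_LOGS` with lines from your log store, and extend `APPROVED_ADMINS` to your own baseline.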

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.
