Fortinet on Thursday confirmed that recent attacks are bypassing FortiCloud single sign-on (SSO) login authentication on devices fully patched against recent vulnerabilities.
Leveraging automation, hackers are making configuration changes to FortiGate firewalls to add new user accounts, enable VPN access, and exfiltrate device configuration files, Arctic Wolf warned this week.
The cybersecurity company pointed out that the fresh campaign resembles December 2025 attacks targeting CVE-2025-59718 and CVE-2025-59719, two critical-severity defects impacting the FortiCloud SSO login feature of FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices.
Fortinet released fixes for the two flaws in early December, warning that crafted SAML response messages could be used to bypass authentication on instances that have the FortiCloud SSO login feature enabled.
On Thursday, Fortinet confirmed previous fears that the attacks were successful even against devices that had been patched against CVE-2025-59718 and CVE-2025-59719.
“We have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” Fortinet said.
“It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations,” it added.
Fortinet says it is working on a fix, but could not share details on its availability.
The company has shared indicators of compromise (IOCs) to help customers hunt for malicious activity on their devices.
Organizations are advised to block administrative access to edge devices from the internet and restrict it to local IP addresses.
“As an additional workaround we recommend disabling the FortiCloud SSO feature. This will prevent abuse via that method but not a third-party SSO system, so this is recommended only in conjunction with the local-in policy,” Fortinet notes.
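A configuration check for the two mitigations above, as an added example that is not from the article or from Fortinet. It assumes a FortiOS-style text backup, that `admin-forticloud-sso-login` under `config system global` controls the FortiCloud SSO login feature, and that `role wan` marks the internet-facing interface; the sample configuration is constructed.

```python
# Constructed sample in FortiOS backup syntax (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
"""
ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet"}

def parse_sections(text):
    """Return {section: {entry: {key: [values]}}}; unnamed entries use ''."""
    sections, section, entry, depth = {}, None, "", 0
    for line in text.splitlines():
        words = [w.strip('"') for w in line.split()]
        head = words[0] if words else ""
        if head == "config":
            depth += 1
            if depth == 1:  # nested "config" blocks are skipped via depth
                section, entry = " ".join(words[1:]), ""
                sections.setdefault(section, {})
        elif head == "end":
            depth -= 1
        elif depth == 1 and head in ("edit", "next"):
            entry = words[1] if head == "edit" and len(words) > 1 else ""
        elif depth == 1 and head == "set" and len(words) > 1:
            sections[section].setdefault(entry, {})[words[1]] = words[2:]
    return sections

def audit(text):
    """Flag settings that the two recommended mitigations would change."""
    cfg, findings = parse_sections(text), []
    # Assumption: a key absent from the backup is at its default (disabled).
    sso = cfg.get("system global", {}).get("", {}).get("admin-forticloud-sso-login")
    if sso == ["enable"]:
        findings.append("FortiCloud SSO admin login is enabled")
    for name, s in cfg.get("system interface", {}).items():
        exposed = sorted(ADMIN_PROTOCOLS & set(s.get("allowaccess", [])))
        # Assumption: role "wan" identifies the internet-facing interface.
        if s.get("role") == ["wan"] and exposed:
            findings.append(f"{name}: {'/'.join(exposed)} admin access on WAN interface")
    return findings
```

An empty result only means neither setting was found in the backup; it does not show the device is unaffected, since Fortinet states the issue applies to all SAML SSO implementations.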

