
Fortinet admits FortiGate SSO bug still exploitable despite December patch


Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date.

In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor's earlier fix.

The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.

Arctic Wolf said the campaign kicked off around January 15, with attackers spinning up VPN-enabled accounts and ripping out firewall configuration files in a matter of seconds – behavior strongly suggesting automation rather than careful, hands-on-keyboard work. The security firm added that the activity closely mirrors incidents it observed back in December, in the wake of ...


Copyright of this story solely belongs to theregister.co.uk.