Fortinet Confirms FortiCloud SSO Exploitation Against Patched Devices
SecurityWeek
Fortinet on Thursday confirmed that recent attacks are bypassing FortiCloud single sign-on (SSO) login authentication on devices fully patched against recent vulnerabilities.
Leveraging automation, hackers are making configuration changes to FortiGate firewalls to add new user accounts, enable VPN access, and exfiltrate device configuration files, Arctic Wolf warned this week.
The cybersecurity company pointed out that the fresh campaign resembles December 2025 attacks targeting CVE-2025-59718 and CVE-2025-59719, two critical-severity defects impacting the FortiCloud SSO login feature of FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices.
Fortinet released fixes for the two flaws in early December, warning that crafted SAML response messages could be used to bypass authentication on instances that have the FortiCloud SSO login feature enabled.
On Thursday, Fortinet confirmed previous fears that the attacks were successful even against devices that had been patched against CVE-2025-59718 and CVE-2025-59719.
“We have identified a number of cases where the exploit was to ...

