Executive Summary
In January 2026, Fortinet confirmed that attackers actively exploited a new authentication bypass vulnerability affecting FortiCloud SSO on fully patched FortiGate firewalls. Despite organizations applying the latest security updates, adversaries used an undisclosed flaw to circumvent authentication protections, gaining unauthorized administrative access to network infrastructure. The incidents were detected within 24 hours of the latest firmware deployment, leading to compromised management interfaces and potentially broad security implications for affected enterprises utilizing FortiCloud SSO for remote management and single sign-on.
This breach underscores a persistent challenge in cloud-managed network security: even well-maintained, up-to-date systems may be vulnerable to zero-day exploits. The event highlights increased attacker focus on SSO and management plane weaknesses, as well as the importance of layered defenses, rapid detection, and coordinated response in modern enterprise security architecture.
Why This Matters Now
With attackers now able to compromise fully updated Fortinet firewalls via a cloud SSO vulnerability, organizations face urgent pressure to reevaluate their reliance on single sign-on and management-plane security. Immediate action is needed to detect unauthorized access, harden exposed admin interfaces, and implement compensating controls until an effective patch is released.
Attack Path Analysis
Attackers exploited a FortiCloud SSO authentication bypass vulnerability on fully patched FortiGate firewalls, obtaining unauthorized access. Following initial compromise, adversaries likely escalated their privileges using inherent flaws in authentication controls. With elevated access, lateral movement within internal or cross-region networks was feasible but potentially limited by segmentation. Attackers established command and control channels, likely leveraging outbound traffic to maintain persistence and orchestrate actions. Data exfiltration was possible via unauthorized egress; however, strong outbound controls and encryption could have detected or prevented loss. Impact could include further unauthorized access, disruption, or the use of firewalls for broader attacks, depending on post-exfiltration actions.
Kill Chain Progression
Initial Compromise
Description
Exploitation of a FortiCloud SSO authentication bypass vulnerability to gain unauthorized access to the firewall management interface.
Related CVEs
CVE-2025-59718
CVSS 9.8An improper verification of cryptographic signatures in FortiCloud SSO login allows unauthenticated attackers to bypass authentication via crafted SAML messages.
Affected Products:
Fortinet FortiOS – 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, 7.4.0 through 7.4.8, 7.6.0 through 7.6.3
Fortinet FortiProxy – 7.0.0 through 7.0.21, 7.2.0 through 7.2.14, 7.4.0 through 7.4 ... , 7.6.0 through ...
Fortinet FortiSwitchManager – 7.0.0 through ... , 7.2.0 through ...
Exploit Status:
exploited in the wildReferences:
https://www.fortiguard.com/psirt/FG-IR-25-647https://www.cyber.gc.ca/en/alerts-advisories/al25-019-vulnerabilities-impacting-fortinet-products-forticloud-sso-login-authentication-bypass-cve-2025-59718-cve-2025-59719https://www.dataminr.com/resources/intel-brief/cve-2025-59718-and-cve-2025-59719-critical-fortinet-sso-vulnerabilities/CVE-2025-59719
CVSS 9.8An improper verification of cryptographic signatures ... FortiCloud SSO login allows unauthenticated attackers to bypass authentication via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – 7.4.0 through ... , 7.6.0 through ... 4, 8.0.0
Exploit Status:
exploited in the wildReferences:
https://www.fortiguard.com/psirt/FG-IR-25-647https://www.cyber.gc.ca/en/alerts-advisories/al25-019-vulnerabilities-impacting-fortinet-products-forticloud-sso-login-authentication-bypass-cve-2025-59718-cve-2025-59719https://www.dataminr.com/resources/intel-brief/cve-2025-59718-and-cve-2025-59719-critical-fortinet-sso-vulnerabilities/
MITRE ATT&CK® Techniques
Network Device Authentication Bypass
Valid Accounts: Default Accounts
Exploit Public-Facing Application
External Remote Services
Brute Force: Password Guessing
Exploitation for Credential Access
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.5
DORA – ICT Risk Management
Control ID: Article 9
CISA ZTMM 2.0 – Strong Authentication
Control ID: Identity Pillar: 1.6
NIS2 Directive – Technical and Organizational Measures - Access Control
Control ID: Article 21.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
FortiCloud SSO bypass on patched FortiGate firewalls threatens encrypted traffic protection and zero trust segmentation critical for financial compliance frameworks.
Health Care / Life Sciences
Network infrastructure exploitation bypassing authentication controls compromises HIPAA-required east-west traffic security and egress policy enforcement for patient data protection.
Government Administration
Active SSO bypass vulnerability on fully patched systems undermines multicloud visibility controls and threat detection capabilities essential for government security operations.
Information Technology/IT
Confirmed exploitation against latest releases exposes cloud firewall and kubernetes security gaps, impacting centralized policy enforcement across hybrid connectivity infrastructures.
Sources
- Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewallshttps://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.htmlVerified
- Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypasshttps://www.fortiguard.com/psirt/FG-IR-25-647Verified
- Vulnerabilities impacting Fortinet products - FortiCloud SSO Login Authentication Bypass - CVE-2025- ... and CVE-2025- ... https://www.cyber.gc.ca/en/alerts-advisories/al25-019-vulnerabilities-impacting-fortinet-products-forticloud-sso-login-authentication-bypass-cve-2025-59718-cve-2025-59719Verified
- CVE-2025-59718 and CVE-2025- ... : Critical Fortinet SSO Vulnerabilitieshttps://www.dataminr.com/resources/intel-brief/cve-2025-59718-and-cve-2025-59719-critical-fortinet-sso-vulnerabilities/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Comprehensive Zero Trust segmentation, egress policy enforcement, and inline detection would have constrained attacker movement, limited privilege escalation, and prevented exfiltration attempts even after the SSO bypass. Distributed fabric controls would detect and block anomalous actions post-compromise, while robust egress filtering and encryption would reduce data loss and visibility to attackers.
Control: Cloud Native Security Fabric (CNSF) Distributed Inline Enforcement
Mitigation: Initial unauthorized access attempt is detected and can be blocked.
Control: Zero Trust Segmentation
Mitigation: Limits privilege elevation opportunities to only approved identities and segments.
Control: East-West Traffic Security
Mitigation: Internal movement is detected, audited, and blocked by enforced segmentation.
Control: Multicloud Visibility & Control
Mitigation: Suspicious outbound C2 patterns are surfaced and can be contained.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data exfiltration attempts are denied or flagged.
Rapid detection and automated incident response minimizes impact.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- IT Infrastructure Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of network configurations, firewall settings, and administrative credentials, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust segmentation to limit privilege escalation and lateral movement, even if perimeter authentication is compromised.
- • Deploy distributed inline enforcement with CNSF to detect and block anomalous authentication bypasses in real time.
- • Apply strict egress policy enforcement with FQDN filtering and encryption to deny unauthorized outbound data flows and prevent exfiltration.
- • Implement continuous monitoring and anomaly response to rapidly detect post-compromise activities and minimize attacker dwell time.
- • Regularly review firewall, authentication, and fabric control policy for gaps, ensuring swift patch deployment and effective runtime enforcement.
