Fortinet has recognized that it is investigating a new attack vector that allows SSO authentication to be skipped on devices using FortiCloud, even on devices that had been recently updated. In recent days the company detected malicious accesses that did not respect the previously applied corrections to two assigned vulnerabilities such as CVE-2025-59718 and CVE-2025-59719, suggesting that the attackers have found an alternative route to authenticate sessions without going through the legitimate flow of SAML.
The reported incidents show a clear pattern: intruders that log in through the FortiCloud SSO mechanism, create generic accounts to maintain persistent access, modify the configuration to enable them to connect with VPN and extract firewall settings to external servers. Account names observed by researchers include "cloud-noc @ mail.io" and "cloud-init @ mail.io", labels that serve to track the activity and check if a device has been compromised.
It's important to understand why this is serious. SAML (Security Assertion Markup Language) is a widely used standard for delegating authentication between identity providers and services; when that mechanism fails, an attacker can supplant administrators without valid credentials. If you want to deepen how SAML works and why any failure in its implementation can have extensive consequences, there are good technical explanations in official OASIS documentation and in informative analyses such as Cloudflare: SAML v2.0 (OASIS) specification and practical explanation of SAML by Cloudflare.
Fortinet has published a public analysis of this campaign and the exploitation of the SSO that it is actively studying and mitigating; its technical report details the findings and the time measures recommended by the manufacturer. You can see that note on your official blog to see the information directly from the source: SSO abuse analysis in FortiOS (Fortinet). In addition, the related vulnerabilities are recorded in the CVE public lists for technical reference: CVE-2025-59718 and CVE-2025-59719.
While Fortinet works to completely close the new route of attack, there are several urgent actions that organizations with FortiGate devices should take. First of all, it is appropriate to reduce the administrative exposure of equipment to the Internet by implementing local access policies and by limiting the direction of management ports. Another practical measure is to temporarily disable the FortiCloud SSO login - the option identified as admin-forticloud-sso-login- until it is confirmed that the correction covers the new vector. It is also critical to audit existing administrative accounts, seek the presence of the names observed by researchers and review changes in VPN policies and configuration exports that may indicate exfiltration.
In addition to the specific measures, it is appropriate to adopt detection and containment measures: to review authentication and system records to detect unusual SSO login, to apply alerts for the creation of administrative accounts and the modification of remote access rules, and, if commitment is confirmed, to isolate the affected devices and restore configurations from pre-incident backup. We must not forget to strengthen the general position: apply multifactor authentication where possible, rotate credentials and maintain a rigorous inventory and change control for edge devices.
This incident also leaves a broader teaching: although the observed exploitation has focused on FortiCloud SSO, the failures in SAML implementations can affect any supplier or product that depends on this standard for the single login. This is why it is recommended that corporate security teams review all SAML integrations that have deployed, analyse the possibility of assertions supplanting attacks and consult publications from their suppliers and cybersecurity agencies for specific measures.
The situation continues to evolve and Fortinet has indicated that it is deploying additional corrections to close the new track of attack detected. Keeping informed with the supplier's official communications and public security alerts is key to responding quickly. For technical follow-up and official recommendations review the manufacturer's statement and the above mentioned CVE entries.
If you manage FortiGate on your network and have not taken any of these measures, act as soon as possible: limit administrative access from the Internet, disable the FortiCloud SSO if it is not necessary and monitor commitment signals. In a world where unique authentication tools gain ground, the security of their implementation is as strong as the weakest of their integrations.
Safety alert Drug critical vulnerability of SQL injection in PostgreSQL requires immediate update
Drucal has published safety updates for a vulnerability qualified as "highly critical" which affects Drumal Core and allows an attacker to achieve arbitrary SQL injection in sit...
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
RAMPART and Clarity redefine the safety of IA agents with reproducible testing and governance from the start
Microsoft has presented two open source tools, RAMPART and Clarity, aimed at changing the way the safety of IA agents is tested: one that automates and standardizes technical te...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...