Jan 23
Fortinet Confirms New Zero-Day SSO Exploits Targeting Fully Patched Devices
Fortinet has issued an urgent warning to its customer base following the discovery of a new wave of cyberattacks targeting its network security appliances, including FortiOS, FortiWeb, and FortiProxy devices.
While the company had previously released an advisory in December 2025 regarding two FortiCloud Single Sign-On (SSO) bypass vulnerabilities—tracked as CVE-2025-59718 and CVE-2025-59719—security researchers have now observed exploitation attempts against devices that were already fully upgraded to the latest firmware. This development indicates that threat actors have identified a new attack path that circumvents recent security patches, forcing the vendor to accelerate the development of a new remediation.
The initial vulnerabilities, discovered during an internal code audit, allowed an unauthenticated login bypass via crafted SAML messages when the FortiCloud SSO feature was enabled. However, in the last 24 hours, Fortinet confirmed that a small number of customers experienced unexpected login activity on updated devices. While the current observations are limited to the exploitation of FortiCloud SSO, the company noted that the underlying flaw applies to all SAML SSO implementations. Threat actors appear to be using specific email addresses, primarily "cloud-noc@mail.io" and "cloud-init@mail.io," to perform the unauthorized logins. These attacks have been traced to multiple IP addresses, including 104.28.244.115 and 104.28.212.114, often masking their origin through Cloudflare-protected infrastructure.
Once the attackers successfully bypass authentication, their primary objective appears to be establishing persistence. Forensic analysis has revealed that immediately following the SSO breach, the intruders create local administrative accounts with generic names such as "audit," "backup," "itadmin," "secadmin," or "support." This tactic ensures they retain control over the device even if the SSO vulnerability is later patched or disabled. System administrators are being urged to immediately audit their device logs for these specific user accounts, as well as for log entries indicating "Admin login successful" via the SSO method from the suspicious IP addresses listed in the company's analysis.
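As an added illustration of the log audit described above (not code from Fortinet or from this article), the script below runs the published indicators over a few constructed FortiOS-style event-log lines: it flags SSO admin logins by the two attacker identities or from the two listed source IPs, and flags creation of local admin accounts bearing the names from the advisory. The key=value field names (logdesc, method, srcip, cfgpath, cfgobj, action) are assumptions for this example and should be checked against your own device's log format.

```python
import re

# Constructed sample log lines in a FortiOS-style key=value layout. Field names are
# assumptions for this example; verify them against real exported logs before use.
SAMPLE_LOGS = """\
date=2026-01-22 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="cloud-noc@mail.io" method="sso" srcip=104.28.244.115 action="login" status="success"
date=2026-01-22 time=03:14:21 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-noc@mail.io" srcip=104.28.244.115 cfgpath="system.admin" cfgobj="secadmin" cfgattr="accprofile[super_admin]" action="Add"
date=2026-01-22 time=09:02:44 type="event" subtype="system" logdesc="Admin login successful" user="alice" method="https" srcip=10.0.5.12 action="login" status="success"
date=2026-01-22 time=09:05:10 type="event" subtype="system" logdesc="Object attribute configured" user="alice" srcip=10.0.5.12 cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[prof_admin]" action="Add"
"""

# Indicators taken from the article: attacker SSO identities, source IPs, persistence account names.
SUSPICIOUS_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
SUSPICIOUS_IPS = {"104.28.244.115", "104.28.212.114"}
SUSPICIOUS_ACCOUNTS = {"audit", "backup", "itadmin", "secadmin", "support"}

# key=value with the value either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def classify(event):
    """Return the list of indicator descriptions matched by one parsed event (empty = clean)."""
    reasons = []
    if event.get("logdesc") == "Admin login successful" and event.get("method") == "sso":
        if event.get("user") in SUSPICIOUS_USERS:
            reasons.append("SSO admin login by known attacker identity")
        if event.get("srcip") in SUSPICIOUS_IPS:
            reasons.append("SSO admin login from listed source IP")
    if event.get("cfgpath") == "system.admin" and event.get("action") == "Add":
        if event.get("cfgobj") in SUSPICIOUS_ACCOUNTS:
            reasons.append("local admin created with name from advisory list")
        if event.get("user") in SUSPICIOUS_USERS:
            reasons.append("local admin created by attacker identity")
    return reasons


def scan(log_text):
    """Return (line_number, event, reasons) for every line matching at least one indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            hits.append((n, event, reasons))
    return hits


if __name__ == "__main__":
    for n, ev, reasons in scan(SAMPLE_LOGS):
        print(f"line {n}: {ev.get('date')} {ev.get('time')} user={ev.get('user')} "
              f"srcip={ev.get('srcip')} -> {'; '.join(reasons)}")
```

Lines 1 and 2 of the sample are reported (attacker login, then creation of "secadmin"); the administrator's own login and the "helpdesk" account on lines 3 and 4 are not, showing that the name list alone does not replace review of who created an account and from where.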
In the absence of an immediate software patch, Fortinet has provided critical mitigation strategies to secure network perimeters. The company strongly recommends disabling the FortiCloud SSO feature entirely through the system settings or Command Line Interface (CLI) to close the attack vector. Additionally, administrators are advised to implement strict "local-in" policies that restrict administrative access to the device solely from trusted, internal IP subnets, thereby blocking external attempts to reach the management interface. If any Indicators of Compromise (IOCs) are found, Fortinet advises treating the system as fully compromised, necessitating a configuration restore from a clean backup and a comprehensive rotation of all credentials, including any connected LDAP or Active Directory accounts. The company states that a formal advisory and permanent fix will be released as soon as the scope of the solution is finalized.
Executive IT Forums, Inc.