dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

info@thehackernews.com (The Hacker News)
January 23, 2026
Fortinet has officially confirmed that it’s working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. “In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new
Total
0
Shares
0
0
0
[[{“value”:”

Fortinet has officially confirmed that it’s working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls.

“In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” Fortinet Chief Information Security Officer (CISO) Carl Windsor said in a Thursday post.

The activity essentially mounts to a bypass for patches put in place by the network security vendor to address CVE-2025-59718 and CVE-2025-59719, which could allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. The issues were originally addressed by Fortinet last month.

However, earlier this week, reports emerged of renewed activity in which malicious SSO logins on FortiGate appliances were recorded against the admin account on devices that had been patched against the twin vulnerabilities. The activity is similar to incidents observed in December, shortly after the disclosure of the CVE-2025-59718 and CVE-2025-59719.

Cybersecurity

The activity involves the creation of generic accounts for persistence, making configuration changes granting VPN access to those accounts, and the exfiltration of firewall configurations to different IP addresses. The threat actor has been observed logging in with accounts named “cloud-noc@mail.io” and “cloud-init@mail.io.”

As mitigations, the company is urging the following actions –

  • Restrict administrative access of edge network device via the internet by applying a local-in policy
  • Disable FortiCloud SSO logins by disabling “admin-forticloud-sso-login”

“It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations,” Fortinet said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

TikTok Forms U.S. Joint Venture to Continue Operations Under 2025 Executive Order

January 23, 2026
Next Post

Cyberattack disrupts digital systems at renowned Dresden museum network

January 23, 2026
Related Posts
4 min

Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days

Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild. Of the 59 flaws, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code
info@thehackernews.com (The Hacker News)
February 11, 2026
Read More
2 min

CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution

The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any
info@thehackernews.com (The Hacker News)
December 30, 2025
Read More
4 min

Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said
info@thehackernews.com (The Hacker News)
December 20, 2025
Read More