The Register

Fortinet admits FortiGate SSO bug still exploitable despite December patch

Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date.

In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor’s earlier fix.

The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.

Arctic Wolf said the campaign kicked off around January 15, with attackers spinning up VPN-enabled accounts and ripping out firewall configuration files in a matter of seconds – behavior strongly suggesting automation rather than careful, hands-on-keyboard work. The security firm added that the activity closely mirrors incidents it observed back in December, in the wake of Fortinet’s disclosure of the supposedly patched SSO authentication bypass flaw.

“Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue,” said Fortinet chief information security officer Carl Windsor.

“However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.”

“Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence,” Windsor said. “An advisory will be issued as the fix scope and timeline is available.”

While exploitation has so far only been observed via FortiCloud SSO, Windsor warned that the underlying weakness is not limited to that service.

“It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations.” That’s not the sort of detail likely to calm anyone responsible for keeping these boxes locked down.

Fortinet has not yet published technical details of the alternate attack path, though the company says investigations are ongoing. In the meantime, it has advised customers to review authentication logs for any unexpected login activity, restrict exposure of the management interface, and closely monitor changes to administrator accounts.
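The advice above (review authentication logs, watch administrator-account changes) combined with Arctic Wolf's description of the campaign (an SSO login followed within seconds by a new VPN-enabled admin and a configuration export) lends itself to a simple log hunt. The script below is an added example, not code from the article, Fortinet or Arctic Wolf. The log lines are constructed to resemble FortiOS key=value event logs, but the field names (`logdesc`, `method`, `cfgpath`, `cfgobj`, `action`) are assumptions about the schema, not a documented format; map them to whatever your own FortiGate syslog or SIEM export actually emits.

```python
"""Hunt for the fast SSO-login -> admin-creation -> config-export pattern.

Added example, not from the article or from Fortinet. The sample lines are
CONSTRUCTED to look like FortiOS event logs; field names are assumptions.
"""
from datetime import datetime
import shlex

# Constructed sample telemetry (not real). One benign local admin session and
# one SSO session that adds an admin and exports the config within seconds.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:01 type=event subtype=system logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="local"
date=2026-01-15 time=03:40:22 type=event subtype=system logdesc="Admin login successful" user="svc-cloud" ui="sso(198.51.100.7)" method="sso"
date=2026-01-15 time=03:40:25 type=event subtype=system logdesc="Object attribute configured" user="svc-cloud" cfgpath="system.admin" cfgobj="backup_adm" action="Add"
date=2026-01-15 time=03:40:27 type=event subtype=system logdesc="Configuration backed up" user="svc-cloud" action="backup"
date=2026-01-15 time=09:05:00 type=event subtype=system logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="local"
date=2026-01-15 time=09:30:00 type=event subtype=system logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="helpdesk" action="Add"
"""


def parse_line(line):
    """Turn one key=value line into a dict; quoted values are handled by shlex."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    """Parse a block of log lines, skipping blank ones."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_sso_login(ev):
    """Assumed field: method="sso" marks a SAML/FortiCloud SSO admin login."""
    return ev.get("logdesc") == "Admin login successful" and ev.get("method") == "sso"


def describe_followup(ev):
    """Label the high-risk follow-on actions the campaign used, else None."""
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        return "admin account added: " + ev.get("cfgobj", "?")
    if ev.get("logdesc") == "Configuration backed up":
        return "config backup"
    return None


def find_fast_sso_followups(events, window_seconds=60):
    """Flag SSO logins where the same user adds an admin or exports the
    config within window_seconds; human admins rarely do this that fast."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, login in enumerate(events):
        if not is_sso_login(login):
            continue
        actions = []
        for ev in events[i + 1:]:
            elapsed = (ev["ts"] - login["ts"]).total_seconds()
            if elapsed > window_seconds:
                break  # sorted, so nothing later can be inside the window
            if ev.get("user") != login.get("user"):
                continue
            label = describe_followup(ev)
            if label:
                actions.append(label)
        if actions:
            findings.append({
                "user": login["user"],
                "login_ts": login["ts"].isoformat(),
                "source": login.get("ui", ""),
                "actions": actions,
            })
    return findings


def admin_account_changes(events):
    """Every change to the administrator table, SSO or not, for periodic review."""
    return [ev for ev in events if ev.get("cfgpath") == "system.admin"]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for f in find_fast_sso_followups(evs):
        print("SUSPICIOUS:", f)
    for c in admin_account_changes(evs):
        print("admin change:", c["ts"], c["user"], c["action"], c["cfgobj"])
```

The one-minute window is a starting point, not a tuned threshold: widen it if your admins script changes through legitimate automation, and feed the `admin_account_changes` list into whatever ticketing or change-control review you already run, since the second finding (a local admin adding `helpdesk`) may be perfectly legitimate but is exactly the kind of change the advisory asks you to keep an eye on.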

For now, Fortinet customers are left watching the logs and waiting for another fix — this time hoping it actually closes the door. ®