Fortinet FortiGate exploited via SSO authentication abuse

Threat summary

On January 22, researchers reported an active campaign involving the compromise of Fortinet FortiGate, a firewall platform widely used for perimeter security, VPN access, and network segmentation. The attacks were first observed a week earlier, on January 15, with threat actors authenticating through a Single Sign‑On (SSO) mechanism using crafted Security Assertion Markup Language (SAML) assertions that were accepted by FortiGate as valid.

During these intrusions, attackers made malicious configuration changes to FortiGate devices, including modifying firewall policies, altering SSL VPN settings, and updating administrative access controls. Researchers confirmed that these changes were performed through legitimate administrative workflows rather than malware. Once the SSO login succeeds, FortiGate treats the session as a fully authorized administrator, allowing the attacker to operate entirely within normal management workflows.

Affected organizations reported that the activity occurred even on systems running the latest FortiOS release, version 7.4.10. There is ongoing speculation about whether the exploitation is related to previously patched vulnerabilities tracked as CVE‑2025‑59718 and CVE‑2025‑59719.

These flaws affect multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, and allow unauthenticated SSO bypass due to improper handling of SAML messages. When FortiCloud SSO is enabled, a crafted SAML message could be used to exploit the issue.

Some publications and Reddit users have claimed that Fortinet support suggested these flaws were not fully resolved and that additional fixes were planned. Fortinet is yet to comment publicly, confirm the root cause of the current activity, or link the activity to any previously disclosed vulnerability. The identity of the threat actor behind the campaign also remains unknown.

Insights & recommendations

The potential impact of this threat could be severe. Someone with administrative access can create persistent accounts, alter firewall and SSL VPN configurations, and exfiltrate configuration files. These files contain sensitive information such as internal network addressing, authentication objects, VPN settings, and security policies. In the worst case, this could lead to full compromise of perimeter defenses and enable lateral movement into internal networks.

By correlating network traffic, endpoint behavior, and indicators of compromise, Field Effect MDR detects and blocks exploit attempts, flagging anomalies such as suspicious SAML authentication activity and unauthorized administrative access. Field Effect MDR users will receive an ARO identifying any vulnerable instances, along with remediation guidance.

Recommended mitigation steps:

Because no patch is currently available, nor has Fortinet issued a remediation advisory, organizations are advised to maintain heightened monitoring as well as apply the mitigations below promptly. 

• Disable FortiCloud SSO, where operationally feasible, until the vendor makes more information available.
• Restrict external access to administrative interfaces, including SSO and SSL VPN portals.
• Audit all SSO and administrative accounts, removing unnecessary access and identifying any unauthorized additions or privilege changes.
• Review recent configuration changes to detect malicious modifications to firewall rules, SSL VPN settings, or administrative access controls.
• Enable detailed logging for SSO and administrative authentication events and forward logs to a SIEM for correlation and anomaly detection.
• Implement conditional access or multifactor authentication for SSO accounts used to administer FortiGate devices.
• Rotate credentials stored within FortiGate systems and verify no unauthorized configuration downloads have occurred.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up