Update: Fortinet Confirms New SAML SSO Issue Under Active Exploitation

Threat summary

On January 22, 2026, Fortinet released new analysis confirming that the recently reported Single Sign On (SSO) based intrusions stem from an unreported issue in the company’s Security Assertion Markup Language (SAML) SSO implementation. According to the vendor, threat actors were able to authenticate through SAML SSO on fully patched FortiOS systems, including devices running version 7.4.10, indicating that the activity cannot be fully explained by previously disclosed vulnerabilities.

Fortinet reported that it has identified the root cause of the SAML SSO issue and is preparing a formal advisory and a fix. At this time, the company has only confirmed active exploitation involving FortiCloud SSO as the identity provider and has verified that FortiOS is impacted. However, Fortinet also stated that the underlying flaw affects other products using the same SAML SSO implementation, though it has not yet released a definitive list of affected platforms.

The company reiterates that the attacks were carried out entirely through legitimate administrative workflows following successful SSO authentication, allowing the threat actor to modify firewall policies, SSL VPN settings, and administrative access controls without deploying malware or exploiting traditional code execution vulnerabilities.

Fortinet also released indicators of compromise associated with the campaign, which align with the malicious administrative activity previously reported by researchers. The vendor recommends disabling FortiCloud SSO where possible, restricting administrative access, auditing all administrator accounts, and reviewing logs for the newly released indicators of compromise. Additional guidance will be published once patches are available.

Insights & recommendations

The report suggests that the risk likely extends to any Fortinet product acting as a SAML Service Provider, because the issue lies in Fortinet’s shared SAML validation process rather than in FortiCloud SSO itself. This includes products such as FortiGate, FortiProxy, and FortiAuthenticator when used in a Service Provider role. These systems rely on external identity providers to send SAML login messages, and the flaw affects how those messages are validated.

Fortinet confirmed that attackers used FortiCloud SSO during the intrusion, but the underlying issue is on the receiving side: FortiOS (and possibly other Service Provider–role products) may incorrectly accept a crafted SAML login message, allowing unauthorized access. In short, FortiCloud SSO was part of the attack path, but the actual vulnerability is in the Service Provider’s validation process, not in how the identity provider issues the login message.

Recommended mitigation steps:

Organizations should review where Fortinet products are using SAML Single Sign‑On, especially any devices acting as a SAML Service Provider such as FortiGate, FortiProxy, or FortiAuthenticator in SP mode. These systems rely on external identity providers for login assertions, and the current issue appears to affect how those assertions are verified. Because of this, any SAML‑based administrative login path should be treated as high‑risk until patches are available.

Until Fortinet releases patches and confirms exactly which products are impacted, teams should closely examine SAML based logins for unusual activity, review administrative access for unexpected changes, and look for signs of tampering or suspicious outbound connections from Fortinet appliances. 

FortiCloud SSO and FortiAuthenticator, when used as identity providers, are likely not directly vulnerable but may still appear in the attack chain, so any authentication activity involving them should be scrutinized. 

Most importantly, organizations should monitor Fortinet’s security updates, as the vendor has stated that a formal advisory, patches, and a definitive list of affected products are forthcoming.

Field Effect’s MDR continuously monitors customer environments for abnormal authentication activity, unexpected administrative access, and signs of SAML misuse long before an attacker can establish persistence. The platform correlates identity related events, network behavior, and device telemetry to spot anomalies such as unusual SSO logins, suspicious configuration changes, or crafted authentication attempts that would otherwise blend into normal traffic. Because Field Effect maintains deep, real-time visibility across endpoints, networks, and cloud services, its analysts can quickly identify and investigate indicators of SAML abuse, isolate affected systems, and block malicious access attempts. Combined with ongoing Field Effect Security Intelligence that tracks techniques like SAML assertion manipulation, the MDR service enables organizations to detect, contain, and respond to this class of attack even before vendor patches or advisories are available.

Field Effect MDR users will receive an ARO identifying any vulnerable instances, along with remediation guidance.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up