Fortinet has admitted that its FortiGate firewalls are still vulnerable to exploits, only a month after patching similar vulnerabilities. After seeing similar upsurge of malicious activity related to SSO exploitations that were recently covered by its FortiCloud service, the affected company identified their FortiCloud service. This is a troubling attack that has serious implications for the security of all devices. Popular opinion held that these devices had been fully patched against known vulnerabilities CVE-2025-59718 and CVE-2025-59719.
Carl Windsor, Fortinet’s Chief Information Security Officer, shared the shocking discoveries in a blog post on Thursday. He shared that the company was seeing more of these generic accounts crop up. These accounts ensured constant access and made it easy to configure accounts to allow VPN access. According to reports, attackers have exfiltrated firewall configurations to their own IP addresses. This indicates a shocking and dangerous violation of security protocols.
Continued Exploitation of FortiCloud SSO
Fortinet is clearly concerned that this FortiCloud SSO continues to be actively abused. They have seen the first malicious logins aimed at admin accounts on devices that had been patched in advance. This indication cannot be understated. Attackers are using more advanced techniques to evade presently deployed security measures.
“It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations,” stated Fortinet. This highlights the deep, far-reaching potential for other sorts of vulnerabilities in all security systems that use SAML SSO.
Historical Context of Vulnerabilities
This recent increase in badness is completely in line with what we experienced back in December. This increase came after the announcement of the pair of install-base vulnerabilities, CVE-2025-59718 and CVE-2025-59719. From the timing of this disclosure, it looks like a concerted effort to take advantage of such weaknesses even after Fortinet’s efforts to protect its devices.
Carl Windsor added, “In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.” This declaration highlights the need for users to be proactive and find ways to protect their networks now.
Recommended Security Measures
Similarly, Fortinet has found these risks. As such, they recommend that users minimize administrative exposure to edge network devices from the internet through the use of a local-in policy. In addition to this, the company advises that organizations disable FortiCloud SSO logins altogether by turning off the feature “admin-forticloud-sso-login”.
Fortinet adopts these measures to maximize security integrity. Through their efforts, they aim to minimize the security risks associated with generic accounts and the possibility of configuration drifts.
