Fortinet confirms critical FortiCloud auth bypass not fully patched

Recorded: Jan. 23, 2026, 12:05 p.m.

Original

News

Featured
Latest

Curl ending bug bounty program after flood of AI slop reports

INC ransomware opsec fail allowed data recovery for 12 US orgs

Cisco fixes Unified Communications RCE zero day exploited in attacks

Hackers exploit 29 zero-days on second day of Pwn2Own Automotive

Fortinet confirms critical FortiCloud auth bypass not fully patched

Okta SSO accounts targeted in vishing-based data theft attacks

This $35 Swifdoo PDF editor license lasts for life

Curl ending bug bounty program after flood of AI slop reports

Tutorials

Latest
Popular

How to access the Dark Web using the Tor Browser

How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

How to use the Windows Registry Editor

How to backup and restore the Windows Registry

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Webinars
Downloads

Latest
Most Downloaded

Qualys BrowserCheck

STOPDecrypter

AuroraDecrypter

FilesLockerDecrypter

AdwCleaner

ComboFix

RKill

Junkware Removal Tool

Deals

Categories

eLearning

IT Certification Courses

Gear + Gadgets

Security

VPNs

Popular

Best VPNs

How to change IP address

Access the dark web safely

Best VPN for YouTube

Forums
More

Virus Removal Guides
Startup Database
Uninstall Database
Glossary
Send us a Tip!
Welcome Guide

HomeNewsSecurityFortinet confirms critical FortiCloud auth bypass not fully patched

Fortinet confirms critical FortiCloud auth bypass not fully patched

By Sergiu Gatlan

January 23, 2026
05:39 AM
0

Days after admins began reporting that their fully patched firewalls are being hacked, Fortinet confirmed it's working to fully address a critical FortiCloud SSO authentication bypass vulnerability that should have already been patched since early December.
This comes after a wave of reports from Fortinet customers about threat actors exploiting a patch bypass for the CVE-2025-59718 vulnerability to compromise fully patched firewalls.
Cybersecurity company Arctic Wolf said on Wednesday that the campaign began on January 15, with attackers creating accounts with VPN access and stealing firewall configurations within seconds, in what appear to be automated attacks. It also added that the attacks are very similar to incidents it documented in December, following the disclosure of the CVE-2025-59718 critical vulnerability in Fortinet products.

On Thursday, Fortinet finally confirmed these reports, stating that ongoing CVE-2025-59718 attacks match December's malicious activity and that it's now working to fully patch the flaw.
Affected Fortinet customers have also shared logs showing that the attackers created admin users after an SSO login from cloud-init@mail.io on IP address 104.28.244.114, which match indicators of compromise detected by Arctic Wolf while analyzing ongoing FortiGate attacks and December in-the-wild exploitation, as well as those shared by Fortinet on Thursday.
"Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue. However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path," said Fortinet Chief Information Security Officer (CISO) Carl Windsor.
"Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline is available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations."
Fortinet: Restrict admin access, disable FortiCloud SSO
Until Fortinet fully addresses the CVE-2025-59718 vulnerability, Windsor advised customers to restrict administrative access to their edge network devices via the Internet by applying a local-in policy that limits the IP addresses that can access the devices' administrative interfaces.
Admins should also disable the FortiCloud SSO feature on their Fortinet devices by going into System -> Settings -> Switch and toggling off the "Allow administrative login using FortiCloud SSO" option.
Fortinet customers who detect any of the IOCs while checking their devices for post-exploitation evidence are advised to treat "the system and configuration as compromised," rotate credentials (including any LDAP/AD accounts), and restore their configuration with a known clean version.
Internet security watchdog Shadowserver now tracks nearly 11,000 Fortinet devices exposed online that have FortiCloud SSO enabled. CISA also added CVE-2025-59718 to its list of actively exploited vulnerabilities on December 16 and ordered federal agencies to patch within a week.
BleepingComputer reached out to Fortinet several times this week with questions about these ongoing attacks, but the company has yet to respond.

The 2026 CISO Budget Benchmark
It's budget season! Over 300 CISOs and security leaders have shared how they're planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
Download Now

Related Articles:
Hackers breach Fortinet FortiGate devices, steal firewall configsHackers exploit newly patched Fortinet auth bypass flawsFortinet warns of critical FortiCloud SSO login auth bypass flawsOver 25,000 FortiCloud SSO devices exposed to remote attacksSmarterMail auth bypass flaw now exploited to hijack admin accounts

Actively Exploited
Authentication Bypass
Bypass
FortiCloud
Fortinet
Single Sign-On
SSO

Sergiu Gatlan
Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Previous Article
Next Article

Popular Stories

Fortinet admins report patched FortiGate firewalls getting hacked

Hackers breach Fortinet FortiGate devices, steal firewall configs

Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026

Sponsor Posts

Identity Governance & Threat Detection in one: Get a guided tour of our platform

Overdue a password health-check? Audit your Active Directory for free

Discover how phishing kits are sold and deployed. Download the full research report.

Upcoming Webinar

Main Sections

News
Webinars
VPN Buyer Guides
SysAdmin Software Guides
Downloads
Virus Removal Guides
Tutorials
Startup Database
Uninstall Database
Glossary

Community

Forums
Forum Rules
Chat

Useful Resources

Welcome Guide
Sitemap

Company

About BleepingComputer
Contact Us
Send us a Tip!
Advertising
Write for BleepingComputer
Social & Feeds
Changelog

Username

Password

Remember Me

Not a member yet? Register Now

Reporter

Help us understand the problem. What is going on with this comment?

Spam

Abusive or Harmful

Inappropriate content

Strong language

Other

Read our posting guidelinese to learn what content is prohibited.

Submitting...
SUBMIT

Fortinet is currently grappling with a critical security vulnerability affecting its FortiCloud SSO authentication system. The issue, initially flagged as CVE-2025-59718, has seen threat actors successfully exploiting fully patched FortiGate firewalls through a bypass mechanism. Cybersecurity firm Arctic Wolf first identified the campaign beginning on January 15, 2026, where attackers rapidly gained access to firewall configurations by leveraging VPN accounts and automating attacks. This occurred despite the devices having been updated to the latest release.

Fortinet confirmed these reports on Thursday, January 23, 2026, stating that the attacks closely mirrored previous activity linked to the same vulnerability, which was disclosed in December. The attackers were able to create administrative user accounts utilizing an SSO login from the IP address 104.28.244.114, mirroring indicators of compromise identified by Arctic Wolf and previously reported by Fortinet.

Chief Information Security Officer (CISO) Carl Windsor advised affected customers to immediately implement defensive measures, including restricting administrative access to edge network devices via a local-in policy, limiting access to specific IP addresses, and disabling the FortiCloud SSO feature through System -> Settings -> Switch, toggling off the “Allow administrative login using FortiCloud SSO” option. Windsor further instructed customers to treat any compromised systems as such, rotate credentials, and restore their configuration via a known clean version.

Shadowserver currently tracks approximately 11,000 Fortinet devices exposed online with FortiCloud SSO enabled. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its list of actively exploited vulnerabilities on December 16, 2026, and ordered federal agencies to patch the system within a week. BleepingComputer has been attempting to obtain a response from Fortinet regarding these ongoing attacks, but as of yet, the company has not provided a direct response.

This vulnerability highlights a serious flaw in the security architecture of Fortinet's cloud-based services, necessitating immediate action by users to mitigate the risk of unauthorized access and data compromise. The situation underscores the importance of continuously monitoring security systems, promptly applying patches, and implementing robust access control measures, particularly for services relying on cloud-based authentication. The incident’s timeline, with the initial disclosure in December and subsequent exploitation commencing in January, illustrates the critical need for rapid responses to emerging vulnerabilities within the cybersecurity landscape.