Fortinet is currently developing a comprehensive fix for a FortiCloud SSO authentication bypass vulnerability after discovering that attackers are successfully targeting already patched firewalls. The company’s security team identified a new attack path that allows hackers to circumvent existing security updates and gain unauthorized access through manipulated SAML messages.
Fortinet recently disclosed that their security team has identified several instances where the exploit was successful against devices running the most recent software updates. This development suggests that the initial patches were insufficient to block all possible entry points for the authentication bypass. The company's Chief Information Security Officer confirmed that the renewed activity indicates a sophisticated method of circumventing the previous fixes for the known vulnerabilities.
The security issue fundamentally involves a bypass of protections originally designed to address two specific vulnerabilities related to SSO login authentication. If the FortiCloud SSO feature is active on an appliance, an unauthenticated attacker can use specially crafted messages to gain administrative access. Although these issues were thought to be resolved last month, recent reports show that the threat has evolved to bypass those specific remediations.
During these latest incidents, malicious actors have been observed logging into FortiGate appliances using administrative accounts even on systems that were fully updated. This pattern of behavior closely mirrors the unauthorized access events seen in late 2024. Once inside the system, the attackers typically create generic user accounts to maintain a permanent presence and modify settings to grant themselves VPN access.
In addition to gaining persistence, the threat actors have been seen stealing firewall configuration files and sending them to remote IP addresses. Investigators have flagged specific account names, such as cloud-noc and cloud-init, which the attackers use to mask their activities. While current attacks have focused on FortiCloud SSO, the security vendor warned that the underlying logic flaw could potentially affect all types of SAML SSO implementations.
To protect systems while a permanent fix is finalized, Fortinet recommends that administrators take immediate preventative steps. This includes restricting internet-based administrative access through local policies and completely disabling the FortiCloud SSO login feature. By cutting off the vulnerable authentication path, organizations can prevent the current exploit from being used to compromise their network infrastructure.
Source: Fortinet Confirms Active FortiCloud SSO Bypass On Patched FortiGate Firewalls