
"However, earlier this week, reports emerged of renewed activity in which malicious SSO logins on FortiGate appliances were recorded against the admin account on devices that had been patched against the twin vulnerabilities. The activity involves the creation of generic accounts for persistence, making configuration changes granting VPN access to those accounts, and the exfiltration of firewall configurations to different IP addresses."
"The threat actor has been observed logging in with accounts named "cloud-noc@mail.io" and "cloud-init@mail.io." As mitigations, the company is urging the following actions -
- Restrict administrative access of edge network device via the internet by applying a local-in policy
- Disable FortiCloud SSO logins by disabling "admin-forticloud-sso-login""
"It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations,"
Fortinet confirmed ongoing efforts to address a FortiCloud SSO authentication bypass after exploitation was detected against fully patched FortiGate devices. The bypass subverts the patches for CVE-2025-59718 and CVE-2025-59719, allowing an unauthenticated SSO login via crafted SAML messages when FortiCloud SSO is enabled. Attackers have used the flaw to log in to the admin account, create generic accounts for persistence, modify the configuration to grant those accounts VPN access, and exfiltrate firewall configurations to external IP addresses. Observed attacker account names include cloud-noc@mail.io and cloud-init@mail.io. Fortinet recommends restricting administrative access from the internet with local-in policies and disabling FortiCloud SSO logins via the admin-forticloud-sso-login setting.
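The two recommended mitigations expressed as FortiOS CLI, added here as an illustration rather than taken from the article or from Fortinet's own advisory text; the interface name "wan1", the address object "MGMT_HOSTS", and the exact local-in-policy attribute names are assumptions to be verified against the FortiOS version in use, and the first stanza shows the exposed setting only for contrast.

```text
# Exposed state (for contrast only): FortiCloud SSO admin login enabled,
# so a crafted SAML message can reach the admin account from the internet.
config system global
    set admin-forticloud-sso-login enable
end

# Mitigation 1: disable FortiCloud SSO logins on the appliance.
config system global
    set admin-forticloud-sso-login disable
end

# Mitigation 2: local-in policy on the internet-facing interface.
# Policies are evaluated in ID order: allow the management hosts first,
# then deny all other sources for the admin services (HTTPS, SSH).
# "wan1" and "MGMT_HOSTS" are assumed names; replace with the real ones.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_HOSTS"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

After applying the local-in policy, confirm from a management host that administrative access still works before closing the session, since a mis-ordered deny rule locks out the operator as well as the attacker.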
Read at The Hacker News