Fortinet continues to combat ongoing SSO admin attacks

Attackers have been targeting various Fortinet products for some time. A functional security update is still missing.


Attackers are still targeting FortiOS, FortiManager, and FortiAnalyzer with FortiCloud SSO login enabled, creating admin accounts. This allows them to gain full control over devices. A functional security patch is not yet available. However, devices are said to be temporarily protected by a server-side setting from Fortinet.

FortiCloud SSO is not active by default. Caution: If administrators register devices via FortiCare, SSO is automatically activated. Fortinet has been struggling with “critical” SSO vulnerabilities (CVE-2025-59718, CVE-2025-59719) since last December and has released security patches. Attacks have been occurring since then.

In January, it became apparent that attackers could bypass the security updates and continue to attack devices. Fortinet has now published a post with background information on the ongoing attacks. Among other things, administrators can find indicators of compromise (IoCs) there to identify instances that have been attacked.

Additionally, the company has published a security advisory and included a new zero-day vulnerability (CVE-2026-24858, “critical”) in the context of the SSO attacks.

Attackers exploit the vulnerability with crafted SAML requests, bypassing authentication. Fortinet points out that they have currently observed attacks in the context of FortiCloud SSO, but the security issue applies to all SAML SSO implementations.

According to Fortinet, security patches are under development. However, it is unclear when they will be released. To mitigate the risk until updates are available, Fortinet states that they have blocked FortiCloud SSO access for vulnerable devices. Consequently, administrators no longer need to manually disable SSO login as previously recommended.


According to the company, FortiAnalyzer 6.4, FortiManager 6.4, and FortiOS 6.4 are not vulnerable based on current knowledge. FortiProxy 7.0 and 7.2 will not receive security updates; an upgrade is necessary in this case. Whether FortiSwitch Manager and FortiWeb are affected is still under investigation. Further information on the announced security patches can be found in the security advisory.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.