
A widespread and dangerous belief has been circulating in the security world for years: “if it’s patched, it’s safe”. The case of FortiCloud SSO administrative access to FortiGate devices demonstrates, once again, that this statement is not only incomplete but, in some contexts, profoundly misleading.
From December 2025 to today, we have in fact been observing real-world compromises of fully patched FortiGate firewalls, characterized by malicious configuration changes, creation of persistent administrative accounts, and exfiltration of configuration files. All this without resorting to new zero-days or particularly noisy attack techniques.
The vector is not unknown. It is known, documented, and—most importantly—still operational: FortiCloud SSO.
In early December 2025, two critical vulnerabilities were disclosed: CVE-2025-59718 and CVE-2025-59719.
Both enable an authentication bypass in the FortiCloud SSO mechanism, allowing an unauthenticated remote actor to gain administrative access to FortiOS devices when cloud SSO is enabled.
Fortinet released the official patches on December 9, 2025, assigning the vulnerabilities a CVSS score of 9.8. The message was clear: update immediately. But, as often happens, operational reality followed a different path.
According to researchers at Arctic Wolf, malicious SSO login activity began appearing almost immediately after public disclosure, in some cases before many organizations had a chance to patch.
This is a crucial step, because it marks a watershed moment: cloud management becomes a privileged access vector, independent of the traditional exposure of local management interfaces.
From January 15, 2026, again according to Arctic Wolf, the phenomenon evolved markedly: no longer isolated events, but a structured and automated campaign.
The observed pattern is as follows:
This all happens in a few seconds, in a sequence that clearly suggests the use of scripts to automate the attack.
Arctic Wolf makes it clear in no uncertain terms:
It is not known at this time whether the latest threat activity observed is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719.
This explains why many affected organizations claim to have:
Yet the firewall is modified “from the inside”, with administrative privileges.
FortiCloud SSO was created to simplify management and support activities and is, in the perception of many administrators, a reliable and secure tool by definition, because it is provided directly by the vendor and natively integrated into the product.
Precisely for this reason, when it remains active without adequate hardening, it tends not to be treated as the truly critical administrative access channel that it is.
In fact, FortiCloud SSO exposes cloud-based access with elevated privileges, often not limited by IP address, rarely subject to stringent controls, and, above all, less monitored than traditional local management interfaces. Not because it is considered “weak,” but because it is perceived as intrinsically trusted.
The result is that the attacker doesn’t have to force access: he simply uses it.
And it is precisely this apparent legitimacy, combined with the implicit trust in the cloud channel, that makes the vector so effective and so difficult to identify during detection.
Data from the Shadowserver Foundation helps put the scale of the problem into perspective:
We’re not talking about test environments or forgotten labs. We’re talking about perimeter firewalls in production, often in enterprise, MSP, and public administration contexts.

For Indicators of Compromise (IoCs) associated with this campaign — including malicious SSO login patterns, persistent administrative account creation, configuration change sequences, and exfiltration events — please refer directly to the technical analysis published by Arctic Wolf, which provides a detailed and up-to-date list based on real-world observations.
Given the rapidly evolving and automated nature of the activity, relying on the primary source helps avoid duplication and keeps detection aligned with the most recent indicators.
From an immediate mitigation perspective, Fortinet has provided a temporary workaround for the CVE-2025-59718 and CVE-2025-59719 vulnerabilities, which is also relevant in light of the activity currently observed involving administrative access via FortiCloud SSO.
If FortiCloud SSO is enabled, it may be appropriate to temporarily disable it until definitive remediation guidance is available.
Disabling FortiCloud SSO from the CLI
config system global
    set admin-forticloud-sso-login disable
end
Since the initial login mechanism is not yet fully understood, it is not possible to state with certainty that this workaround is fully effective against all variants of the ongoing campaign. However, disabling cloud SSO significantly reduces the attack surface and disrupts one of the main vectors observed so far.
Pending further clarification from the vendor, reducing exposure remains the most rational measure, to be combined with auditing activities, log monitoring, and a review of administrative access.
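The workaround and the administrative-access review above can be checked offline against a configuration backup. The following is an added example (not Fortinet's tooling): it parses the FortiOS config/edit/set/next/end structure from a constructed backup, reports whether the FortiCloud SSO admin login is still enabled, and lists administrator accounts without a trusthost (source IP) restriction; the accprofile and trusthostN attribute names are assumed to match the usual FortiOS layout.

```python
# Added example (not Fortinet's tooling): audit a FortiOS configuration backup for
# the FortiCloud SSO admin-login setting and for admin accounts with no trusthost
# restriction. The backup text is constructed; accprofile/trusthostN are assumed.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
end
"""

def parse_fortios(text: str) -> dict:
    """Minimal parser for FortiOS config/edit/set/next/end nesting."""
    tree: dict = {}
    stack: list = []
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "config":           # open a section (may nest inside an edit)
            parent = stack[-1] if stack else tree
            stack.append(parent.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":           # open a table entry, e.g. edit "admin"
            stack.append(stack[-1].setdefault(tok[1].strip('"'), {}))
        elif tok[0] in ("next", "end"):  # close the current entry / section
            stack.pop()
        elif tok[0] == "set":            # attribute -> list of its values
            stack[-1][tok[1]] = [t.strip('"') for t in tok[2:]]
    return tree

def audit(tree: dict) -> list:
    """Return findings: SSO login state, then admins lacking trusthost limits."""
    findings: list = []
    sso = tree.get("system global", {}).get("admin-forticloud-sso-login")
    if sso is None:  # backups omit default values, so absence is not "disabled"
        findings.append("admin-forticloud-sso-login absent from backup: firmware default applies, verify on the device")
    elif sso[0] == "enable":
        findings.append("FortiCloud SSO admin login enabled: apply 'set admin-forticloud-sso-login disable'")
    for name, attrs in tree.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in attrs):
            profile = attrs.get("accprofile", ["?"])[0]
            findings.append(f"admin '{name}' ({profile}) has no trusthost restriction")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_fortios(SAMPLE_CONFIG))))
```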
This case highlights a broader, structural problem: the attack surface has shifted to cloud management, “legitimate” access has become the new vector, and the obsessive focus on CVEs obscures configuration-level risk.
The FortiGate / FortiCloud SSO case is not an anomaly. It is a clear sign that cloud management is becoming the new perimeter to defend. Attacks no longer come from exploits alone. They come from forgotten logins, from services left running, from blind reliance on patching. And, as often happens, Shadowserver numbers arrive long before incident reports.
