Fortinet admits FortiGate SSO bug still exploitable despite December patch
Summary
Fortinet has confirmed that attackers are still able to bypass a December patch for a critical SAML-based single sign-on (SSO) authentication flaw affecting FortiOS, after customers reported unexpected logins on supposedly patched devices. The vendor says it has identified an alternate attack path being used against FortiCloud SSO and is investigating a fix; exploitation so far appears automated and has resulted in firewall reconfiguration, creation of backdoor admin accounts and exfiltration of configuration files.
Key Points
- Fortinet acknowledged active exploitation of a FortiCloud SSO vulnerability despite a December patch for the original flaw.
- Investigators identified a new attack path abusing SAML-based SSO in FortiOS, impacting systems thought to be up to date.
- Observed attacker activity (from around 15 January) included rapid creation of VPN-enabled accounts, exfiltration of firewall configurations and addition of admin users, a tempo that suggests automation rather than hands-on-keyboard activity.
- Arctic Wolf and other responders noted the campaign resembles incidents seen following the December disclosure.
- Fortinet warns the underlying weakness applies to all SAML SSO implementations, not just FortiCloud SSO.
- Fortinet is working on a remediation and will issue an advisory when scope and timeline are clear; technical details of the new attack path have not been published yet.
- Interim mitigations: review authentication logs for unusual activity, restrict management-interface exposure and monitor changes to administrator accounts.
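The post-exploitation pattern in the key points above (an SSO login followed within seconds by new admin accounts, new VPN users and further config changes) is something you can hunt for in exported FortiGate event logs. The script below is an added example and is not code from The Register or from Fortinet. It assumes FortiOS-style key=value event lines with the field names shown (date, time, action, cfgpath, cfgobj, user, ui, method, status); the sample lines, IP addresses, usernames, the `method="sso"` value and the burst thresholds are all constructed for this example, so check them against your own log export before relying on the rules.

```python
"""Triage of FortiGate-style event logs for the pattern described in the article.

Added example, not Fortinet's or The Register's code. Sample lines are constructed;
they approximate the FortiOS key=value event-log layout (assumption), and the
thresholds are arbitrary starting points.
"""
import re
from datetime import datetime, timedelta

# key=value pairs, quoted ("...") or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample (assumption: approximates FortiOS event logs; values are made up).
SAMPLE_LOGS = [
    # Routine admin work: one login, one change, minutes apart.
    'date=2026-01-15 time=02:40:11 type="event" subtype="system" action="login" status="success" method="https" user="netops" ui="https(10.0.0.5)" msg="Administrator netops logged in"',
    'date=2026-01-15 time=02:47:30 type="event" subtype="system" action="Edit" cfgpath="firewall.policy" cfgobj="12" user="netops" ui="https(10.0.0.5)" msg="Edit firewall.policy 12"',
    # Suspicious: SSO login, then admin/VPN account creation and config edits within seconds.
    'date=2026-01-15 time=03:12:01 type="event" subtype="system" action="login" status="success" method="sso" user="admin" ui="https(203.0.113.10)" msg="Administrator admin logged in"',
    'date=2026-01-15 time=03:12:04 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="support_tmp" cfgattr="accprofile[super_admin]" user="admin" ui="https(203.0.113.10)" msg="Add system.admin support_tmp"',
    'date=2026-01-15 time=03:12:05 type="event" subtype="system" action="Add" cfgpath="user.local" cfgobj="vpnsvc" user="admin" ui="https(203.0.113.10)" msg="Add user.local vpnsvc"',
    'date=2026-01-15 time=03:12:06 type="event" subtype="system" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[vpnsvc]" user="admin" ui="https(203.0.113.10)" msg="Edit user.group sslvpn_users"',
    'date=2026-01-15 time=03:12:07 type="event" subtype="system" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="settings" user="admin" ui="https(203.0.113.10)" msg="Edit vpn.ssl.settings"',
]

USER_PATHS = ("user.local", "user.group")   # VPN/local user objects worth flagging
BURST_WINDOW = timedelta(seconds=30)        # assumption: tune to your environment
BURST_MIN_CHANGES = 3                       # assumption: tune to your environment


def parse_line(line):
    """Parse one key=value event line into a dict and attach a datetime under 'ts'."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def triage(lines):
    """Return sorted (timestamp, source, finding) tuples for the suspicious patterns."""
    events = [parse_line(line) for line in lines]
    findings, logins = [], []
    for e in events:
        src = e.get("ui", "?")
        if e.get("action") == "login" and e.get("status") == "success":
            logins.append(e)
            if e.get("method") == "sso":   # SSO-sourced admin sessions deserve a look
                findings.append((e["ts"], src, f'sso admin login as {e.get("user")}'))
        elif e.get("action") == "Add" and e.get("cfgpath") == "system.admin":
            findings.append((e["ts"], src, f'admin account added: {e.get("cfgobj")}'))
        elif e.get("cfgpath", "").startswith(USER_PATHS):
            findings.append((e["ts"], src, f'{e["action"].lower()} {e["cfgpath"]} {e.get("cfgobj")}'))
    # Burst rule: many config changes from the same source shortly after its login.
    for login in logins:
        src = login.get("ui")
        changes = [e for e in events
                   if e.get("ui") == src and e.get("cfgpath")
                   and login["ts"] <= e["ts"] <= login["ts"] + BURST_WINDOW]
        if len(changes) >= BURST_MIN_CHANGES:
            findings.append((login["ts"], src,
                             f'{len(changes)} config changes within {BURST_WINDOW.seconds}s of login (automation?)'))
    return sorted(findings)


if __name__ == "__main__":
    for ts, src, finding in triage(SAMPLE_LOGS):
        print(ts, src, finding)
```

On the constructed sample the script flags only the 203.0.113.10 session: the SSO login, the new `system.admin` object, the new local user and its group membership, and the burst of four changes inside thirty seconds; the netops session is not reported. The burst rule is deliberately source-based rather than user-based, because the observed activity runs under a legitimate-looking admin identity; what distinguishes it is the cadence and the origin.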
Context and relevance
This story matters because FortiGate firewalls are widely deployed at enterprise edges and in service-provider networks. An SSO authentication bypass that survives a patch raises the risk of widespread, rapid compromise, particularly when attackers automate config harvesting and create persistent backdoor accounts. Fortinet's warning that the issue applies to all SAML SSO implementations broadens the potential impact beyond customers who use FortiCloud SSO to any deployment that relies on SAML SSO, and feeds ongoing concerns about SSO/SAML attack surfaces and supply-chain style exposure in security infrastructure itself.
Author style
Punchy — critical development, active exploitation, and a vendor scramble to close a new attack path. Read the detail if you manage network security, infra or identity; the implications are immediate and operational.
Why should I read this?
Short version: patching once didn’t cut it and attackers are still getting in. If you run FortiGates (or rely on SAML SSO), this affects you now — check your logs, lock down management access and keep an eye out for Fortinet’s follow-up advisory. We’ve skimmed the noise so you don’t have to.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/23/fortinet_fortigate_patch/
