Posted inSafety Toolbox Talk

FortiCloud SSO Bypass Toolbox Talk 2026

forticloud sso bypass

Meeting details

Date: January 23, 2026

Topic: FortiCloud SSO Bypass Vulnerabilities

Goal: This toolbox talk on forticloud sso bypass will review the Fortinet FortiCloud SSO Bypass Incident and prevent similar security breaches in 2026.

The incident: what happened?

Fortinet identified a new attack path exploiting forticloud sso bypass vulnerabilities, specifically CVE-2025-59718 and CVE-2025-59719, in upgraded FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices with FortiCloud SSO enabled. These flaws were initially discovered through an internal code audit in December, with the advisory published prior to January 23, 2026. Attackers gained unauthenticated access by crafting malicious SAML requests, and there was evidence of active exploitation even on fully patched systems. Suspicious logins originated from accounts such as cloud-noc@mail.io and cloud-init@mail.io, routed through IP addresses including 104.28.244.115, 104.28.212.114, 37.1.209.19, and 217.119.139.50—some protected by Cloudflare infrastructure.

Following initial access, threat actors established persistence by creating local administrator accounts with names mimicking legitimate roles, such as audit, backup, itadmin, secadmin, or support. This incident highlights how internet-exposed admin interfaces on these devices enabled remote exploits from shifting attacker infrastructure, turning a seemingly secure, upgraded product into a gateway for unauthorized control. The forticloud sso bypass chain allowed attackers to bypass authentication entirely, underscoring the dangers of misconfigured SSO features in critical network security appliances.

Core safety lesson

Fortinet’s internal audit revealed critical flaws in the SSO implementation, where crafted SAML requests tricked the system into granting access without proper verification. Even upgraded and patched devices were vulnerable, proving that software updates alone do not eliminate all risks from flawed authentication paths.

The Hazard 1: Unauthenticated SSO bypass via crafted SAML requests, allowing attackers to gain initial access on FortiCloud-enabled devices.

The Control 1: Immediately disable the FortiCloud SSO feature and implement local-in policies to restrict admin interface access to trusted IPs only.

This control is non-negotiable because it severs the primary attack vector at the source. Relying on SSO convenience exposes systems to remote exploitation from any internet-connected IP, as seen with the listed attacker IPs. By disabling it and whitelisting trusted sources, supervisors ensure that only verified internal networks can reach admin portals, preventing forticloud sso bypass attempts entirely.

The Hazard 2: Post-authentication creation of rogue admin accounts named audit, backup, itadmin, secadmin, or support for persistence.

The Control 2: Audit all admin accounts for unauthorized entries, restore from known clean configurations, and rotate all credentials, including LDAP/AD-linked ones.

Account proliferation is a classic persistence tactic; without rigorous auditing, attackers maintain backdoors indefinitely. This control enforces zero-trust verification, restoring integrity and forcing credential refreshes to evict intruders.

The Hazard 3: Internet-exposed admin interfaces enabling remote exploits from any IP.

The Control 3: Enforce out-of-band (non-Internet) admin access as best practice, and upgrade to the latest firmware like FortiOS 7.6 for enhanced security features.

Public exposure is the root enabler of forticloud sso bypass; shifting to isolated management networks eliminates this, while firmware upgrades patch evolving threats. These layered defenses are essential for site reliability in 2026.

Supervisor’s discussion guide

Lead a 3-5 minute crew discussion using these questions to reinforce awareness:

  1. Q1: “Looking at our own equipment today, where is the biggest risk of forticloud sso bypass or similar authentication flaws?”
  2. Q2: “Have we audited our admin accounts recently, and what suspicious names like ‘audit’ or ‘itadmin’ might indicate compromise?”
  3. Q3: “Which of our network devices have internet-exposed admin interfaces, and how can we enforce out-of-band access?”
  4. Q4: “What steps will we take today to disable unnecessary SSO features and restrict access to trusted IPs?”

Action plan & inspection

Conduct these 5 immediate checks post-meeting and document completion:

  • Disable FortiCloud SSO on all affected FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices.
  • Implement local-in policies restricting admin access to trusted IPs only; test from an untrusted IP to verify denial.
  • Audit all admin accounts, delete any unauthorized ones (e.g., audit, backup, itadmin, secadmin, support), and rotate credentials.
  • Verify no internet-exposed admin interfaces; migrate to out-of-band management where possible.
  • Upgrade firmware to the latest versions (e.g., FortiOS 7.6) and review logs for suspicious logins from IPs like 104.28.244.115 or accounts like cloud-noc@mail.io.

Key takeaways

The Fortinet forticloud sso bypass incident demonstrates that even upgraded, patched security devices can fall to crafted authentication exploits if core features like SSO are not hardened. Supervisors must prioritize disabling high-risk features, auditing accounts, and isolating admin access to prevent unauthenticated entry and rogue persistence. These controls transform potential vulnerabilities into fortified defenses, ensuring operational continuity.

In 2026, proactive measures like trusted IP policies, credential rotations, and out-of-band management are non-negotiable for every site. By addressing forticloud sso bypass risks head-on, we safeguard against real-world threats evidenced by attacker IPs and tactics, fostering a culture of vigilance that protects our networks and teams.

Source & Disclaimer: This toolbox talk is for educational purposes based on public report. Read Original Report