Fortinet Confirms Active SSO Bypass on Fully Patched FortiGate Firewalls
By: Kian | January 23, 2026 11:30 AM IST
Security Alert: Patched Firewalls Under Siege
Fortinet has confirmed a disturbing new development: hackers are successfully bypassing FortiCloud SSO (Single Sign-On) authentication even on devices running the latest patches. Kian Technologies identifies this as a "New Attack Path" targeting the core authentication logic of FortiOS.
The Attack Signature: How Hackers Gain Persistence
Attackers are using crafted SAML messages to gain administrative access. Once inside, they typically execute a specific playbook:
- Account Creation: Creating rogue accounts like cloud-noc@mail.io for long-term access.
- VPN Modification: Changing configuration to allow persistent VPN tunnels.
- Config Exfiltration: Stealing the entire firewall configuration file to map out internal networks.
Critical Mitigations
Until a comprehensive "new-path" patch is released, Kian Technologies advises these immediate actions:
- Disable FortiCloud SSO: Navigate to System > Settings and turn off "Allow administrative login using FortiCloud SSO."
- Apply Local-In Policies: Restrict administrative access to specific, trusted management IP addresses only.
- Audit Admin Logs: Search for any unauthorized account creations or configuration exports.
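One way to run the log audit from the last mitigation over exported event logs, as an added example (not code from this article or from Fortinet). The key=value field names (`cfgpath`, `cfgobj`, `ui`, `action`, `msg`), the trusted management subnet, the approved-admin inventory and the sample log lines are all assumptions constructed for illustration; map them to the schema your device actually emits.

```python
import ipaddress
import re

TRUSTED_MGMT = [ipaddress.ip_network("10.0.5.0/24")]  # assumed management subnet
APPROVED_ADMINS = {"admin", "netops", "helpdesk2"}     # assumed account inventory
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted value" or key=bare
SRC = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')     # source IP inside ui="GUI(1.2.3.4)"

# Constructed sample events; field names and values are assumptions, not real device output.
SAMPLE_LOG = '''\
date=2026-01-21 time=02:14:07 type="event" user="admin" ui="GUI(198.51.100.23)" action="Add" cfgpath="system.admin" cfgobj="cloud-noc@mail.io" msg="Add system.admin cloud-noc@mail.io"
date=2026-01-21 time=02:15:02 type="event" user="cloud-noc@mail.io" ui="GUI(198.51.100.23)" action="Edit" cfgpath="vpn.ssl.settings" msg="Edit vpn.ssl.settings"
date=2026-01-21 time=02:15:40 type="event" user="cloud-noc@mail.io" ui="GUI(198.51.100.23)" action="backup" msg="System config file has been downloaded"
date=2026-01-21 time=09:02:11 type="event" user="netops" ui="GUI(10.0.5.10)" action="Add" cfgpath="system.admin" cfgobj="helpdesk2" msg="Add system.admin helpdesk2"
date=2026-01-21 time=09:30:00 type="event" user="netops" ui="GUI(10.0.5.10)" action="backup" msg="System config file has been downloaded"
'''

def parse(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return {k: (q if q else bare) for k, q, bare in KV.findall(line)}

def trusted(ui):
    """True only if the session source IP parsed from ui is inside TRUSTED_MGMT."""
    m = SRC.search(ui)
    try:
        ip = ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        ip = None
    return ip is not None and any(ip in net for net in TRUSTED_MGMT)

def audit(log_text):
    """Return (timestamp, finding, detail) for admin creation, VPN edits and config exports."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        ok_src = trusted(ev.get("ui", ""))
        path, action = ev.get("cfgpath", ""), ev.get("action", "").lower()
        when = f'{ev.get("date")} {ev.get("time")}'
        if path == "system.admin" and action == "add":
            if ev.get("cfgobj") not in APPROVED_ADMINS or not ok_src:
                findings.append((when, "admin-created", ev.get("cfgobj")))
        elif path.startswith("vpn.") and not ok_src:
            findings.append((when, "vpn-changed", path))
        elif "backup" in action or "config file" in ev.get("msg", "").lower():
            if ev.get("user") not in APPROVED_ADMINS or not ok_src:
                findings.append((when, "config-export", ev.get("user")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Sessions with no parseable source address are treated as untrusted, so console or unknown-origin changes surface for manual review rather than passing silently.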

5 Comments
Rohan Joshi (24 Jan 2026, 08:30 AM)
I was looking for a clear explanation on BYOVD attacks. This cleared my doubts.
Amit Mehra (24 Jan 2026, 08:30 AM)
Cybersecurity is becoming so complex in 2026. Thanks for simplifying it.
Aravind Sharma (24 Jan 2026, 02:30 AM)
Highly professional content. Will definitely share this with my IT team.
Vikram Singh (24 Jan 2026, 01:30 AM)
Informative content. It is crucial to stay updated with CISA alerts.
Sonal Jain (23 Jan 2026, 01:30 PM)
The BEC campaign targeting the energy sector is alarming. Good catch!