1-855-263-7328
Security Portal Login
1-855-263-7328
Security Portal Login

Critical Enterprise Risk

In today’s interconnected enterprise environments, firewalls represent the first and last line of defense. They sit at the network perimeter, enforce access controls, inspect traffic, and protect critical internal systems.

Yet, in the last 24 hours, a serious and unsettling security development has emerged:

Fortinet FortiGate firewalls are being actively compromised through a FortiCloud SSO authentication bypass-including devices that are fully patched and up to date.

This is not a theoretical vulnerability. This is active exploitation in the wild.

What’s Happening: The Latest Threat Intelligence

Fortinet has confirmed that attackers are abusing a FortiCloud Single Sign-On (SSO) authentication bypass to gain unauthorized administrative access to FortiGate appliances.

What makes this incident particularly dangerous is that:

  • The attacks are succeeding even on patched systems
  • Exploitation appears automated and fast-moving
  • Attackers are leaving behind persistent administrative backdoors

Once access is obtained, threat actors have been observed:

  • Creating rogue admin accounts
  • Exporting firewall configuration data
  • Modifying security policies
  • Establishing persistence for future access
  • Potentially pivoting into VPN and internal networks

Multiple independent security researchers and incident responders have now confirmed real-world compromises, not lab demonstrations.

Why This Is a Critical Enterprise Risk

1. Firewalls Are High-Impact Assets

A compromised firewall is not just another endpoint.

It allows attackers to:

  • Observe and manipulate network traffic
  • Weaken or disable security controls
  • Expose internal systems
  • Enable lateral movement across environments

One compromised FortiGate can undermine the entire security architecture behind it.

2. “Patched” No Longer Means “Safe”

Fortinet previously released fixes addressing FortiCloud SSO bypass vulnerabilities. However, recent activity indicates that:

  • Remediation may be incomplete
  • Alternative authentication paths are being abused
  • Certain configurations remain exploitable when FortiCloud SSO is enabled

This breaks a long-standing assumption in security operations:

That patching alone equals risk elimination

In modern attacks, it doesn’t.

3. Attacks Are Automated and Scalable

Evidence suggests attackers are using scripts to:

  • Scan for exposed FortiGate devices
  • Perform SSO bypasses in seconds
  • Create admin accounts automatically
  • Exfiltrate sensitive configuration data

This drastically reduces attacker effort and increases victim count - a dangerous combination.

Immediate Actions Security Teams Should Take

This is not a “monitor and wait” situation. Immediate action is required.

1. Identify FortiCloud SSO Usage

Inventory all FortiGate devices and determine where FortiCloud SSO is enabled. This feature is currently the primary attack vector.

2. Disable FortiCloud SSO Where Possible

If business operations allow, temporarily disable FortiCloud SSO until Fortinet confirms full remediation.

3. Patch Aggressively-But Don’t Stop There

Ensure all devices are running the latest Fortinet-recommended firmware, while recognizing that patching alone may not be sufficient.

4. Lock Down Administrative Access

  • Remove public exposure of admin interfaces
  • Restrict access to trusted internal IPs
  • Use jump hosts and segmented management networks

5. Hunt for Indicators of Compromise

Specifically look for:

  • Unexpected admin accounts
  • Suspicious SSO login events
  • Configuration exports
  • Firewall rule changes
  • New or modified VPN access

Early detection is the difference between containment and full compromise.

What This Incident Teaches the Security Community

This FortiGate campaign reinforces a hard truth:

Security is no longer about fixing individual vulnerabilities-it’s about reducing attack paths.

Authentication features like SSO improve usability, but they also:

  • Expand the attack surface
  • Create single points of failure
  • Become high-value targets for adversaries

“Patched equals secure” is an outdated mindset.

Security teams must assume:

  • Attackers will find bypasses
  • Controls can fail silently
  • Continuous monitoring is non-negotiable
Final Thought

This is not just a Fortinet issue. It’s a reminder that perimeter trust, authentication assumptions, and convenience-driven configurations must be constantly re-evaluated.

Attackers are fast. They adapt quickly. And they exploit what we trust most.

Stay alert. Reduce exposure. Monitor relentlessly.

About COE Security

COE Security supports organizations across finance, healthcare, government, consulting, technology, real estate, and SaaS.

We help reduce SaaS, identity, and infrastructure risk through:

  • Threat detection & response
  • Cloud and network security
  • Identity and access risk reduction
  • Secure development practices
  • Compliance and GRC advisory
  • Security assessments and resilience programs

Follow COE Security on LinkedIn to stay cyber-safe and resilient.

Click to read our LinkedIn feature article