Full Report
Fix didn't quite do the job – attackers spotted logging in Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date.…
Analysis Summary
# Vulnerability: Bypass of Fortinet FortiCloud SSO Authentication Patch
## CVE Details
- CVE ID: Not explicitly provided in the text (likely related to a previously patched CVE based on context).
- CVSS Score: Not explicitly provided in the text.
- CWE: Related to Authentication Bypass/Improper Authentication.
## Affected Systems
- Products: FortiOS (implying FortiGate firewalls utilizing SAML SSO).
- Versions: Systems that had already applied the **December patch** for the previous SSO authentication flaw. Specific vulnerable versions for this *new* bypass path are not yet specified.
- Configurations: SAML-based Single Sign-On (SSO) implementations, explicitly noted as applicable to **all SAML SSO implementations**, not just FortiCloud SSO.
## Vulnerability Description
Attackers have discovered a **fresh attack path** allowing them to bypass the security measures implemented in the December patch designed to fix a critical FortiCloud SSO authentication flaw. This allows threat actors to abuse SAML-based SSO functionality, leading to unauthorized logins. This bypass has been confirmed active against systems running the vendor's latest available release at the time of the attack.
## Exploitation
- Status: **Exploited in the wild** (Attackers are actively bypassing the previous fix).
- Complexity: Implied as **Low to Medium** due to reports of automated activity ("spinning up VPN-enabled accounts and ripping out firewall configuration files in a matter of seconds").
- Attack Vector: **Network** (via compromised SSO accounts/SAML implementation).
## Impact
- Confidentiality: **High** (Attackers exfiltrated configuration files).
- Integrity: **High** (Attackers altered firewall settings and created backdoor admin users).
- Availability: **Medium** (Potential for service disruption or configuration tampering impacts availability).
## Remediation
### Patches
- No new specific patch version is available yet. Fortinet is investigating and **working on a new fix**. An advisory detailing the scope and timeline will be issued once available.
### Workarounds
- Review authentication logs for any unexpected login activity.
- Restrict exposure of the management interface.
- Closely monitor changes to administrator accounts.
## Detection
- **Indicators of Compromise (IoCs):** Unexpected or suspicious login activity on SSO-integrated devices.
- **Detection methods and tools:** Review of authentication logs for anomalies; monitoring for rapid configuration changes using compromised SSO accounts.
## References
- Vendor Advisory: Fortinet advisory published detailing investigation: `https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios`