Full Report
Security failures rarely arrive loudly. They slip in through trusted tools, half-fixed problems, and habits people stop questioning. This week’s recap shows that pattern clearly. Attackers are moving faster than defenses, mixing old tricks with new paths. “Patched” no longer means safe, and every day, software keeps becoming the entry point. What follows is a set of small but telling signals.
Analysis Summary
This summary focuses only on vulnerability information explicitly detailed in the provided text.
# Vulnerability: Incomplete Patch for Fortinet SSO Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-59718, CVE-2025-59719 (Mentioned together as the basis for the new exploitation)
- CVSS Score: Not specified
- CWE: Not specified
## Affected Systems
- Products: Fortinet Firewalls (specifically regarding the FortiCloud SSO feature)
- Versions: Devices that were "fully upgraded to the latest release at the time of the attack" but still vulnerable due to an incomplete patch for the base CVEs.
- Configurations: Where the FortiCloud SSO feature is enabled on affected devices.
## Vulnerability Description
The vulnerability is an authentication bypass affecting the FortiCloud Single Sign-On (SSO) implementation. Attackers can bypass SSO login authentication by sending specially crafted SAML messages to the device. This vulnerability appears to stem from an incomplete or improper patch previously deployed to address CVE-2025-59718 and CVE-2025-59719.
## Exploitation
- Status: Exploited in the wild (Confirmed fresh exploitation activity reported on "fully-patched firewalls").
- Complexity: Suggested to be Low, given the direct confirmation of successful attacks bypassing existing patches.
- Attack Vector: Network (Implied, as it uses crafted SAML messages over the network connection to the firewall/SSO service).
## Impact
- Confidentiality: Likely high (Authentication bypass could lead to unauthorized access).
- Integrity: Likely high (Unauthorized access can lead to integrity violations).
- Availability: Unknown/Not specified.
## Remediation
### Patches
- The article confirms Fortinet is working to "completely plug" the vulnerability, implying a subsequent/new patch is required beyond the older ones that were incomplete. (Specific patch version not provided in the text).
### Workarounds
- Restrict administrative access of edge network devices.
- Turn off FortiCloud SSO logins by disabling the `"admin-forticloud-sso-login"` setting.
## Detection
- Detection methods are not explicitly detailed beyond monitoring for the successful exploitation attempts themselves.
## References
- Vendor Advisory: Mentioned report confirms Fortinet is investigating: hxxps://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html