Fortinet confirms FortiCloud SSO exploitation against patched devices after attackers used a single sign-on flaw to access some systems. The company said the issue affected FortiCloud users despite recent security updates.
Fortinet confirms exploitation of FortiCloud SSO flaw
Fortinet acknowledged that threat actors exploited a vulnerability in FortiCloud’s single sign-on (SSO) functionality. The exploitation occurred even on devices that had received patches for related issues. Fortinet said it is investigating the activities and working to understand the full impact.
Details of the issue
The SSO flaw allowed attackers to bypass normal authentication controls under certain conditions. While Fortinet issued patches for known vulnerabilities, the exploitation showed that the SSO mechanism could still be abused in some configurations. Fortinet said it has identified indicators of compromise and is sharing guidance with customers.
Patched devices were not fully protected
Fortinet confirmed that some patched devices were accessed because the SSO exploit did not require unpatched software on the endpoint itself. The attackers leveraged weaknesses in the FortiCloud authentication process, which sits outside the device’s local patch status. As a result, systems thought to be secure were still at risk.
Response and mitigation steps
Fortinet said it is working with affected customers and security partners to contain the incident. The company recommended that customers review login activity, enforce multi-factor authentication (MFA), and apply additional controls where possible. Fortinet also said it is refining its detection and response capabilities for FortiCloud services.
Customer and industry impact
The confirmation raised concerns among enterprises that rely on FortiCloud and Fortinet SSO for centralized access management. Security experts said the case highlights how cloud-based authentication services can become critical attack targets. Organisations using FortiCloud were urged to audit access logs and strengthen identity controls.
Conclusion
Fortinet confirms that FortiCloud SSO exploitation affected some patched systems, prompting guidance on additional protections such as MFA and monitoring to reduce future risk. The company continues to investigate and support customers following the incident.
Source: https://www.securityweek.com/fortinet-confirms-forticloud-sso-exploitation-against-patched-devices/
