
SECURITY ALERT: Active Exploitation of Fortinet SSO and Management Vulnerabilities

January 23, 2026 | Posted in: Security Bulletins & Alerts

Systems Engineering is closely monitoring a critical security situation involving Fortinet FortiOS. Fortinet's recent analysis describes an exploitation technique that targets the Single Sign-On (SSO) mechanism and grants unauthorized administrative access to affected devices. Separately, we are continuing our response to a high-severity vulnerability published earlier this month (FG-IR-25-084, covered below).

Understanding the Threat: SSO Abuse on FortiOS

Fortinet recently published a detailed analysis of Single Sign-On (SSO) abuse on FortiOS. Threat actors are using crafted Security Assertion Markup Language (SAML) assertions to bypass authentication and gain full administrative control of FortiGate devices, without needing a valid local administrator password.

Once access is gained, attackers operate within legitimate management workflows to modify firewall policies, alter SSL VPN settings, and create persistent local administrative accounts. This method is particularly dangerous because it uses authorized administrative paths rather than traditional malware: there is no file to scan for, and every change looks like ordinary administrator activity unless you compare the configuration and event logs against what your team actually did.

Key Indicators of Compromise (IoC)

Based on current threat intelligence, the following indicators have been observed in active campaigns:

  • Malicious SSO Accounts: Logins using accounts such as cloud-noc@mail.io or cloud-init@mail.io.

  • Unauthorized Local Accounts: The creation of new local administrator accounts with names such as audit, backup, itadmin, secadmin, or support.

  • Malicious IP Addresses: Authentication attempts originating from specific known malicious IPs, including addresses in Cloudflare's ranges (e.g., 104.28.244.115, 104.28.212.114). Because Cloudflare address space is shared by many legitimate services, alert and block on the specific IPs reported, not on the provider's ranges as a whole.
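As an added example (not from the bulletin or from Fortinet), the indicators above expressed as a check over FortiOS event log lines, of the kind an alerting service would run. The log lines are constructed for this example: the field names (`user`, `srcip`, `action`, `cfgpath`, `cfgobj`) follow FortiOS's key=value log format, but the `logid` values and message text are illustrative, not captured from a device. The example goes slightly beyond the bulletin in one respect: it surfaces every newly created local administrator for review, not only the five names seen in the campaign, because an attacker can pick any name.

```python
import re

# Indicators listed in the bulletin above.
MALICIOUS_SSO_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
MALICIOUS_IPS = {"104.28.244.115", "104.28.212.114"}
SUSPECT_LOCAL_ADMINS = {"audit", "backup", "itadmin", "secadmin", "support"}

# FortiOS logs are space-separated key=value pairs; values containing spaces are
# double-quoted.  The regex tries the quoted form first, so an '=' or a space
# inside a quoted msg= value is never split into a bogus key.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> dict:
    """Return one log line as a dict with surrounding quotes removed."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def check_event(ev: dict) -> list:
    """Return a list of human-readable findings for one parsed event."""
    findings = []
    user = ev.get("user", "").lower()
    srcip = ev.get("srcip", "")

    # IoC 1: the SSO identities seen in the campaign, whatever the login outcome.
    if ev.get("action") == "login" and user in MALICIOUS_SSO_USERS:
        findings.append(f"login by known malicious SSO account {user}")

    # IoC 3: any event sourced from the listed IPs (successful or failed logins).
    if srcip in MALICIOUS_IPS:
        findings.append(f"activity from known malicious IP {srcip}")

    # IoC 2: a new object under system.admin is a new local administrator.
    # Flag the campaign's names hard; surface every other new admin for review.
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        name = ev.get("cfgobj", "")
        if name.lower() in SUSPECT_LOCAL_ADMINS:
            findings.append(f"creation of suspect local admin account {name!r} by {user}")
        else:
            findings.append(f"new local admin account {name!r} created by {user} (review)")
    return findings


def scan(lines) -> list:
    """Run check_event over raw log lines -> [(line_no, finding), ...]."""
    return [(n, f) for n, line in enumerate(lines, 1)
            for f in check_event(parse_fortios_log(line))]


# Constructed sample lines in FortiOS event-log style (not captured from a device).
SAMPLE_LOGS = [
    'date=2026-01-20 time=08:02:11 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2026-01-20 time=23:41:07 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="cloud-noc@mail.io" ui="sso(104.28.244.115)" '
    'method="sso" srcip=104.28.244.115 action="login" status="success" '
    'msg="Administrator cloud-noc@mail.io logged in successfully from sso(104.28.244.115)"',
    'date=2026-01-20 time=23:42:30 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="cloud-noc@mail.io" ui="sso(104.28.244.115)" '
    'action="Add" cfgpath="system.admin" cfgobj="itadmin" cfgattr="accprofile[super_admin]" '
    'msg="Add system.admin itadmin"',
    'date=2026-01-21 time=09:15:02 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" '
    'action="Add" cfgpath="system.admin" cfgobj="jsmith" cfgattr="accprofile[prof_admin]" '
    'msg="Add system.admin jsmith"',
    'date=2026-01-21 time=11:03:44 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" ui="https(104.28.212.114)" method="https" '
    'srcip=104.28.212.114 action="login" status="failed" reason="name_invalid" '
    'msg="Administrator admin login failed from https(104.28.212.114)"',
]

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {finding}")
```

Running it over the sample lines yields four flagged lines: the SSO login (two findings, account and source IP), the `itadmin` creation, the `jsmith` creation marked for review, and the failed login from the second listed IP. Feed it real syslog or FortiAnalyzer exports and the same three checks apply unchanged.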

Our Response and Mitigation Strategy

Systems Engineering is taking proactive steps to protect our clients while a formal patch for the SSO vulnerability is finalized.

  • Inherent Protections for Existing Clients: Systems Engineering's standard build already includes mitigations designed to prevent this type of exploitation, in particular restricting where the administrative interface can be reached from. We are also pushing additional security controls where appropriate to further harden these environments while we await the official vendor patch.

  • Ongoing Partnership with Fortinet: A definitive patch for this specific SSO exploit has not been released as initially anticipated. We are working directly with our Fortinet partnership to determine a timeline for a fixed release and will provide updates as soon as they become available.

  • Active Monitoring via SE EventWatch: Our EventWatch Service is already equipped to alert our security team if any known Indicators of Compromise are detected. This includes monitoring for the specific malicious IPs and the unauthorized creation of local accounts identified by Fortinet.

  • Dual-Track Patching Efforts: While we prepare for the critical SSO update, we are continuing our existing efforts to patch the high-severity vulnerability published in January (FG-IR-25-084). This separate vulnerability, a heap-based buffer overflow in the management daemon, remains a priority for our maintenance teams. Once the release for the critical SSO vulnerability is available, we will launch a second patching phase to address it across all managed environments.

Recommendations for Administrators

Until a formal patch is released for the SSO abuse vulnerability, we recommend the following best practices:

  1. Restrict Administrative Access: Use local-in policies to allow administrative interface access (HTTPS, SSH) only from specific, trusted IP addresses, and deny it from everywhere else. Set trusted hosts on each administrator account as well, so the restriction holds even if a policy is later changed.

  2. Audit Administrative Accounts: Regularly review all local and SSO-linked administrative accounts for unexpected or unauthorized entries, comparing against a known-good list of who should hold administrative profiles. Check the event log for admin logins and configuration changes you do not recognize, not only the account list.

  3. Disable Unused Services: Where operationally feasible, disable FortiCloud SSO login to the administrative interface, and remove HTTPS/SSH administrative access from internet-facing interfaces, until the vendor provides further guidance.
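Added example, not from the bulletin or from Fortinet: the three recommendations above as FortiOS CLI configuration. The interface name `port1`, the management subnet `10.0.0.0/24`, and the administrator name `admin` are assumptions for a particular environment; the `sso-admin` table name may differ between FortiOS releases, so verify it against the CLI reference for your version.

```fortios
# 1. Allow HTTPS/SSH to the admin interface only from the management subnet,
#    then deny the same services from everyone else on that interface.
config firewall address
    edit "MGMT_ALLOWED"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_ALLOWED"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
# Pin trusted hosts per administrator so the restriction survives a policy change.
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end

# 2. Audit: list local and SSO-linked administrators, then pull the admin
#    login events for the indicator accounts from the local event log.
show system admin
show system sso-admin
execute log filter category 1
execute log filter field user cloud-noc@mail.io
execute log display

# 3. Disable FortiCloud SSO login to the administrative interface.
config system global
    set admin-forticloud-sso-login disable
end
```

Policy order matters: local-in policies are evaluated top down, so the accept for the management subnet must sit above the deny. Apply the local-in policy to every interface that exposes the admin interface, not just one, and keep a console or out-of-band path available before committing the deny rule.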

Systems Engineering will continue to monitor the situation and will begin patching as soon as a fix is released. For questions regarding your specific environment, please contact your Account Manager.