FortiGate SAML SSO bypass attacks are active. Learn how AI-powered detection flags anomalous admin logins and config exports before damage spreads.

Stop SSO Bypass Attacks on FortiGate With AI Signals
Most orgs treat SSO as a convenience feature. Attackers treat it as a shortcut.
This week’s Fortinet FortiGate SAML SSO authentication bypass campaign is a clean reminder that identity is part of your perimeter, especially when the identity flow ends at an internet-exposed firewall or VPN gateway. Two critical CVEs (CVE-2025-59718 and CVE-2025-59719, both scored 9.8) are being exploited to bypass authentication using crafted SAML messages when FortiCloud SSO is enabled.
What’s frustrating is that this isn’t only a “patch faster” story (though you should). It’s also an “observe smarter” story. In the AI in Cybersecurity series, we keep coming back to the same theme: the teams that fare best aren’t the ones with perfect prevention—they’re the ones that can detect abnormal behavior quickly and respond automatically when prevention fails.
What’s happening in the FortiGate SAML SSO bypass attacks
The core issue is simple: attackers can log in without valid credentials by sending crafted SAML messages, if the FortiCloud SSO feature is enabled on the device.
That “if” is doing a lot of work. FortiCloud SSO is disabled by default, but it can be enabled during FortiCare registration unless an admin explicitly disables “Allow administrative login using FortiCloud SSO.” In practice, that means some environments have SSO enabled without realizing they expanded the admin authentication surface area.
Arctic Wolf reported observing malicious SSO logins against FortiGate appliances on December 12, 2025, using infrastructure tied to a limited set of hosting providers. Post-login activity included exporting device configurations via the GUI—a move that shifts the incident from “access” to “asset capture,” because config exports can contain hashed credentials, secrets, network topology clues, and policy logic.
Why config exports are a big deal (even with hashed creds)
A lot of teams shrug at “hashed passwords in configs.” Attackers don’t.
Once configs are exfiltrated, adversaries can:
- Attempt offline hash cracking, especially against weak or reused admin passwords
- Identify VPN settings, admin portals, management IP ranges, and trusted hosts
- Map segmentation rules and find “quiet paths” between zones
- Spot credential reuse patterns across devices and environments
This is why incident responders often treat firewall config theft the way they treat password database theft: assume compromise and rotate.
Why SSO on security appliances is a high-risk convenience
SSO reduces password sprawl and improves admin experience. But putting SSO on a firewall admin plane has a unique downside: a single auth flaw can become a perimeter breach.
Here’s the stance I’ll take: if an authentication system sits in front of your network choke points (firewalls, VPN concentrators, proxies), it deserves stricter controls than typical app logins.
The hidden risk: “SSO is enabled without anyone noticing”
This Fortinet case highlights a pattern that shows up in real incidents:
- A feature is “off by default.”
- A registration workflow or integration wizard turns it on.
- The environment drifts.
- Nobody reviews the admin-plane attack surface until there’s a KEV deadline.
If you’re running change management tightly, you may catch it. If you’re running fast (and most teams are), you probably won’t.
Why attackers love opportunistic SSO exploitation
Arctic Wolf characterized the observed activity as opportunistic. That tracks with how modern exploitation waves work:
- Public disclosure happens
- Scanners and exploit kits update
- Mass probing begins within days (sometimes hours)
- Early intrusions focus on quick wins: admin access, config export, credential capture
The uncomfortable truth: you don’t need to be “targeted” to be hit. You just need to be reachable and unpatched.
Where AI-powered threat detection fits (and where it doesn’t)
AI won’t magically prevent every auth bypass. If a device accepts a crafted SAML assertion as valid, that’s a code and validation failure—patching is non-negotiable.
But AI shines in the window that matters most in real operations: between “first malicious login” and “meaningful damage.”
AI can spot “impossible admin behavior” faster than humans
In the FortiGate activity described, several signals are highly learnable:
- First-time SSO login for the built-in admin account
- SSO login from a hosting provider ASN (versus known corporate ranges)
- Login timing anomalies (e.g., 03:12 local time, holiday week, no corresponding ticket/change)
- GUI-based config export immediately after login
- New outbound connections from the management plane to unfamiliar IPs
A human analyst can find these. The problem is scale and time. AI-based anomaly detection can baseline your normal administrative patterns and flag the outliers within minutes.
A strong detection rule is good. A model that learns “what normal looks like for your admins” is better—because attackers change tactics, but they can’t easily mimic your environment’s habits.
AI helps you reduce false positives in authentication monitoring
Authentication logs are noisy. If you alert on every admin login, your team will mute alerts.
An AI-driven approach can score events using multiple dimensions at once:
- User/account criticality (e.g., the built-in admin account vs a named admin)
- Source reputation and network distance
- Historical admin behavior (time, device, geography)
- Sequence patterns (login → config export → policy edit)
- Asset context (is the device internet-exposed? is it a crown-jewel firewall?)
This is where “AI in cybersecurity” gets practical: fewer alerts, higher confidence, faster triage.
AI can automate response actions safely—if you set guardrails
Automation should be boring and predictable. For identity and perimeter devices, a safe playbook might:
- Temporarily restrict management-plane access to known internal IPs/VPN
- Disable FortiCloud SSO (until patched and validated)
- Force admin credential rotation and invalidate active sessions
- Snapshot device state and export logs for investigation
- Open an incident and assign to the on-call responder
AI can decide when to trigger the playbook based on confidence scoring, but the playbook itself should be pre-approved and reversible.
A practical response plan for the next 72 hours
If you manage FortiGate (or any internet-facing security appliance), your response needs two tracks: fix the vulnerability and hunt for evidence of misuse.
1) Patch and verify the admin-plane posture
Do the basics quickly, then confirm you actually did them.
- Apply the vendor fixes for affected Fortinet products (FortiOS, FortiWeb, FortiProxy, FortiSwitchManager)
- Confirm FortiCloud SSO status explicitly (don’t assume defaults)
- Restrict management interfaces to trusted networks only
- Disable any unnecessary external exposure (temporary reduction is fine)
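The FortiOS CLI fragments below are an added example, not commands from the article, Arctic Wolf, or Fortinet's advisory. They show how to confirm the FortiCloud SSO admin-login setting rather than assuming the default, how to disable it as the interim mitigation, and how to pin the built-in admin account to trusted hosts. The setting names follow the FortiOS CLI reference for recent releases; check them against the release you run before scripting them, and replace the trusted-host ranges (placeholders) with your own management networks.

```text
# Confirm the current value; do not rely on "disabled by default"
get system global | grep -i forticloud-sso

# Interim mitigation until the fixed build is installed and validated
config system global
    set admin-forticloud-sso-login disable
end

# Limit where the built-in admin account can authenticate from
config system admin
    edit "admin"
        set trusthost1 10.20.0.0/24
        set trusthost2 10.30.0.0/24
    next
end

# Re-check after the change so the emergency change record matches reality
get system global | grep -i forticloud-sso
```

Record the before and after output with the emergency change ticket; the first `get` is the evidence of whether SSO was silently enabled, and the second is the evidence that the mitigation actually took effect on that device.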
If you’re in a regulated environment, treat this like an emergency change with documentation after the fact. Waiting for a perfect CAB window is how opportunistic campaigns become incidents.
2) Hunt for the pattern that matters
Based on the reported activity, prioritize these checks:
- Unexpected SSO logins to the firewall admin plane
- Successful logins to the built-in admin account (especially if you normally use named accounts)
- GUI actions consistent with configuration export
- New or modified admin accounts, API keys, or trusted host settings
- Changes to policies that quietly enable persistence (new VIPs, broad allow rules, new VPN users)
3) Assume config theft changes your credential risk
If there’s any sign configs were exported, assume the attacker gained material that can be used later.
Rotate:
- Admin passwords (and move off the shared admin account if you can)
- Local accounts stored on the device
- Any secrets embedded in configs (SNMP communities, RADIUS shared secrets, LDAP bind credentials)
Also audit for credential reuse. If the firewall admin password shows up anywhere else, treat that as a separate problem to clean up.
How to build an AI-ready detection layer for SSO and admin access
The goal isn’t “buy AI.” The goal is to make authentication and admin actions observable enough that AI (or even advanced rules) can help.
Start with three telemetry sources
You’ll get the most value when you can correlate:
- Authentication events (SSO, local login, failed vs successful)
- Admin activity logs (GUI exports, policy changes, account changes)
- Network telemetry (new outbound connections from management interfaces)
If those logs live in different places and aren’t normalized, AI won’t save you. Centralize first.
The high-signal detections to implement
If you do nothing else, implement these detections around SSO and perimeter devices:
- Successful admin login from new ASN
- First-ever SSO login to a firewall
- Admin login followed by config export within 15 minutes
- Admin login outside normal maintenance window plus high-risk action
- Management-plane traffic to unfamiliar IPs immediately after login
AI models can score and rank these alerts, but even rules-based detection becomes dramatically better when you include sequence and context.
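As an added example (not code from the article, Arctic Wolf, or Fortinet), the script below applies the "impossible admin behavior" signals listed earlier and the high-signal detections above to a handful of constructed log lines, scoring each successful login across the dimensions the article names (account criticality, source ASN, time of day, first-ever SSO, the login-then-export sequence, and asset context). The key=value log format, the baseline values, the ASN table, the weights, and the threshold are all assumptions chosen for illustration; real FortiOS event logs use different field names, and in production the events would come from your SIEM rather than a string.

```python
"""Multi-dimensional scoring of firewall admin logins, including the
login -> config export sequence. Added example; log format, baseline and
weights are constructed for illustration, not real FortiOS fields."""
from datetime import datetime, timedelta
import ipaddress
import shlex

# Constructed sample events (not real FortiOS logs), one per line.
SAMPLE_LOGS = """\
date=2025-12-12 time=09:02:13 user="jsmith" srcip=10.20.0.15 method=local action=login status=success
date=2025-12-12 time=09:40:55 user="jsmith" srcip=10.20.0.15 method=local action=policy_edit status=success
date=2025-12-12 time=03:12:07 user="admin" srcip=203.0.113.25 method=sso action=login status=success
date=2025-12-12 time=03:14:40 user="admin" srcip=203.0.113.25 method=sso action=config_export status=success
date=2025-12-12 time=14:10:02 user="mlee" srcip=10.20.0.31 method=sso action=login status=success
"""

# Constructed baseline of "normal" for this one firewall (assumed values).
BASELINE = {
    "corporate_ranges": [ipaddress.ip_network("10.0.0.0/8")],
    # 203.0.113.0/24 is a documentation prefix; AS64496 is a documentation ASN.
    "asn_map": {ipaddress.ip_network("203.0.113.0/24"): "AS64496 (hosting provider)"},
    "seen_asns": set(),                 # ASNs previously seen for admin logins
    "seen_sso_users": {"mlee"},         # accounts that have used SSO before
    "maintenance_hours": range(8, 19),  # 08:00-18:59 local
    "internet_exposed": True,
}
SEQUENCE_WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Split a key=value line into a dict; shlex handles quoted values."""
    ev = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        ev[key] = value
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def source_asn(ip, baseline):
    """Classify a source IP as corporate, a known non-corporate ASN, or unknown."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in baseline["corporate_ranges"]):
        return "corporate"
    for net, label in baseline["asn_map"].items():
        if addr in net:
            return label
    return "unknown"


def score_login(ev, events, baseline):
    """Return (score, reasons) for one successful login across all dimensions."""
    score, reasons = 0, []
    if ev["user"] == "admin":
        score += 3
        reasons.append("shared built-in admin account")
    asn = source_asn(ev["srcip"], baseline)
    if asn != "corporate":
        score += 3
        reasons.append(f"source outside corporate ranges: {asn}")
        if asn not in baseline["seen_asns"]:
            score += 1
            reasons.append("ASN never seen for admin logins")
    if ev["ts"].hour not in baseline["maintenance_hours"]:
        score += 2
        reasons.append(f"outside maintenance window ({ev['ts']:%H:%M})")
    if ev["method"] == "sso" and ev["user"] not in baseline["seen_sso_users"]:
        score += 2
        reasons.append("first-ever SSO login for this account")
    # Sequence: same account and source IP exporting the config within the window.
    for later in events:
        if (later["user"] == ev["user"] and later["srcip"] == ev["srcip"]
                and later["action"] == "config_export"
                and timedelta(0) <= later["ts"] - ev["ts"] <= SEQUENCE_WINDOW):
            score += 4
            reasons.append("config export within 15 minutes of login")
            break
    if baseline["internet_exposed"]:
        score += 1
        reasons.append("internet-exposed device")
    return score, reasons


def rank_logins(raw_logs, baseline, threshold=6):
    """Score every successful login; return alerts at or above threshold, highest first."""
    events = [parse_line(l) for l in raw_logs.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if ev["action"] != "login" or ev["status"] != "success":
            continue
        score, reasons = score_login(ev, events, baseline)
        if score >= threshold:
            alerts.append({"user": ev["user"], "srcip": ev["srcip"],
                           "ts": ev["ts"], "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in rank_logins(SAMPLE_LOGS, BASELINE):
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['user']}@{a['srcip']} score={a['score']}: "
              + "; ".join(a["reasons"]))
```

On the sample data only the 03:12 SSO login by the built-in admin account from the hosting-provider range surfaces, with the config export two minutes later as the largest single contributor; the two corporate logins score 1 each and never reach the threshold. That is the point of scoring across dimensions: no single signal has to be conclusive, and the threshold is what keeps ordinary admin logins out of the queue. Derive the weights and the window from your own baseline rather than copying these numbers.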
“People also ask” (and the direct answers)
Does disabling FortiCloud SSO reduce risk? Yes. In this specific campaign, the bypass is tied to FortiCloud SSO being enabled, so disabling it is a valid mitigation until you patch.
If we patched, are we safe? You’re safer, but patching doesn’t answer whether you were already accessed. You still need to review admin logins and config export events.
Why would attackers export configs instead of dropping malware? Because it’s quiet, fast, and valuable. Configs help attackers return later with better credentials and better knowledge of your network.
What this incident says about AI in cybersecurity going into 2026
This FortiGate SAML bypass wave isn’t special because it’s Fortinet. It’s special because it’s predictable.
- Identity flows expand into infrastructure.
- “Optional” features get enabled through operational drift.
- Public CVEs turn into active exploitation fast.
- Attackers grab configs and credentials before defenders finish meetings.
AI-powered threat detection doesn’t replace patching, but it does change your odds when the first malicious SSO login happens at 2 a.m. during end-of-year staffing gaps.
If your team wants a concrete next step, make it this: instrument, baseline, and alert on admin authentication and admin actions for perimeter devices. That’s where AI consistently pays for itself—because it reduces time-to-detection and helps your responders focus on the two events that matter, not the 2,000 that don’t.
What would your monitoring say right now if an attacker successfully SSO-logged into your firewall and exported its configuration—would you know in minutes, or next quarter?