
Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched

3 unique sources, 15 articles

Summary


Fortinet’s **critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS is now being actively exploited in attacks, according to threat intelligence reports. The flaw allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests targeting the 'Site' header in the web interface. Nearly **1,000 exposed FortiClient EMS instances** remain vulnerable online, with the majority located in the U.S. and Europe. This follows Fortinet’s recent emergency patches for **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass (CVSS 9.4) that was exploited to create admin accounts, modify firewall configurations, and exfiltrate data from over 25,000 exposed devices. CISA has mandated patches for federal agencies, but CVE-2026-21643 remains unlisted in its KEV catalog despite confirmed exploitation. The vulnerabilities stem from improper input validation—SQL injection in FortiClientEMS and authentication bypass in FortiCloud SSO—and have been linked to automated attacks since January 2026. Fortinet advises disabling FortiCloud SSO until patches are applied, restricting management interface access, and treating compromised systems as fully breached, requiring credential rotation and configuration restoration from clean backups. Patches for CVE-2026-24858 are available in **FortiOS 7.4.11**, **FortiManager 7.4.10**, and **FortiAnalyzer 7.4.10**, while CVE-2026-21643 is fixed in **FortiClientEMS 7.4.5** (versions 7.2 and 8.0 are unaffected).

Timeline

  1. 10.02.2026 06:38 2 articles · 1mo ago

    Fortinet patches critical unauthenticated SQLi in FortiClientEMS

    Fortinet has addressed a **critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS that allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. The flaw impacts **FortiClientEMS 7.4.4** (fixed in 7.4.5) but does not affect versions 7.2 or 8.0. Discovered by Fortinet’s Gwendal Guégniaud, the vulnerability is now confirmed to be **actively exploited in the wild**, with attackers smuggling SQL statements through the 'Site' header in HTTP requests. Threat intelligence reports indicate exploitation began at least four days prior to March 30, 2026. Nearly **1,000 FortiClient EMS instances** remain publicly exposed, primarily in the U.S. and Europe, according to Shodan and Shadowserver. While Fortinet has not yet updated its advisory to flag the flaw as exploited, the vulnerability poses immediate risk of remote code execution (RCE) attacks. This follows Fortinet’s recent fixes for **CVE-2026-24858**, the actively exploited FortiCloud SSO bypass flaw, and mirrors past incidents where similar FortiClient EMS SQLi vulnerabilities were leveraged in ransomware and state-sponsored campaigns.

  2. 28.01.2026 10:05 2 articles · 2mo ago

    Fortinet releases patches for CVE-2026-24858

    Fortinet has released emergency patches for **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass vulnerability (CVSS 9.4) actively exploited in the wild. The flaw allows attackers with a FortiCloud account and a registered device to log into other customers’ devices if FortiCloud SSO is enabled, even on fully patched systems. Exploitation has been linked to automated attacks creating admin accounts (e.g., 'audit', 'backupadmin'), granting VPN access, and exfiltrating firewall configurations via malicious accounts like '[email protected]' and '[email protected]'. Patches are now available in **FortiOS 7.4.11**, **FortiManager 7.4.10**, and **FortiAnalyzer 7.4.10**, with additional fixes planned for older versions (e.g., FortiOS 7.2.13, 7.0.19). Fortinet briefly disabled FortiCloud SSO globally (January 26–27, 2026) to mitigate attacks, restricting access to patched devices only. The U.S. CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to remediate by **January 30, 2026**. Customers detecting indicators of compromise (IoCs) are advised to treat devices as fully breached, rotate credentials, and restore configurations from clean backups.

  3. 28.01.2026 01:19 3 articles · 2mo ago

    Fortinet confirms new critical FortiCloud SSO authentication bypass vulnerability CVE-2026-24858

    Fortinet has confirmed a new, actively exploited critical FortiCloud SSO authentication bypass vulnerability, tracked as CVE-2026-24858. The flaw allows attackers to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability. Fortinet confirmed that attackers were exploiting an alternate authentication path that remained even on fully patched systems, and mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. Fortinet disabled the FortiCloud accounts being abused by attackers on January 22 and disabled FortiCloud SSO globally on January 26. Fortinet restored FortiCloud SSO access on January 27 but restricted it so that devices running vulnerable firmware can no longer authenticate via SSO. The vulnerability is an "Authentication Bypass Using an Alternate Path or Channel," caused by improper access control in FortiCloud SSO. Attackers with a FortiCloud account and a registered device could authenticate to other customers' devices if FortiCloud SSO was enabled. Fortinet confirmed the vulnerability was exploited in the wild by the malicious FortiCloud SSO accounts '[email protected]' and '[email protected]'. Once a device was breached, attackers would download customer config files and create one of the following admin accounts: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system. Connections were made from the following IP addresses: 104.28.244.115, 104.28.212.114, 104.28.212.115, 104.28.195.105, 104.28.195.106, 104.28.227.106, 104.28.227.105, 104.28.244.114, 37.1.209.19, 217.119.139.50. Fortinet is still investigating whether FortiWeb and FortiSwitch Manager are affected by the flaw. Customers who detect indicators of compromise in their logs should treat their devices as fully compromised, review all administrator accounts, restore configurations from known-clean backups, and rotate all credentials.

  4. 22.01.2026 07:55 8 articles · 2mo ago

    New automated attacks alter firewall configurations on FortiGate devices

    A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices. The activity includes the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out against a malicious account '[email protected]' from four different IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19. Threat actors created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence. All events took place within seconds of each other, indicating the possibility of automated activity. Arctic Wolf reported that the campaign started on January 15, 2026, with attackers exploiting an unknown vulnerability in the SSO feature to create accounts with VPN access and exporting firewall configurations within seconds, indicating automated activity. Arctic Wolf noted that the current campaign bears similarity to incidents documented in December following the disclosure of CVE-2025-59718. The attacks originated from a small number of hosting providers and typically targeted the [email protected] account. Within seconds after login, the attackers exported device configurations, likely through automation. It is unclear whether the activity is fully covered by the patch that initially addressed CVE-2025-59718 and CVE-2025-59719. The recent exploitation activity involves the creation of generic accounts for persistence, making configuration changes to grant VPN access, and exfiltrating firewall configurations. The threat actors have been observed logging in with accounts named '[email protected]' and '[email protected]'.

  5. 19.12.2025 17:00 6 articles · 3mo ago

    Over 25,000 Fortinet devices exposed to FortiCloud SSO attacks

    Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Shadowserver and Macnica threat researcher Yutaka Sejiyama have identified these devices, highlighting the widespread exposure. CISA has added the vulnerability to its catalog of actively exploited vulnerabilities, mandating U.S. government agencies to patch by December 23rd. Internet security watchdog Shadowserver is currently tracking nearly 11,000 Fortinet devices that are exposed online and have FortiCloud SSO enabled.

  6. 16.12.2025 12:58 12 articles · 3mo ago

    Active exploitation of FortiCloud SSO authentication bypass vulnerabilities

    Threat actors have begun exploiting CVE-2025-59718 and CVE-2025-59719 in active attacks on FortiGate devices. Attackers used IP addresses associated with hosting providers like The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Recent reports indicate that attackers have exploited the vulnerability via maliciously crafted SAML messages to compromise admin accounts, creating new admin users such as 'helpdesk'. The IP address 104.28.244.114 has been used in recent exploitation attempts. Affected Fortinet customers shared logs showing that the attackers created admin users after an SSO login from [email protected] on IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf.

  7. 09.12.2025 20:36 12 articles · 3mo ago

    Fortinet patches critical FortiCloud SSO authentication bypass vulnerabilities

    Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator. However, FortiOS version 7.4.10 does not fully address the authentication bypass vulnerability: multiple users reported malicious SSO logins on fully patched FortiOS devices, and Fortinet's developer team confirmed to affected admins that the flaw, which should have been patched since early December with the release of FortiOS 7.4.9, persists in 7.4.10. Fortinet is planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address CVE-2025-59718. Fortinet's CISO Carl Windsor confirmed that the ongoing attacks match December's malicious activity and that the issue is applicable to all SAML SSO implementations. Fortinet has confirmed that the FortiCloud SSO authentication bypass vulnerability is still being actively exploited on fully patched FortiGate firewalls. Fortinet advised customers to restrict administrative access to their edge network devices from the Internet by applying a local-in policy that limits the IP addresses that can reach the devices' administrative interfaces, and to disable FortiCloud SSO logins by toggling off the "Allow administrative login using FortiCloud SSO" option (the 'admin-forticloud-sso-login' setting). Affected customers are advised to treat the system and configuration as compromised, rotate credentials, and restore their configuration from a known clean version if IoCs are detected.

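The intrusion sequence described in timeline entries 3, 4 and 6 (an SSO admin login, then a generic admin account created and the configuration exported within seconds) is the kind of pattern a SIEM rule can catch. The following is an added example, not code from Fortinet or from the sources cited on this page; the key=value log format, its field names and the account `cloud-admin@example.com` are constructed assumptions, while the admin names and source IPs are the indicators listed in the timeline above.

```python
"""Flag the automated FortiCloud SSO intrusion pattern described on this page:
an SSO admin login followed within seconds, by the same account, by creation of
a generic admin user and a configuration export. Log lines are CONSTRUCTED
samples in a simplified key=value style loosely modelled on FortiOS event logs;
field names are assumptions, not a verified FortiOS schema."""
import re
from datetime import datetime, timedelta
# Indicators named on the page: generic admin names and SSO login source IPs.
GENERIC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support",
                       "backupadmin", "deploy", "remoteadmin", "security",
                       "svcadmin", "system"}
REPORTED_SRC_IPS = {"104.28.244.115", "104.28.212.114", "104.28.212.115",
                    "104.28.195.105", "104.28.195.106", "104.28.227.106",
                    "104.28.227.105", "104.28.244.114", "37.1.209.19",
                    "217.119.139.50"}

# Constructed sample: a malicious burst, then a legitimate SSO login whose admin creation 41 min later must not alert.
SAMPLE_LOG = """\
date=2026-01-15 time=03:12:07 action=login method=sso user=cloud-admin@example.com srcip=104.28.244.115
date=2026-01-15 time=03:12:09 action=Add cfgpath=system.admin cfgobj=audit user=cloud-admin@example.com srcip=104.28.244.115
date=2026-01-15 time=03:12:11 action=backup msg="configuration exported" user=cloud-admin@example.com srcip=104.28.244.115
date=2026-01-15 time=09:00:02 action=login method=sso user=it-admin@example.com srcip=10.10.0.5
date=2026-01-15 time=09:41:30 action=Add cfgpath=system.admin cfgobj=jdoe user=it-admin@example.com srcip=10.10.0.5
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict; quoted values lose their quotes."""
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    ev["ts"] = datetime.fromisoformat(f'{ev["date"]}T{ev["time"]}')
    return ev

def find_automated_sequences(log_text, window_s=60):
    """One alert per SSO login followed, by the same user within window_s
    seconds, by an admin-account creation or a configuration export."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("action") != "login" or ev.get("method") != "sso":
            continue
        deadline = ev["ts"] + timedelta(seconds=window_s)
        created, exported = [], False
        for nxt in events[i + 1:]:  # not assumed time-sorted: skip, do not break
            if nxt["ts"] > deadline or nxt.get("user") != ev["user"]:
                continue
            if nxt.get("action") == "Add" and nxt.get("cfgpath") == "system.admin":
                created.append(nxt["cfgobj"])
            elif nxt.get("action") == "backup":
                exported = True
        if created or exported:
            alerts.append({"user": ev["user"], "srcip": ev["srcip"], "login_at": ev["time"],
                           "admins_created": created, "config_exported": exported,
                           "known_bad_ip": ev["srcip"] in REPORTED_SRC_IPS,
                           "generic_names": sorted(set(created) & GENERIC_ADMIN_NAMES)})
    return alerts

if __name__ == "__main__":
    for alert in find_automated_sequences(SAMPLE_LOG):
        print(alert)
```

A production rule would feed the SIEM's parsed FortiOS event fields into the same window logic; a hit with `known_bad_ip` or `generic_names` set is the strongest signal, but any SSO login followed by a configuration export within seconds merits review.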

Similar Happenings

Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

Threat actors are actively exploiting CVE-2025-53521, a critical RCE vulnerability in F5 BIG-IP APM systems, to deploy webshells and other malware on unpatched devices. The flaw was reclassified from a DoS to RCE (CVSS 9.8) in March 2026 following new exploitation activity, affecting versions 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, and 15.1.0–15.1.10. Exploitation occurs via malicious traffic targeting virtual servers with BIG-IP APM configured or systems in appliance mode, with attackers deploying webshells and other payloads. Fixed versions (17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8) address the RCE. CISA added the flaw to its KEV catalog on March 28, 2026, mandating federal remediation within three days, and threat actors have weaponized it to install webshells. Shadowserver tracks over 240,000 exposed BIG-IP instances, though the scope of vulnerable configurations remains unclear. Fortinet has published IOCs for malicious activity, including rogue files and log anomalies. Separately, exploitation of CVE-2026-21643, a critical SQL injection flaw in FortiClient EMS, has been observed in the wild, with nearly 1,000 exposed instances detected. This flaw, disclosed and patched in February 2026, could grant attackers RCE capabilities, though it has not yet been added to CISA's KEV catalog.

Fortinet Firewalls Exploited via Incompletely Patched Flaws

Fortinet confirmed ongoing exploitation of an improperly patched vulnerability in FortiCloud SSO authentication, affecting fully updated firewalls. The flaw, related to CVE-2025-59718 and CVE-2025-59719, allows unauthenticated bypass of SSO login via crafted SAML messages. Fortinet advises disabling FortiCloud SSO and restricting administrative access as mitigations. The vulnerability highlights the risks of incomplete patches and the evolving tactics of attackers targeting trusted network security tools.

Critical Fortinet FortiSIEM Flaw Exploited in the Wild

A critical vulnerability in Fortinet FortiSIEM (CVE-2025-64155, CVSS 9.4) is under active exploitation. The flaw allows unauthenticated attackers to execute arbitrary code or commands via crafted TCP requests. The vulnerability comprises two issues: an unauthenticated argument injection leading to arbitrary file write and remote code execution as the admin user, and a file overwrite privilege escalation leading to root access. The affected phMonitor service is deeply embedded in FortiSIEM's operational workflow, making successful exploitation grant full control of the appliance. This vulnerability poses a significant risk to organizations using FortiSIEM, as it can lead to complete compromise of the appliance. Fortinet users are advised to apply patches and monitor their systems for any signs of exploitation.

Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)

Fortinet has reported active exploitation of a five-year-old vulnerability (CVE-2020-12812) in FortiOS SSL VPN, which allows attackers to bypass two-factor authentication (2FA) under specific configurations. The flaw, affecting certain setups with local and remote authentication methods, has been observed in the wild by multiple threat actors, including state-backed hackers. Fortinet has issued an advisory detailing the prerequisites for exploitation and recommended mitigations. The FBI and CISA have also warned about the exploitation of this vulnerability in ransomware attacks.

Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)

WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.