
Fortinet has confirmed that a new attack campaign observed recently against customer devices is exploiting an unpatched issue to bypass authentication. The new attacks are different from a previous campaign seen in December that targeted two vulnerabilities related to FortiCloud single sign-on (SSO) authentication.
“Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue,” the Fortinet product security team said in a blog post. “However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.”
Fortinet is currently working on a fix for the new issue, which affects not only FortiCloud SSO but all SAML SSO implementations. FortiCloud SSO is not enabled by default on devices, but it can become enabled when an administrator registers the device with FortiCare product support from the device’s management interface.
