Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls


Key Takeaways:

  • FortiCloud SSO bypass allows administrative access to fully patched FortiGate firewalls via crafted SAML messages.
  • Cisco has disclosed a critical RCE zero-day (CVE-2026-20045) impacting approximately 30 million UCM users.
  • Malicious VSCode extensions are exfiltrating developer source code and cloud credentials to external servers.
  • The ShinyHunters group is utilizing real-time vishing kits to bypass MFA for major SSO providers.

Analysis of the Fortinet FortiCloud SSO Bypass and Concurrent Infrastructure Vulnerabilities

On January 23, 2026, Fortinet confirmed that a new attack path allows threat actors to bypass Single Sign-On (SSO) authentication on FortiGate firewalls that have already been updated to the latest security releases. This incident indicates that the initial patches for CVE-2025-59718 and CVE-2025-59719 are insufficient to prevent unauthenticated access when the FortiCloud SSO feature is active. An integrated cyber threat intelligence platform is required to track these rapid shifts in vendor-specific vulnerabilities as they transition from patched states back to active exploitation.

The current threat environment is characterized by the failure of established patches and the exploitation of administrative interfaces across multiple enterprise vendors. Fortinet CISO Carl Windsor reported that within a 24-hour period, multiple cases were identified where firewalls, despite being fully upgraded, were compromised via crafted SAML messages. This specific bypass targets the FortiCloud SSO authentication flow, allowing unauthenticated actors to assume administrative control.

Technical Mechanics of the Fortinet SSO Bypass

The exploitation involves the manipulation of Security Assertion Markup Language (SAML) messages. Although Fortinet released patches in December 2025 to address CVE-2025-59718 and CVE-2025-59719, the newly identified activity suggests a secondary vector within the same feature set.
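The article does not describe the contents of the crafted messages, so the following is an added example, not Fortinet's code and not the bypass itself, of the structural checks a SAML service provider must pass before it trusts an assertion: exactly one assertion, the configured issuer, a signature that sits on the assertion and references the assertion's own ID, a valid time window, the correct audience and the correct recipient. The IdP and SP URLs, the assertion contents and the fixed clock are constructed for the demonstration; cryptographic verification of the XML signature over the canonicalized assertion is assumed to happen in a separate step and is not implemented here.

```python
"""Structural checks a SAML service provider must pass before trusting an assertion."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_issuer, expected_audience, expected_recipient, now):
    """Return the reasons to reject the assertion; an empty list means every structural check passed."""
    problems = []
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # never pick "the first" of several; that is a classic confusion vector
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    # The signature must sit on the Assertion and its Reference must point at this assertion's ID;
    # a signature on the outer Response alone does not bind the assertion contents.
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is unsigned")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
            problems.append("signature Reference does not cover this assertion's ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid")
        if not not_on_or_after or now >= _ts(not_on_or_after):
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not name this service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_recipient:
        problems.append("SubjectConfirmationData Recipient is missing or points elsewhere")
    return problems


def make_response(*, sign_assertion=True, audience="https://fw.example.net/saml/metadata",
                  not_on_or_after="2026-01-23T10:05:00Z", assertion_id="_a1"):
    """Constructed SAML Response used only for this demonstration (not a capture from any real IdP)."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>'
           '<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>') if sign_assertion else ""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2026-01-23T10:00:00Z">
    <saml:Issuer>https://idp.example.net/metadata</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>admin@example.net</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://fw.example.net/saml/acs" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2026-01-23T09:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''


# Assumed service-provider configuration and a fixed clock inside the assertion's validity window.
EXPECTED = dict(expected_issuer="https://idp.example.net/metadata",
                expected_audience="https://fw.example.net/saml/metadata",
                expected_recipient="https://fw.example.net/saml/acs")
NOW = datetime(2026, 1, 23, 10, 1, 0, tzinfo=timezone.utc)


def demo():
    """Genuine message versus three crafted variants that each fail one check."""
    return {
        "genuine": validate_assertion(make_response(), now=NOW, **EXPECTED),
        "unsigned_assertion": validate_assertion(make_response(sign_assertion=False), now=NOW, **EXPECTED),
        "wrong_audience": validate_assertion(make_response(audience="https://other-sp.example.org"), now=NOW, **EXPECTED),
        "expired": validate_assertion(make_response(not_on_or_after="2026-01-23T10:00:30Z"), now=NOW, **EXPECTED),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:20} {'ACCEPT' if not problems else 'REJECT: ' + '; '.join(problems)}")
```

A crafted message typically fails one of these checks: a signature on the outer Response only, an expired or audience-mismatched assertion, or a Recipient that points at another service. Whatever the specific flaw in a given product turns out to be, these checks plus a real signature verification are the baseline any SAML relying party, firewall management plane included, has to get right.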

[Image: Firewall breach showing SSO login bypass under active attack]

Observed post-compromise activity includes:

  • Account Persistence: The creation of generic administrative accounts, specifically “cloud-noc@mail.io” and “cloud-init@mail.io.”
  • Configuration Modification: Unauthorized changes to firewall settings to grant VPN access to these newly created accounts.
  • Data Exfiltration: Firewall configuration files are being exfiltrated to external IP addresses, potentially exposing network topology and internal routing logic.

While the primary observation focuses on FortiCloud SSO, the underlying vulnerability affects all SAML SSO implementations on the platform. Technical teams must recognize that this is not a failure of the patch itself to close the original hole, but the discovery of an adjacent attack path within the same authentication logic.
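As an added example, not code from the original article or from Fortinet, the following Python scans FortiGate-style event logs for the three indicators listed above: creation of the named administrator accounts, VPN or policy changes that reference them, and configuration backups taken while logged in as them. The sample log lines are constructed in FortiGate's key=value event-log layout and carry only the fields the checks read; the field names (cfgpath, cfgobj, cfgattr, logdesc, ui) should be confirmed against the FortiOS version in use before the rules are deployed.

```python
"""Scan FortiGate-style event logs for the three post-compromise indicators listed above."""
import re
from dataclasses import dataclass

# Account names reported in the incident; extend this set from your own telemetry.
ROGUE_ADMIN_NAMES = {"cloud-noc@mail.io", "cloud-init@mail.io"}

# FortiGate event logs are space-separated key=value pairs; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one log line, with surrounding quotes removed."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}


@dataclass
class Finding:
    rule: str
    account: str
    detail: str


def _mentions_rogue(text: str):
    return next((name for name in ROGUE_ADMIN_NAMES if name in text), None)


def check_line(fields: dict):
    """Map one parsed log line to a Finding, or None if it matches no rule."""
    cfgpath = fields.get("cfgpath", "")
    cfgobj = fields.get("cfgobj", "")
    cfgattr = fields.get("cfgattr", "")
    action = fields.get("action", "")
    user = fields.get("user", "")
    ui = fields.get("ui", "")
    # 1. Account persistence: a rogue administrator object is added.
    if cfgpath == "system.admin" and action == "Add" and cfgobj in ROGUE_ADMIN_NAMES:
        return Finding("rogue-admin-created", cfgobj, f"added by user={user} via ui={ui}")
    # 2. Configuration modification: the rogue account is wired into VPN, user-group or policy objects.
    if cfgpath.startswith(("vpn.", "user.group", "firewall.policy")):
        name = _mentions_rogue(cfgattr + " " + cfgobj)
        if name:
            return Finding("vpn-access-granted", name, f"{action} on {cfgpath} {cfgobj}".rstrip())
    # 3. Data exfiltration: a configuration backup initiated while logged in as a rogue account.
    if "backup" in fields.get("logdesc", "").lower() and user in ROGUE_ADMIN_NAMES:
        return Finding("config-exfil", user, f"backup via ui={ui}")
    return None


def scan(lines):
    """Run every line through the parser and the rules; return the findings in log order."""
    return [f for f in (check_line(parse_fortigate_log(line)) for line in lines) if f is not None]


# Constructed sample lines in the FortiGate key=value event-log layout; they are not captured
# from a real device and carry only the fields the checks above read.
SAMPLE_LOGS = [
    'date=2026-01-23 time=10:15:02 devname="FGT-EDGE1" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="sso" action="Add" cfgpath="system.admin" cfgobj="cloud-noc@mail.io" cfgattr="accprofile[super_admin]" msg="Add system.admin cloud-noc@mail.io"',
    'date=2026-01-23 time=10:15:09 devname="FGT-EDGE1" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="sso" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="authentication-rule[1].users[cloud-noc@mail.io]" msg="Edit vpn.ssl.settings"',
    'date=2026-01-23 time=10:16:41 devname="FGT-EDGE1" type="event" subtype="system" level="information" vd="root" logdesc="Configuration backup" user="cloud-noc@mail.io" ui="https(203.0.113.45)" action="backup" msg="Configuration backed up by cloud-noc@mail.io"',
    'date=2026-01-23 time=10:20:00 devname="FGT-EDGE1" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="jsmith" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.address" cfgobj="lan-subnet" cfgattr="subnet[10.0.0.0/24]" msg="Edit firewall.address lan-subnet"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.rule:22} {f.account:22} {f.detail}")
```

Feed the function the event log exported from the device or forwarded to your SIEM; the first rule is the one worth alerting on in real time, since the account creation precedes the VPN change and the backup in the sequence the article describes. The second rule is deliberately broad (any VPN, user-group or policy object that names a rogue account) because the exact object an attacker edits to grant VPN access varies between configurations.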

Cisco Unified Communications Zero-Day (CVE-2026-20045)

Concurrent with the Fortinet activity, Cisco disclosed a critical remote code execution (RCE) vulnerability in its Unified Communications Manager (UCM) and related products. Tracked as CVE-2026-20045, this flaw originates from improper validation of user-supplied input in HTTP requests sent to the web-based management interface.

With a user base of approximately 30 million, the impact of this zero-day is extensive. If an attacker sends a sequence of crafted HTTP requests, they can obtain user-level access to the underlying operating system and subsequently escalate privileges to root. The Cisco Product Security Incident Response Team (PSIRT) and CISA have confirmed active exploitation. Reports from real-time ransomware intelligence sources indicate mass scanning for exposed UCM interfaces.

The vulnerability impacts:

  • Unified Communications Manager (UCM)
  • UCM Session Management Edition (SME)
  • UCM IM & Presence Service (UCM IM&P)
  • Unity Connection
  • Webex Calling Dedicated Instance

Supply-Chain Risks in Developer Environments: MaliciousCorgi

The “MaliciousCorgi” campaign has successfully introduced spyware into the VSCode Marketplace, targeting developers through AI-based coding assistants. Two extensions, “ChatGPT – 中文版” (1.34 million installs) and “ChatMoss” (150k installs), were found to exfiltrate sensitive data to servers based in China. This highlights the necessity for supply-chain risk monitoring when integrating third-party tools into the software development lifecycle (SDLC).

These extensions utilize three primary exfiltration methods:

  1. Real-Time File Monitoring: Every file opened in the VSCode editor is encoded in Base64 and sent to a hidden tracking iframe. This includes source code, configuration files, and environment variables.
  2. Workspace Harvesting: A server-side command allows the extension to stealthily transmit up to 50 files from the victim’s workspace at a time.
  3. User Profiling: The use of zero-pixel iframes to load commercial analytics SDKs for device fingerprinting and identity profiling.

Organizations utilizing these extensions are at risk of losing cloud service credentials, API keys, and proprietary logic. Breach detection in these cases is difficult because the extensions provide the promised AI functionality while performing background exfiltration.
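As an added example, not code from the researchers who reported MaliciousCorgi, the following Python walks a VS Code extensions directory, reads each extension's package.json and flags anything published by the two publishers the report names (WhenSunset and zhukunpeng). The extension folder names, internal names and versions in the constructed sample tree are assumptions made for offline demonstration; the code matches on publisher only, because those are the identifiers the report gives.

```python
"""Flag installed VS Code extensions from publishers named in the MaliciousCorgi report."""
import json
import tempfile
from pathlib import Path

# Publisher identifiers named in the report; the marketplace treats them case-insensitively.
BLOCKED_PUBLISHERS = {"whensunset", "zhukunpeng"}


def read_manifest(ext_dir: Path):
    """Load <extension>/package.json, or return None if it is missing or unparsable."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        return json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def audit_extensions(extensions_dir: Path) -> list:
    """Return one record per installed extension whose publisher is on the block list."""
    flagged = []
    for ext_dir in sorted(p for p in extensions_dir.iterdir() if p.is_dir()):
        m = read_manifest(ext_dir)
        if not m:
            continue
        publisher = str(m.get("publisher", "")).lower()
        if publisher in BLOCKED_PUBLISHERS:
            flagged.append({
                "id": f"{publisher}.{m.get('name', '')}",  # the identifier `code --uninstall-extension` takes
                "displayName": m.get("displayName", ""),
                "version": m.get("version", ""),
                "path": str(ext_dir),
            })
    return flagged


def build_sample_tree(root: Path) -> None:
    """Constructed extension folders for offline use; names and versions are assumptions, not real manifests."""
    samples = [
        ("whensunset.chatgpt-zh-1.2.3",
         {"name": "chatgpt-zh", "publisher": "WhenSunset", "displayName": "ChatGPT - 中文版", "version": "1.2.3"}),
        ("zhukunpeng.chatmoss-3.0.1",
         {"name": "chatmoss", "publisher": "zhukunpeng", "displayName": "ChatMoss", "version": "3.0.1"}),
        ("ms-python.python-2025.1.0",
         {"name": "python", "publisher": "ms-python", "displayName": "Python", "version": "2025.1.0"}),
    ]
    for dirname, manifest in samples:
        d = root / dirname
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo() -> list:
    """Audit the constructed tree so the check can be exercised without touching a real profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extensions"
        build_sample_tree(root)
        return audit_extensions(root)


if __name__ == "__main__":
    target = Path.home() / ".vscode" / "extensions"  # default per-user location on Linux, macOS and Windows
    results = audit_extensions(target) if target.is_dir() else demo()
    for r in results:
        print(f"REMOVE {r['id']} ({r['displayName']} {r['version']}) at {r['path']}")
```

Run it on each developer workstation (or point it at the extensions directory of a remote or container profile), remove each flagged entry with `code --uninstall-extension <publisher>.<name>`, and treat every credential that was present in a file opened while the extension was installed as exposed.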

Vishing and SSO Extortion: ShinyHunters Campaign

The ShinyHunters extortion group has claimed responsibility for a series of voice phishing (vishing) attacks targeting SSO accounts at Okta, Microsoft Entra, and Google. This campaign uses social engineering to bypass Multi-Factor Authentication (MFA) in real time. Attackers call employees, posing as IT staff, and direct them to a phishing page.

ShinyHunters stated that Salesforce is their primary target, though they also target other SaaS platforms connected via SSO, such as Slack, Jira, and SAP. This underscores the risk of SSO as a single point of failure.

Underground forum intelligence suggests that the group is actively seeking access to corporate networks to exfiltrate documents for extortion, as seen in recent incidents involving SoundCloud, Betterment, and Crunchbase.

Technical Response Actions and Mitigations

For the Fortinet FortiCloud SSO bypass, the following technical actions are required:

  • Access Restriction: Apply a local-in policy so that the administrative interfaces of internet-facing devices are reachable only from trusted management addresses, never from the public internet.
  • Feature Disablement: Disable FortiCloud SSO logins (under config system global, set admin-forticloud-sso-login to disable) until Fortinet releases a fix for the bypass, and re-enable it only after upgrading to that release.
  • Log Auditing: Review system and configuration-change logs for the creation of “cloud-noc” or “cloud-init” accounts, for VPN or policy changes that reference them, and for configuration backups taken by accounts you do not recognise.

For the Cisco UCM vulnerability (CVE-2026-20045):

  • Patch Deployment: Immediately update all Unified Communications products to the versions specified in the Cisco advisory.
  • Interface Isolation: Ensure that web-based management interfaces are not accessible from the public internet.

Regarding the VSCode extensions:

  • Extension Audit: Remove “ChatGPT – 中文版” (publisher: WhenSunset) and “ChatMoss/CodeMoss” (publisher: zhukunpeng).
  • Credential Rotation: Rotate all API keys, cloud credentials, and passwords that were stored in source code.

Data Security and Intelligence Integration

The convergence of vendor-specific zero-days and sophisticated social engineering requires an integrated approach to security. Dark web monitoring is needed to identify whether corporate credentials stolen via vishing or malicious extensions are being traded on underground markets, and Telegram threat monitoring provides insight into the operational shifts of groups such as ShinyHunters.

PurpleOps provides the infrastructure and expertise to address these multidimensional threats. To evaluate your organization’s resilience against the specific threats described here, explore the PurpleOps Platform or review our Services.

Frequently Asked Questions

What is the primary risk associated with the Fortinet SSO bypass?

The primary risk is unauthenticated administrative access to the firewall, even on fully patched devices. Attackers can create persistent accounts, modify VPN settings, and exfiltrate network configuration files.

How widespread is the Cisco UCM zero-day (CVE-2026-20045)?

The vulnerability impacts approximately 30 million users globally. It allows for remote code execution and privilege escalation to root, providing a major pivot point for internal network attacks.

Which VSCode extensions are identified as MaliciousCorgi spyware?

The confirmed malicious extensions are “ChatGPT – 中文版” (publisher: WhenSunset) and “ChatMoss/CodeMoss” (publisher: zhukunpeng). These should be removed immediately.

How does ShinyHunters bypass Multi-Factor Authentication?

The group uses real-time vishing and synchronized phishing kits. They trick victims into providing MFA codes or approving push notifications while the attacker simultaneously logs into the legitimate SSO portal.