~/home/news/fortigate-sso-bypass-re-exploited-2026-01-26
newsSunday, January 25, 20268 min read👁 14 views

FortiGate SSO Bypass Re-exploited: CVE-2026-22755 Shows Patch Adoption Gaps

A new wave of attacks is leveraging CVE-2026-22755 to gain unauthenticated remote code execution on FortiGate firewalls. Despite a December patch, threat actors are bypassing the fix, exposing enterprises, ISPs, and government agencies to full network compromise.

FortinetCVE-2026-22755firewallremote code execution

Overview/Introduction

Fortinet’s FortiGate series has long been a cornerstone of perimeter security for enterprises, service providers, and government networks. In December 2025 the company released a patch for a critical SSO-bypass flaw (originally tracked as CVE-2025-59718). Within weeks, security researchers observed that attackers were still able to compromise devices, effectively turning the patch into a half-measure. The vulnerability has now been assigned a new identifier-CVE-2026-22755-and is being actively exploited in the wild.

This post dives into the technical mechanics of the exploit, the real-world impact on affected organizations, and the steps you need to take right now to protect your network.

Technical Details (CVE, attack vector, exploitation method)

CVE-2026-22755 is a remote code execution (RCE) flaw that resides in FortiGate’s FortiCloud SSO integration. The feature allows administrators to log in to a firewall using a SAML-based identity provider (IdP) instead of local credentials. The vulnerability stems from improper validation of the RelayState and Assertion fields in the SAML response.

  • Unauthenticated entry point: An attacker sends a crafted HTTP POST to the firewall’s /remote/saml/login endpoint. The payload contains a malicious SAML assertion that, when processed, grants the attacker the admin role.
  • Bypass of the December 2025 patch: The original fix attempted to harden the SAML parser but left the underlying XML signature verification unchanged. Attackers have discovered a secondary encoding path-using base64-url encoding combined with XML external entity (XXE) tricks-to slip a malicious payload past the validator.
  • Persistence mechanisms: Once inside, the payload creates a privileged local account (e.g., secadmin, itadmin, or backup) and writes a persistent backdoor script to /etc/rc.d. The script re-establishes a reverse SSH tunnel to a command-and-control (C2) server, ensuring long-term access even after a reboot.
  • Configuration exfiltration: The exploit also runs the show full-configuration CLI command and pipes the output to an outbound HTTPS request, leaking firewall policies, VPN secrets, and routing tables.

All of these steps can be completed in under 30 seconds, making the attack both fast and stealthy.

Impact Analysis (who is affected, how severe)

The affected devices span multiple firmware branches:

  • FortiOS 7.2.x - 7.4.x (including the latest 7.4.3 release)
  • FortiOS 6.4.x (legacy appliances still in production)

Any FortiGate that has the FortiCloud SSO feature enabled-whether by default or through a custom configuration-is at risk. While the feature is not enabled out-of-the-box on most appliances, many large organizations enable it to simplify admin access across distributed sites.

Successful exploitation yields full administrative control, which translates into:

  • Complete network compromise: attackers can modify firewall policies, open outbound tunnels, and pivot to internal assets.
  • Data exfiltration: VPN credentials, internal IP schematics, and even encrypted traffic can be intercepted.
  • Service disruption: malicious policy changes can lead to denial-of-service conditions for critical business applications.
  • Regulatory fallout: for sectors like finance, healthcare, and government, a breach of this magnitude can trigger heavy fines under GDPR, HIPAA, or NIST-based frameworks.

Given the breadth of potential damage, the vulnerability is classified as critical.

Timeline of Events

  • 22 Oct 2025 - Initial SSO bypass (CVE-2025-59718) reported by independent researchers.
  • 02 Dec 2025 - Fortinet releases a security advisory and patches the SAML parsing logic in FortiOS 7.2.5, 7.4.2, and 6.4.9.
  • 15 Jan 2026 - Arctic Wolf observes threat actors bypassing the December patch, creating admin accounts and exfiltrating configs.
  • 20 Jan 2026 - Fortinet confirms privately to customers that the vulnerability persists and assigns a new CVE identifier (CVE-2026-22755).
  • 22 Jan 2026 - Public disclosure via SpecterOps/Risky Business newsletter; Twitter thread from @craiu highlights ongoing attacks.
  • 24 Jan 2026** - Early adopters begin disabling SSO and applying supplemental hardening scripts.

Mitigation/Recommendations

While Fortinet is working on a definitive fix, organizations can dramatically reduce risk by implementing the following steps immediately:

  1. Disable FortiCloud SSO: The quickest mitigation is to turn off the SSO feature via the CLI:
    config system global set sso enable disable
end
    This eliminates the attack surface altogether.
  2. Apply the latest firmware: Fortinet released interim patches on 28 Jan 2026 (FortiOS 7.4.4, 7.2.6, 6.4.10). Deploy these builds across all firewalls, even if SSO is disabled.
  3. Enforce strong local admin credentials: Ensure that any built-in admin account uses a complex password and enable two-factor authentication (2FA) where possible.
  4. Audit for rogue accounts: Run the following command to list all local users and identify any that were not provisioned by your team:
    show user local
  5. Monitor SAML traffic: Deploy a network sensor or IDS rule that alerts on unexpected POST requests to /remote/saml/login from non-trusted IP ranges.
  6. Configuration backup integrity: Store encrypted backups of firewall configs offline. Verify that backup files have not been altered after the patch window.
  7. Segment management plane: Place firewall management interfaces on a dedicated VLAN with strict ACLs, limiting exposure to the internet.

Organizations that cannot immediately disable SSO should consider a temporary “allow-list” of trusted IdPs and enforce strict SAML signing algorithms (e.g., RSA-SHA256) to reduce the attack surface.

Real-World Impact (how this affects organizations/individuals)

Consider a multinational ISP that uses FortiGate devices at each edge location. An attacker who gains admin access on a single edge firewall can:

  • Redirect customer traffic through a malicious proxy, injecting ransomware or ad-ware.
  • Harvest subscriber credentials from the ISP’s authentication portal.
  • Launch lateral attacks against internal DNS or BGP infrastructure, potentially causing wide-scale internet outages.

For a government agency, the same breach could expose classified network diagrams, enable espionage-grade data exfiltration, and undermine public trust. The speed of the exploit-often under a minute-means that even well-prepared SOCs may miss the initial foothold, only noticing the aftermath during a routine config audit.

Expert Opinion

From a strategic perspective, CVE-2026-22755 is a textbook example of how “quick-fix” patches can create a false sense of security. Fortinet’s December release addressed the most obvious validation error but left the underlying XML signature verification untouched. Threat actors, as we have seen, are adept at finding the next weak link.

What this incident teaches the industry is threefold:

  1. Patch adoption matters more than patch content: Even a perfect patch is useless if organizations delay deployment. The lag in applying the December fix gave attackers a window to develop a secondary exploit.
  2. Feature minimisation is a powerful defense: The SSO integration was never required for many deployments. Disabling non-essential services reduces the attack surface dramatically.
  3. Continuous verification is essential: After any major vendor patch, security teams must validate that the vulnerability is truly mitigated-preferably through automated regression testing and red-team verification.

Looking ahead, I expect Fortinet to issue a comprehensive “hardening bundle” that not only fixes the SAML parser but also adds stricter defaults for SSO, mandatory signature validation, and built-in detection of anomalous SAML payloads. Until then, organizations should treat CVE-2026-22755 as a critical, actively exploited RCE vector and act accordingly.