{"id":55241,"date":"2026-02-05T10:58:27","date_gmt":"2026-02-05T15:58:27","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55241"},"modified":"2026-02-05T10:58:27","modified_gmt":"2026-02-05T15:58:27","slug":"forticloud-authentication-siem-rules","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/forticloud-authentication-siem-rules\/55241\/","title":{"rendered":"How to detect FortiCloud SSO authentication bypass"},"content":{"rendered":"<p>Over the past two months, researchers have reported three vulnerabilities that can be exploited to bypass authentication in Fortinet products that use the FortiCloud SSO mechanism. The first two \u2013 <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-59718\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-59718<\/a> and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-59719\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-59719<\/a> \u2013 were found by Fortinet\u2019s own experts during a code audit (although CVE-2025-59718 has already made it into <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718\" target=\"_blank\" rel=\"noopener nofollow\">CISA\u2019s Known Exploited Vulnerabilities Catalog<\/a>), while the third \u2013 <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-24858\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2026-24858<\/a> \u2013 was identified directly <a href=\"https:\/\/www.fortinet.com\/blog\/psirt-blogs\/analysis-of-sso-abuse-on-fortios\" target=\"_blank\" rel=\"noopener nofollow\">during an investigation<\/a> of unauthorized activity on devices. These vulnerabilities allow attackers with a FortiCloud account to log into other companies\u2019 FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb accounts if the SSO feature is enabled on the given device.<\/p>\n<p>To protect companies that use both our Kaspersky Unified Monitoring and Analysis Platform and Fortinet devices, we\u2019ve created a set of correlation rules that help detect this malicious activity. The rules are already available for customers to download from the Kaspersky SIEM repository; the package is named <strong>[OOTB] FortiCloud SSO abuse package \u2013 ENG<\/strong>.<\/p>\n<h2>Contents of the FortiCloud SSO abuse package<\/h2>\n<p>The package includes three groups of rules. They\u2019re used to monitor the following:<\/p>\n<ul>\n<li>Indicators of compromise: source IP addresses, usernames, and creation of a new account with specific names;<\/li>\n<li>Critical administrator actions, such as logging in from a new IP address, creating a new account, logging in via SSO, logging in from a public IP address, and exporting the device configuration;<\/li>\n<li>Suspicious activity: configuration export or account creation immediately after a suspicious login.<\/li>\n<\/ul>\n<p>Rules marked \u201c(info)\u201d may generate false positives, because the events that must be monitored to catch authentication bypass attempts may also be entirely legitimate. To reduce false positives, add the IP addresses and accounts associated with legitimate administrative activity to the exceptions.<\/p>\n<p>As new attack reports emerge, we plan to supplement the rules marked \u201cIOC\u201d with new information.<\/p>\n<h2>Additional recommendations<\/h2>\n<p>We also recommend using the rules from the FortiCloud SSO abuse package for retrospective analysis or threat hunting. Recommended analysis period: starting from December 2025.<\/p>\n<p>For the detection rules to work correctly, you need to ensure that events from Fortinet devices are received in full and normalized correctly. We also recommend mapping data into the \u201cExtra\u201d field when normalizing events, as this field holds additional information that may need to be investigated.<\/p>\n<p>Learn more about our Kaspersky Unified Monitoring and Analysis Platform <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/unified-monitoring-and-analysis-platform?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">on the official solution page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky SIEM has received a set of correlation rules for detecting attempts to exploit authentication bypass vulnerabilities in Fortinet products.<\/p>\n","protected":false},"author":2741,"featured_media":55243,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[4699,2464,4532,268],"class_list":{"0":"post-55241","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-correlation-rules","10":"tag-siem","11":"tag-sso","12":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/forticloud-authentication-siem-rules\/55241\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/forticloud-authentication-siem-rules\/30149\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/forticloud-authentication-siem-rules\/25210\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/forticloud-authentication-siem-rules\/30025\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/forticloud-authentication-siem-rules\/41258\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/forticloud-authentication-siem-rules\/30241\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/forticloud-authentication-siem-rules\/35909\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/forticloud-authentication-siem-rules\/35564\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/siem\/","name":"SIEM"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2741"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=55241"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55241\/revisions"}],"predecessor-version":[{"id":55246,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55241\/revisions\/55246"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/55243"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=55241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=55241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=55241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}