[OOTB] FortiCloud SSO abuse package - ENG
<html lang="en">
<body>
  
	<p>
	In December 2025, two vulnerabilities (CVE-2025-59718 and CVE-2025-59719) were disclosed in FortiCloud single sign-on (SSO) that allow an attacker to bypass the authentication mechanism. They let an attacker authenticate via SSO by sending a specially crafted SAML message to FortiOS, FortiWeb, FortiProxy, or FortiSwitch Manager; exploitation is possible only when the FortiCloud SSO feature is enabled on the device. Additionally, in January 2026 a further vulnerability, CVE-2026-24858, was disclosed that allows access to FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb using FortiCloud accounts.<br>
	In response to these attacks, we have developed a set of detection rules to help identify potential exploitation attempts and the administrator activity that typically follows them, so that proactive measures can be taken to protect systems.<br>
	This package contains rules that can be categorized into three groups:
	<ul>
		<li>IOC monitoring:
			<ul>
				<li>Source IP address</li>
				<li>Username</li>
				<li>Creation of a new account with a specific name</li>
			</ul>
		</li>
		<li>Critical administrator activity:
			<ul>
				<li>Login from a new IP address</li>
				<li>Creation of a new administrator account</li>
				<li>Login via SSO</li>
				<li>Login from a public IP address</li>
				<li>Export of system configuration</li>
			</ul>
		</li>
		<li>Suspicious activity:
			<ul>
				<li>Export of configuration or creation of an account immediately after a suspicious login</li>
			</ul>
		</li>
	</ul>
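	<br>
	The three rule groups above, as an added example of the detection logic run over constructed FortiOS-style key=value log lines. This is illustrative Python written for this page, not the package's own rules or any Fortinet code. The IOC lists, the known-administrator exception list, the 10-minute correlation window, and the field conventions used to recognise an SSO login (<code>method="sso"</code>), an administrator account creation (<code>cfgpath="system.admin"</code> with <code>action="Add"</code>) and a configuration export (<code>action="backup"</code>) are assumptions; adapt them to the fields your collector actually normalizes.<br>

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Placeholder indicator lists standing in for the package's IOC rules (constructed, not real IOCs).
IOC_SRC_IPS = {"203.0.113.77"}
IOC_USERNAMES = {"fortinet-tech-support"}
IOC_NEW_ACCOUNT_NAMES = {"svc-backup"}
KNOWN_ADMIN_IPS = {"10.10.0.5"}             # exception list for legitimate admin sources (constructed)
CORRELATION_WINDOW = timedelta(minutes=10)  # how soon after a suspicious login a follow-up counts (assumption)

# Constructed FortiOS-style key=value events. Field names follow the FortiOS log format; the values,
# and the use of method="sso" for a FortiCloud SSO login, cfgpath="system.admin" with action="Add"
# for an account creation and action="backup" for a configuration export, are assumptions.
SAMPLE_LOGS = [
    'date=2025-12-10 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.10.0.5)" method="https" srcip=10.10.0.5 action="login" status="success"',
    'date=2025-12-10 time=10:00:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="fortinet-tech-support" ui="https(203.0.113.77)" method="sso" srcip=203.0.113.77 action="login" status="success"',
    'date=2025-12-10 time=10:03:00 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="fortinet-tech-support" ui="https(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="svc-backup" cfgattr="accprofile[super_admin]"',
    'date=2025-12-10 time=10:05:00 type="event" subtype="system" logdesc="Configuration backup" '
    'user="fortinet-tech-support" ui="https(203.0.113.77)" action="backup" status="success"',
    'date=2025-12-10 time=11:00:00 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="https(10.10.0.5)" action="Add" cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[prof_admin]"',
]

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# RFC 1918, loopback and link-local. ipaddress.is_global() is avoided on purpose: it also classifies the
# documentation ranges (e.g. 203.0.113.0/24 used above) as non-global, which would hide the sample hit.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                                    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]

def is_public_ip(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _INTERNAL_NETS)

def parse_event(line):
    """Parse one key=value line into a dict with 'ts' (datetime) and 'src' (the admin's IP address)."""
    ev = {}
    for m in _KV_RE.finditer(line):
        ev[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    # Config-change events carry the admin's address only inside ui="https(a.b.c.d)".
    m = re.search(r"\(([^)]+)\)", ev.get("ui", ""))
    ev["src"] = ev.get("srcip") or (m.group(1) if m else None)
    return ev

def classify(ev):
    """Map an event to one of the activity types the rules care about, or None."""
    if ev.get("action") == "login" and ev.get("status") == "success":
        return "login"
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        return "admin_created"
    if ev.get("action") == "backup":
        return "config_export"
    return None

def detect(lines):
    """Run the three rule groups over the events in time order and return the alerts raised."""
    alerts = []
    last_suspicious_login = {}  # user -> time of the latest login that tripped an "info" login rule

    def fire(level, rule, ev):
        alerts.append({"level": level, "rule": rule, "ts": ev["ts"], "user": ev.get("user"), "src": ev["src"]})

    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        kind, user, src = classify(ev), ev.get("user"), ev["src"]
        # Group 1: IOC monitoring. No exceptions apply; address and username IOCs are checked on logins.
        if kind == "login" and src in IOC_SRC_IPS:
            fire("ioc", "IOC source IP address", ev)
        if kind == "login" and user in IOC_USERNAMES:
            fire("ioc", "IOC username", ev)
        if kind == "admin_created" and ev.get("cfgobj") in IOC_NEW_ACCOUNT_NAMES:
            fire("ioc", "IOC account name created", ev)
        # Group 2: critical administrator activity ("info" level: legitimate, but worth watching).
        if kind == "login":
            tripped = [rule for rule, hit in (("Login from new IP address", src not in KNOWN_ADMIN_IPS),
                                              ("Login via SSO", ev.get("method") == "sso"),
                                              ("Login from public IP address", bool(src) and is_public_ip(src))) if hit]
            for rule in tripped:
                fire("info", rule, ev)
            if tripped:
                last_suspicious_login[user] = ev["ts"]
        elif kind == "admin_created":
            fire("info", "Creation of a new administrator account", ev)
        elif kind == "config_export":
            fire("info", "Export of system configuration", ev)
        # Group 3: suspicious activity, a follow-up action shortly after a suspicious login by the same user.
        if kind in ("admin_created", "config_export") and user in last_suspicious_login:
            if timedelta(0) <= ev["ts"] - last_suspicious_login[user] <= CORRELATION_WINDOW:
                fire("alert", "Config export or account creation after suspicious login", ev)
    return alerts

def summarize(alerts):
    """Count the alerts per level ('ioc', 'info', 'alert')."""
    return dict(Counter(a["level"] for a in alerts))

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f'{a["ts"]} [{a["level"]:5}] {a["rule"]}: user={a["user"]} src={a["src"]}')
    print(summarize(detect(SAMPLE_LOGS)))
```

	Run against the constructed sample, the SSO session raises five hits (two IOC matches and three "info" login rules), the account creation and the configuration export that follow each raise an "info" event plus the correlated "alert", and the later account creation by the known administrator raises only an "info" event. That last hit is exactly the kind of legitimate activity the notes below say to suppress with exceptions, while the IOC and "alert" hits stay exception-free.<br>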
	<br>
	<b>Important Notes:</b><br>
	Rules marked "info" may generate false positives: the actions they detect are legitimate administrative operations, but they are critical to monitor in the context of this attack. To reduce false positives, add exceptions for legitimate administrative activity, such as known administrator IP addresses or accounts.<br>
	Rules marked IOC (Indicators of Compromise) may be updated with new indicators as new attack reports become available.<br>
	Additionally, this set of rules should also be used for retrospective analysis (threat hunting), with a recommended analysis period starting from December 2025.<br>
	<br>
	<b>Requirements</b><br>
	To ensure the correct functioning of the detection rules, it is essential to:
	<ul>
		<li>Verify that all necessary events from Fortinet devices (administrator logins, administrator account changes, and configuration exports) are being received and correctly normalized.</li>
		<li>Ensure that the "keep extra fields" option is enabled, as the extra fields contain additional information necessary for investigation.</li>
	</ul>
	</p>

</body>
</html>