{"ID":"76c7d8f8-c1b4-cced-4769-2fd4d9c3f3bc","Version":1,"CreatedAt":1770281516239,"Description":"[OOTB] FortiCloud SSO abuse package - ENG\n\u003chtml lang=\"en\"\u003e\n\u003cbody\u003e\n  \n\t\u003cp\u003e\n\tIn December 2026, two vulnerabilities (CVE-2025-59718 and CVE-2025-59719) were discovered in FortiCloud single sign-on (SSO) that allow an attacker to bypass the authentication mechanism. These vulnerabilities enable an attacker to authenticate via SSO using a specially crafted SAML packet sent to FortiOS, FortiWeb, FortiProxy, or FortiSwitch Manager. The bypass works only when the SSO feature is enabled on the device. Additionally, in January 2026 one more vulnerability, CVE-2026-24858, was discovered that allows access to FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb to be gained using FortiCloud accounts.\u003cbr\u003e\n\tIn response to these attacks, we have developed a set of detection rules to help identify potential exploitation attempts and take proactive measures to protect systems.\u003cbr\u003e\n\tThis package contains rules that can be categorized into three groups:\n\t\u003cul\u003e\n\t\t\u003cli\u003eIOC monitoring:\n\t\t\t\u003cul\u003e\n\t\t\t\t\u003cli\u003eSource IP address\u003c/li\u003e\n\t\t\t\t\u003cli\u003eUsername\u003c/li\u003e\n\t\t\t\t\u003cli\u003eCreation of a new account with a specific name\u003c/li\u003e\n\t\t\t\u003c/ul\u003e\n\t\t\u003c/li\u003e\n\t\t\u003cli\u003eCritical administrator activity:\n\t\t\t\u003cul\u003e\n\t\t\t\t\u003cli\u003eLogin from a new IP address\u003c/li\u003e\n\t\t\t\t\u003cli\u003eCreation of a new administrator account\u003c/li\u003e\n\t\t\t\t\u003cli\u003eLogin via SSO\u003c/li\u003e\n\t\t\t\t\u003cli\u003eLogin from a public IP address\u003c/li\u003e\n\t\t\t\t\u003cli\u003eExport of system configuration\u003c/li\u003e\n\t\t\t\u003c/ul\u003e\n\t\t\u003c/li\u003e\n\t\t\u003cli\u003eSuspicious activity:\n\t\t\t\u003cul\u003e\n\t\t\t\t\u003cli\u003eExport of configuration or creation of an account immediately after a suspicious login\u003c/li\u003e\n\t\t\t\u003c/ul\u003e\n\t\t\u003c/li\u003e\n\t\u003c/ul\u003e\n\t\u003cbr\u003e\n\t\u003cb\u003eImportant Notes:\u003c/b\u003e\u003cbr\u003e\n\tRules marked with \"info\" may generate false positives, as the actions they detect are legitimate but critical to monitor for this attack. To reduce false positives, exceptions should be added for legitimate administrative activity, such as known administrator IP addresses or accounts.\u003cbr\u003e\n\tRules marked with IOC (Indicators of Compromise) may be updated as new attack reports become available.\u003cbr\u003e\n\tAdditionally, this set of rules should also be used for retrospective analysis (threat hunting), with a recommended analysis period starting from December 2025.\u003cbr\u003e\n\t\u003cbr\u003e\n\t\u003cb\u003eRequirements\u003c/b\u003e\u003cbr\u003e\n\tTo ensure the correct functioning of the detection rules, it is essential to:\n\t\u003cul\u003e\n\t\t\u003cli\u003eVerify that all necessary events from Fortinet devices are being received and correctly normalized.\u003c/li\u003e\n\t\t\u003cli\u003eEnsure that the \"keep extra fields\" option is enabled, as the extra fields contain additional information necessary for investigation.\u003c/li\u003e\n\t\u003c/ul\u003e\n\t\u003c/p\u003e\n\n\u003c/body\u003e\n\u003c/html\u003e","Language":"en","ResourceIDs":["1e9db3b8-b15f-45a2-b121-5b394fc5f7d9","649b3dcb-8ced-496b-b927-0a3ab402fcda","ead129bd-db4d-4a99-bb7d-b9bafae3ff69","09b68cce-8f2b-43ec-8dbc-6cd4a1b20439","6474b33a-3cfc-4731-8fed-d88210b6a97d","67c6ea4f-8d80-4a98-9fe7-b13feb5b6123","78465d1d-6b75-4460-9808-5959229901c4","bc213efa-eb38-4495-a142-cd3320aad89c","e454bd09-e9e9-4527-a083-499b1d4cb4f0","fa697fea-2878-4df0-a38f-1a36f4753b79"],"Emergency":false}