惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Project Zero
Project Zero
Martin Fowler
Martin Fowler
人人都是产品经理
人人都是产品经理
C
Check Point Blog
S
SegmentFault 最新的问题
腾讯CDC
IT之家
IT之家
Jina AI
Jina AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
B
Blog RSS Feed
博客园 - Franky
V
Visual Studio Blog
The Register - Security
The Register - Security
GbyAI
GbyAI
博客园 - 【当耐特】
Hugging Face - Blog
Hugging Face - Blog
U
Unit 42
Google DeepMind News
Google DeepMind News
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
云风的 BLOG
云风的 BLOG
博客园 - 三生石上(FineUI控件)
Schneier on Security
Schneier on Security
N
News and Events Feed by Topic
T
Troy Hunt's Blog
小众软件
小众软件
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
C
CERT Recently Published Vulnerability Notes
aimingoo的专栏
aimingoo的专栏
T
The Exploit Database - CXSecurity.com
Know Your Adversary
Know Your Adversary
G
GRAHAM CLULEY
T
Tenable Blog
P
Palo Alto Networks Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
S
Schneier on Security
Simon Willison's Weblog
Simon Willison's Weblog
H
Help Net Security
WordPress大学
WordPress大学
The Cloudflare Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
MongoDB | Blog
MongoDB | Blog
Forbes - Security
Forbes - Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
W
WeLiveSecurity
I
InfoQ
P
Privacy International News Feed

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
FortiGate SSO bug still exploitable despite December patch
Carly Page Carly Page · 2026-01-23 · via The Register - Security: CSO

CSO

Fix didn't quite do the job – attackers spotted logging in

Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date.

In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor's earlier fix.

The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.

Arctic Wolf said the campaign kicked off around January 15, with attackers spinning up VPN-enabled accounts and ripping out firewall configuration files in a matter of seconds – behavior strongly suggesting automation rather than careful, hands-on-keyboard work. The security firm added that the activity closely mirrors incidents it observed back in December, in the wake of Fortinet's disclosure of the supposedly patched SSO authentication bypass flaw.

"Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue," said Fortinet chief information security officer Carl Windsor.

"However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path."

"Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence," Windsor said. "An advisory will be issued as the fix scope and timeline is available."

While exploitation has so far only been observed via FortiCloud SSO, Windsor warned that the underlying weakness is not limited to that service.

"It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations." That's not the sort of detail likely to calm anyone responsible for keeping these boxes locked down.

Fortinet has not yet published technical details of the alternate attack path, though the company says investigations are ongoing. In the meantime, it has advised customers to review authentication logs for any unexpected login activity, restrict exposure of the management interface, and closely monitor changes to administrator accounts.

For now, Fortinet customers are left watching the logs and waiting for another fix — this time hoping it actually closes the door. ®