blog
27.01.2026 Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords
CERT.at gained access to a toolkit belonging to an unknown threat actor targeting the FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing, under TLP:CLEAR, key findings about the attacker's likely post-exploitation goals.
blog
22.01.2026 Look at FortiCloud SSO Bypass Exploitation (CVE-2025-59718/59719)
In December last year, Fortinet disclosed a vulnerability in SAML processing that allowed a full authentication bypass on management interfaces with FortiCloud SSO enabled. According to new, still not officially confirmed reports, the vulnerability may not have been fully patched. As affected devices are represented in my small high-interaction honeypot network, we have an opportunity to take a look at what the attackers do.