In December 2025, Casmer Labs observed the disclosure of critical authentication bypass vulnerabilities in Fortinet's FortiGate firewalls, CVE-2025-59718 and CVE-2025-59719. In late January, however, Casmer Labs began tracking a campaign that bypasses the original patches Fortinet pushed to remediate those vulnerabilities.
How It Works
The two vulnerabilities are weaknesses in the cryptographic verification of SAML 2.0 assertions. In a standard flow, the identity provider (IdP) signs an XML assertion, and the service provider (here, the FortiGate) verifies that signature before trusting the assertion's contents. The CWE-347 classification (Improper Verification of Cryptographic Signature) indicates that FortiOS fails to correctly bind the signature to the data it is supposed to validate.
The initial patch, released in December 2025, appears to have applied a superficial filter (such as a regex check) instead of fixing the underlying XML parsing logic. As a result, the current patch bypass likely relies on XML Signature Wrapping: the attacker manipulates the XML structure so that an injected assertion survives the cryptographic check and still tricks the authorization logic into granting super_admin access.
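The defender-side invariant that XML Signature Wrapping violates is that the assertion the service provider acts on must be the exact element the signature's Reference URI covers, and there must be only one candidate. The structural pre-check below is an added example written for this article; it is not Fortinet code and does not describe the actual FortiOS logic. It assumes a SAML 2.0 Response with an enveloped signature and leaves the cryptographic verification itself (canonicalisation, digest, key check) to a proper library; the point is that this check runs before the verifier is even asked. Both sample responses are constructed.

```python
"""Structural pre-check for a SAML 2.0 Response before signature verification.

Added example, not FortiOS code. It enforces three things a wrapping payload
has to break: exactly one Assertion in the document, a Signature enveloped in
that Assertion whose single Reference URI points at the Assertion's own ID,
and no other element in the document reusing that ID.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def select_signed_assertion(response_xml: str):
    """Return (ok, reason, assertion). ok is False whenever the structure is ambiguous."""
    root = ET.fromstring(response_xml)
    # Look at every Assertion anywhere in the tree, not just the first one found.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        return False, f"expected exactly one Assertion, found {len(assertions)}", None
    assertion = assertions[0]
    # The enveloped Signature must be a direct child of the Assertion it covers.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return False, "Assertion is not signed", None
    refs = sig.findall(".//ds:Reference", NS)
    if len(refs) != 1:
        return False, f"expected exactly one Reference, found {len(refs)}", None
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or uri[1:] != assertion.get("ID"):
        return False, f"Reference URI {uri!r} does not point at the consumed Assertion", None
    # ID values must be unique; a second element carrying the same ID is a red flag.
    same_id = [e for e in root.iter() if e.get("ID") == assertion.get("ID")]
    if len(same_id) != 1:
        return False, "duplicate ID attribute in document", None
    return True, "ok", assertion


# Constructed sample: a well-formed response with a single signed Assertion.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a second, unsigned Assertion has been added to the same response.
# A consumer that picks "the first Assertion" or "the Assertion with the admin subject"
# would act on an element the signature never covered; this check refuses the document.
WRAPPED_RESPONSE = GOOD_RESPONSE.replace(
    "</samlp:Response>",
    '  <saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID>'
    "</saml:Subject></saml:Assertion>\n</samlp:Response>",
)

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        ok, reason, _ = select_signed_assertion(doc)
        print(f"{label}: ok={ok} reason={reason}")
```

Once this returns an assertion, the signature library must be handed that exact element, not a fresh lookup by tag name or ID; otherwise the check and the consumer can still disagree about which element was signed.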
Casmer Labs has been tracking the main threat actor using these patch bypasses, the "Cloud-Init" group. Some aspects of note are:
- The attacker uses account names such as cloud-init@mail.io and cloud-noc@mail.io to blend in with legitimate DevOps traffic
- The group has shifted from standard hosting providers to hiding behind CloudFlare IPs
- Estimates suggest that over 30,000 instances have been exposed to date, the majority of them "patched" but still vulnerable
The primary objective we are seeing is the exfiltration of fortigate.conf, which can contain hashed local passwords, VPN pre-shared keys, and service account credentials for LDAP/AD. Once this file is obtained, attackers have what they need for persistent access and no longer need to use the vulnerability itself.
The Downstream Risk
While this is not a vulnerability in Amazon S3 or any of its protocols, the persistent FortiGate vulnerability presents a second-order threat to data stored in the cloud. Many organizations use FortiGate appliances to manage traffic to and from cloud storage resources, or worse, store AWS access keys and secrets inside the appliance configuration (fortigate.conf), so those credentials are at risk of being stolen along with the file.
If an attacker gains full administrative control of a FortiGate via this bypass, those keys and secrets could be used to access, reconfigure, or exfiltrate data from cloud storage resources such as Amazon S3.
Prevention Methods and IOCs
Since versions 7.4.9 and 7.2.12 are still vulnerable, applying the latest patch alone is currently an insufficient fix. Casmer Labs recommends the following immediate actions:
- Disable FortiCloud SSO
- Monitor for the following IOCs:
  - SSO logins
  - IP addresses
    - 104[.]28.244.115
    - 104[.]28.212.114
    - 37[.]1.209.19
    - 217[.]119.139.50
  - Example log demonstrating a malicious login event:
    date=<date> time=<time> devname="FGT60FXXXXXXX" devid="FGT60FXXXXXXX" eventtime=<eventtime> tz="<timezone>" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="FGT60FXXXXXXX" user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 dstip=<management IP> action="login" status="success" reason="none" profile="super_admin" msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.115)"
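The log line above is a standard FortiGate key=value event, so the IOC check can be automated against a syslog feed. The script below is an added example written for this article (not Casmer Labs or Fortinet tooling): it parses FortiGate admin-login events and flags the three signals the article calls out, a user name from the Cloud-Init list, a source IP from the published IOC list, and any successful SSO login that lands in the super_admin profile. The IOC values are the ones on this page with the defanging brackets removed; the two sample log lines are constructed, with the placeholders in the article's example replaced by made-up timestamps and a documentation-range management IP.

```python
"""Flag FortiGate admin-login events that match the IOCs published above.

Added example, not vendor tooling. Assumes the standard FortiOS key=value
syslog format in which string values are double-quoted and the admin login
event carries logid 0100032001 and action="login".
"""
import re

# IOCs from the article (defanged there with [.]; plain dotted form here for matching).
IOC_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
IOC_USERS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
ADMIN_LOGIN_LOGID = "0100032001"

# key="quoted value with spaces" or key=bareword
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Turn one FortiGate syslog line into a dict of field -> value (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def assess_login(line: str) -> list:
    """Return a list of findings for an admin-login event; empty means nothing matched."""
    f = parse_fortigate_log(line)
    findings = []
    if f.get("logid") != ADMIN_LOGIN_LOGID or f.get("action") != "login":
        return findings  # not an admin login event, nothing to assess
    if f.get("user") in IOC_USERS:
        findings.append(f"user matches IOC: {f['user']}")
    if f.get("srcip") in IOC_IPS:
        findings.append(f"srcip matches IOC: {f['srcip']}")
    if f.get("method") == "sso" and f.get("profile") == "super_admin" and f.get("status") == "success":
        findings.append("successful SSO login with super_admin profile")
    return findings


# Constructed sample: the article's example event with its placeholders filled in.
MALICIOUS_LINE = (
    'date=2026-01-29 time=03:14:07 devname="FGT60FXXXXXXX" devid="FGT60FXXXXXXX" '
    'eventtime=1769656447 tz="+0000" logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" sn="FGT60FXXXXXXX" '
    'user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 '
    'dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.115)"'
)

# Constructed sample: an ordinary local admin login over HTTPS from an internal host.
BENIGN_LINE = (
    'date=2026-01-29 time=08:00:01 devname="FGT60FXXXXXXX" devid="FGT60FXXXXXXX" '
    'eventtime=1769673601 tz="+0000" logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" sn="FGT60FXXXXXXX" '
    'user="admin" ui="https(192.0.2.50)" method="https" srcip=192.0.2.50 dstip=192.0.2.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(192.0.2.50)"'
)

if __name__ == "__main__":
    for label, line in (("malicious", MALICIOUS_LINE), ("benign", BENIGN_LINE)):
        print(label, assess_login(line) or ["no findings"])
```

The third rule fires on every successful SSO super_admin login, not only IOC hits, which is deliberate: the article's guidance is to disable FortiCloud SSO, so after that change any such event is itself worth a ticket, and the rule keeps working when the group rotates IPs and account names.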
Casmer Labs will continue to monitor this campaign and update the article as Fortinet releases verified fixes for this bypass.