When Fully Patched Isn't Enough: The Fortinet SSO Bypass That's Keeping Us All Awake
I’ll be honest – when I saw the headlines about Fortinet confirming active exploitation on fully patched FortiGate firewalls, my stomach dropped a little. We’ve all been there: you patch everything, check your compliance dashboards, and feel that brief moment of security satisfaction. Then reality comes knocking with news like this.
The Patch That Wasn’t Enough
Here’s what we know so far. Fortinet has confirmed they’re dealing with a FortiCloud SSO authentication bypass vulnerability that’s being actively exploited, even on devices running the latest firmware. The really unsettling part? They’ve identified multiple cases where attacks succeeded on fully upgraded devices, suggesting we’re looking at either a new variant or something that slipped through their initial fix.
This hits close to home because FortiGate firewalls are everywhere in enterprise environments. I can think of at least a dozen clients running these devices as their primary perimeter defense. The fact that attackers are bypassing SSO authentication means they could potentially gain administrative access to these critical security appliances.
What’s particularly concerning is the timing. When vendors say they’ve “identified cases in the last 24 hours,” it usually means the problem is bigger than initially thought. My guess? We’re going to see more details emerge over the next few days as Fortinet works through their incident response.
Supply Chain Concerns Keep Multiplying
Speaking of things that make you lose sleep, we’re seeing supply chain security concerns pop up in some unexpected places. Take the situation unfolding in Australia, where the government is reviewing Chinese-manufactured electric buses deployed across the country and Europe. These buses have vulnerabilities that cybercriminals could exploit, plus remote connectivity features that have officials worried about potential state-level access.
This might seem like it’s outside our usual scope, but think about it – these buses are connected devices operating in critical infrastructure environments. They’re collecting location data, potentially interfacing with traffic management systems, and running software that could serve as a foothold for broader attacks. It’s another reminder that our attack surface extends far beyond traditional IT assets.
The geopolitical angle here is worth noting too. Europe is increasingly concerned about overreliance on US cybersecurity companies, and recent political tensions aren’t helping build trust. As security professionals, we need to think about how these broader political dynamics affect our technology choices and risk assessments.
PyPI Package Poisoning Gets Personal
On the software supply chain front, we’ve got another malicious PyPI package making rounds. This one’s called “sympy-dev” and it’s impersonating the legitimate SymPy mathematics library. The attackers copied the project description word-for-word to trick developers into installing their cryptocurrency miner.
What makes this particularly sneaky is the naming convention. Developers often look for development versions of packages, so “sympy-dev” seems plausible enough to slip past a quick review. Once installed on Linux hosts, it deploys XMRig miners and potentially other payloads.
This is exactly why we need better package verification processes in our development pipelines. I’ve been pushing teams to implement package signing verification and use private repositories with approved packages whenever possible. It’s extra work upfront, but incidents like this prove it’s worth the investment.
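As an added illustration of the approved-package check described above (example code written for this post, not a tool from PyPI, SymPy or any project named here), this script classifies each line of a requirements file against a constructed allowlist and flags names that imitate an approved package, either by bolting on an affix such as "-dev" or by a one-character typo. The allowlist and affix list are assumptions for the example.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Constructed allowlist standing in for a private index of approved packages.
APPROVED: Set[str] = {"sympy", "numpy", "requests"}
# Affixes that make a lookalike read as a "development" or language-specific variant.
SUFFIXES = ("-dev", "-devel", "-nightly", "-py", "-python")
PREFIXES = ("python-", "py-")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to catch a single-character typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, approved: Set[str] = APPROVED) -> Optional[str]:
    """Return the approved name this unapproved name imitates, or None."""
    bases = [name[: -len(s)] for s in SUFFIXES if name.endswith(s)]
    bases += [name[len(p):] for p in PREFIXES if name.startswith(p)]
    for base in bases:
        if base in approved:
            return base
    for good in approved:
        if edit_distance(name, good) == 1:
            return good
    return None


def check_requirements(lines: Iterable[str], approved: Set[str] = APPROVED) -> Dict[str, str]:
    """Classify each requirement line as approved, a lookalike, or simply unapproved."""
    verdicts: Dict[str, str] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = normalize(re.split(r"[=<>!~\[;@ ]", line, 1)[0])
        if name in approved:
            verdicts[name] = "approved"
        else:
            near = lookalike_of(name, approved)
            verdicts[name] = f"lookalike of {near}" if near else "not approved"
    return verdicts
```

Run it as a pre-install gate in CI: anything other than "approved" blocks the build until someone vets the package or adds it to the private index.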
AI Agents: The New Browser Security Nightmare
Here’s something that caught my attention from a different angle entirely. Security researchers are raising concerns about how AI agents are undermining decades of browser security improvements. Agentic browsers are essentially undoing all the careful work browser companies have done to strengthen security.
Think about it – we’ve spent years building sandboxing, same-origin policies, and content security protections. Now we’re introducing AI agents that need broader access to function effectively. It’s like we’re voluntarily poking holes in our own security model.
This isn’t theoretical either. As AI agents become more common in enterprise environments, we’re going to need new approaches to manage the risks they introduce. Traditional browser security assumes a human user making conscious decisions about what sites to visit and what actions to take. AI agents operate differently, potentially visiting thousands of sites and processing content at scale.
What This Means for Us
Looking at these stories together, I see a few common themes that should influence how we approach security planning:
First, the Fortinet situation reinforces that we can’t treat patching as a one-and-done activity. We need better monitoring for signs of compromise, even on supposedly up-to-date systems. If you’re running FortiGate devices, now’s a good time to review your authentication logs and look for anomalies.
Second, supply chain security isn’t just about software anymore. We need to think holistically about all the connected devices and services in our environment, including things that might not traditionally fall under IT security oversight.
Finally, as we adopt new technologies like AI agents, we need to be intentional about understanding the security trade-offs we’re making. The convenience and capability gains are real, but so are the risks.
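To make the FortiGate log review suggested above concrete, here is an added example (written for this post, not Fortinet code) that parses key=value event-log lines and flags successful admin logins from outside a management network or by an account that should not exist. The sample lines are constructed, the field names are an assumption modelled on FortiGate's key=value event-log style, and since the post gives no indicators for the SSO bypass itself, the checks are the generic baseline any admin-login review starts from.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample lines; field names are assumed, modelled on the FortiGate key=value style.
SAMPLE_LOG = """\
date=2025-01-10 time=08:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.5.20)" srcip=10.0.5.20 action="login" status="success"
date=2025-01-10 time=08:15:43 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="success"
date=2025-01-10 time=08:16:02 type="event" subtype="system" logdesc="Admin login failed" user="root" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="failed"
date=2025-01-10 time=08:20:09 type="event" subtype="system" logdesc="Admin login successful" user="svc-backup" ui="https(10.0.5.21)" srcip=10.0.5.21 action="login" status="success"
"""

MGMT_NETS = [ip_network("10.0.5.0/24")]   # assumed: where admin sessions are expected to originate
KNOWN_ADMINS = {"admin", "netops"}         # assumed: the admin accounts that should exist

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def review_logins(log_text: str) -> List[Dict[str, str]]:
    """Return successful admin logins that break the expected management pattern."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue  # failed attempts are noise here; a success is what needs explaining
        reasons = []
        src = ip_address(rec["srcip"])
        if not any(src in net for net in MGMT_NETS):
            reasons.append("source outside management network")
        if rec.get("user") not in KNOWN_ADMINS:
            reasons.append("unrecognised admin account")
        if reasons:
            findings.append({"time": f'{rec["date"]} {rec["time"]}', "user": rec["user"],
                             "srcip": rec["srcip"], "reason": "; ".join(reasons)})
    return findings
```

Each finding is a session to account for by hand; an admin login you cannot tie to a known person and a known management host is the anomaly the post is telling you to look for.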
The security landscape keeps evolving, and sometimes it feels like we’re playing whack-a-mole with new attack vectors. But that’s exactly why we do this work – someone needs to stay on top of these emerging threats and help organizations navigate them safely.
Sources
- Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
- Risky Chinese Electric Buses Spark Aussie Gov’t Review
- Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts
- AI Agents Undermine Progress in Browser Security
- From a Whisper to a Scream: Europe Frets About Overreliance on US Tech