ciso brief

All news with #saml misconfiguration tag

14 articles

Cisco issues critical Webex and ISE vulnerability fixes

⚠️ Administrators using Cisco Webex Services with SSO integrated via Control Hub must upload a new identity provider (IdP) SAML certificate to remediate a critical impersonation vulnerability (CVE-2026-20184). Cisco has patched the cloud-side service, but affected customers must perform the configuration change in Control Hub; there are no workarounds. Cisco also released critical fixes for ISE and ISE-PIC addressing remote code execution and path traversal flaws that require patching and credential hygiene.

Cisco patches critical Webex SSO flaw; action required

🔒 Cisco released updates addressing four critical vulnerabilities, including an improper certificate validation bug in the Webex Services SSO integration (CVE-2026-20184) that could enable user impersonation via crafted tokens. While Cisco patched the service-side defect, customers using SSO must upload a new SAML certificate for their IdP into Control Hub to avoid service interruptions. The company also fixed three critical ISE flaws that require administrative credentials to exploit.

Critical Citrix NetScaler SAML IDP Memory Leak Exploit

⚠️ A critical out-of-bounds read vulnerability (CVE-2026-3055), disclosed by Citrix on March 23, is being actively exploited against NetScaler ADC and NetScaler Gateway appliances configured as SAML Identity Providers. The flaw (CVSS v4.0 9.3) allows unauthenticated attackers to leak memory contents via crafted SAMLRequest payloads. Citrix and security researchers urge immediate patching to the listed firmware releases and recommend checking NetScaler configurations for SAML IDP profiles.

Active Recon Targets Citrix NetScaler SAML IDP Flaw

🔍 A critical input-validation flaw in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, CVSS 9.3) is being actively probed in the wild, security firms Defused Cyber and watchTowr report. The bug can cause memory overread and may leak sensitive data when appliances are configured as a SAML Identity Provider. Attackers are enumerating auth methods via /cgi/GetAuthMethods to identify vulnerable SAML IDP setups. Organizations should apply vendor patches immediately.

Critical Citrix NetScaler Memory Leak: CVE-2026-3055

🔔 A new critical out-of-bounds read vulnerability, CVE-2026-3055, affects customer-managed Citrix NetScaler ADC and NetScaler Gateway appliances configured as SAML IDPs and is rated 9.3 on the CVSS scale. The flaw allows unauthenticated remote attackers to leak potentially sensitive memory from the appliance, risking exposure of credentials and secrets. Citrix is urging immediate installation of updated builds, and defenders should reduce public exposure and prioritize patching.

Citrix urges urgent patching for NetScaler ADC and Gateway

⚠️ Citrix has released patches for two NetScaler vulnerabilities, including a critical memory overread (CVE-2026-3055) that affects appliances configured as SAML identity providers and can expose session tokens. The vendor also fixed CVE-2026-4368, a race-condition flaw on Gateway and AAA configurations that may cause user session mix-ups. Citrix strongly urges administrators to install the specified updates immediately and offers guidance to locate and remediate affected instances.

Fortinet confirms new zero-day targeting SAML SSO on devices

🔒 Fortinet has confirmed a new attack campaign that exploits an unpatched zero-day vulnerability to bypass authentication across SAML SSO implementations, including FortiCloud SSO. The activity, observed in mid-January, involves extraction of firewall configurations and creation of administrative and VPN-capable accounts. Fortinet is working on a fix and recommends updating to the latest releases, restoring clean backups, rotating all credentials, disabling FortiCloud SSO administrative logins, and restricting administrative access to trusted subnets.

Fortinet: Active FortiCloud SSO Bypass on Patched FortiGate

🔒 Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass affecting fully patched FortiGate firewalls. The vendor said attackers exploited a new attack path that can circumvent patches addressing CVE-2025-59718 and CVE-2025-59719 by using crafted SAML messages when FortiCloud SSO is enabled. Observed activity includes creation of generic admin accounts, configuration changes to enable VPN access, and configuration exfiltration. Fortinet recommends restricting internet-facing administrative access and disabling the admin-forticloud-sso-login feature while a full remediation is finalized.

FortiOS Single Sign-On Abuse: Incident Analysis and Guidance

🔒 Fortinet issued an advisory describing two FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) discovered during an internal code audit. The flaws allowed crafted SAML assertions to bypass authentication on FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager when FortiCloud SSO was enabled. Recent reports show active exploitation, including instances against fully patched devices, indicating a new attack path. Fortinet advises monitoring IOCs, restricting administrative access, disabling FortiCloud SSO as a workaround, and treating affected systems as compromised.

Automated Attacks Target Fortinet FortiGate SSO Configurations

🔒 Arctic Wolf warns of a new cluster of automated malicious activity that began on January 15, 2026, involving unauthorized configuration changes to Fortinet FortiGate devices. Attackers exploited SAML-related weaknesses (CVE-2025-59718, CVE-2025-59719) to bypass FortiCloud SSO, create generic admin accounts such as cloud-init@mail.io and names like secadmin or itadmin, and export firewall configurations to external IPs. Administrators are advised to disable the admin-forticloud-sso-login setting until mitigations are confirmed.

Hackers Exploit Fortinet FortiCloud SSO Auth Bypass

🔒 Researchers report active exploitation of two critical FortiCloud SSO authentication bypasses (CVE-2025-59718, CVE-2025-59719) that can grant unauthenticated admin access to multiple Fortinet products. The flaws stem from improper verification of SAML cryptographic signatures, enabling forged assertions to bypass login controls. Attacks observed from December 12 targeted admin accounts and led to exfiltration of system configuration files. Administrators should disable FortiCloud SSO if unable to upgrade and apply vendor patches immediately.

Active Attacks Exploit Fortinet FortiGate SSO Flaws

🔒 Arctic Wolf observed active intrusions on December 12, 2025, exploiting two critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The flaws, both scored 9.8, permit unauthenticated bypass of SSO login via crafted SAML messages when FortiCloud SSO is enabled; Fortinet published patches for FortiOS, FortiWeb, FortiProxy and FortiSwitchManager last week. Attackers used hosting IPs tied to providers such as The Constant Company llc, Bl Networks and Kaopu Cloud Hk Limited to log in as "admin" and export device configurations. Organizations should apply updates immediately, disable FortiCloud SSO until systems are patched, restrict management access and assume compromise if IoCs are present.

SAML Authentication Under New XML Parsing Flaws Exposed

🔓 Researchers revealed new XML-parsing exploits that severely weaken SAML-based SSO, demonstrating full authentication bypass against popular Ruby and PHP SAML libraries. PortSwigger researcher Zak Fedotkin presented these techniques at Black Hat Europe and published an open-source toolkit to identify and reproduce affected deployments. The work highlights attack vectors such as attribute pollution, namespace confusion, and a new class of void canonicalization that can circumvent XML signature validation. While fixes (including updates to Ruby-SAML) have been released, Fedotkin warns that only a foundational rework of SAML libraries will eliminate these systemic weaknesses.

Fortinet admins urged to patch FortiCloud SSO flaws

🔒 Fortinet has released patches for two critical cryptographic signature vulnerabilities, CVE-2025-59718 and CVE-2025-59719, that can allow an unauthenticated attacker to bypass FortiCloud SSO using a crafted SAML message on affected FortiOS, FortiWeb, FortiProxy and FortiSwitchManager devices. Administrators are advised to disable FortiCloud SSO immediately if it is enabled, apply vendor updates to non-vulnerable versions, and then re-enable SSO only after verifying the patches. Fortinet notes the feature is not enabled by factory default but can be activated during FortiCare registration; the company and responders recommend using the System -> Settings toggle or the CLI command sequence to disable the login until patched.