Fortinet has acknowledged that a December patch intended to fix a critical vulnerability in its FortiCloud single sign-on (SSO) system failed to fully resolve the issue. Despite applying the update, customers reported suspicious login attempts on their devices. Fortinet's latest advisory reveals that attackers are exploiting a new attack vector that affects SAML-based SSO in FortiOS, even on systems that were fully upgraded with the previous patch. Reports indicate that since around January 15, attackers have been manipulating FortiGate firewalls through compromised SSO accounts. They altered firewall settings, created unauthorized admin users, and extracted configuration files, suggesting the use of automated tools rather than manual infiltration. Fortinet’s Chief Information Security Officer, Carl Windsor, noted that the recent login activity closely mirrors earlier incidents linked to the same vulnerability. The company is currently investigating the new exploit and plans to issue a fix soon. While Fortinet has only observed exploitation through the FortiCloud SSO service, the underlying vulnerability could affect all implementations of SAML SSO. The lack of detailed technical information about this new attack path raises concerns for security professionals managing these systems. In the meantime, Fortinet advises customers to monitor authentication logs for unusual activity, limit access to management interfaces, and keep a close eye on any changes to admin accounts.