On January 21, 2026, Fortinet confirmed something that should alarm every security professional: attackers were successfully compromising FortiGate firewalls that had been fully patched against two critical SAML SSO bypass vulnerabilities disclosed just a month earlier. Versions 7.4.9 and 7.4.10, which were supposed to contain the fix, were being breached through what Fortinet acknowledged was "a new attack path."
The vulnerabilities, CVE-2025-59718 and CVE-2025-59719, both rated CVSS 9.8, allow an unauthenticated attacker to bypass single sign-on authentication with crafted SAML messages. No credentials required. A malicious SAML response is enough for an attacker to log in as an administrator of your firewall.
This isn't a hypothetical threat. Arctic Wolf began observing active intrusions on December 12, 2025. CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16, requiring federal agencies to patch by December 23. Attackers logged in using generic account names like "cloud-noc@mail.io" and "cloud-init@mail.io," created persistent backdoor accounts with names like "helpdesk" and "secadmin," modified VPN configurations, and exfiltrated firewall settings to external IP addresses.
And here's the part that should keep you up at night: Fortinet now acknowledges that "while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations."
Your perimeter, the very thing designed to keep attackers out, became the entry point.
When the Gate Becomes the Breach
The Fortinet incident is a textbook illustration of why perimeter-centric security is failing. The firewall, the literal definition of network perimeter defense, was the attack vector. The authentication system, designed to verify identity before granting access, was bypassed entirely.
This pattern isn't new. It's accelerating.
According to DeepStrike's analysis of 2025 breach statistics, stolen and misused credentials are now the primary path into networks and the driver of record-setting breach costs. The average cost of a data breach in the United States reached $10.22 million in 2025, a 9% increase, per IBM's 2025 Cost of a Data Breach Report. Identity has become the new perimeter, and as the Fortinet case demonstrates, identity systems themselves are under attack.
The 2025 Verizon Data Breach Investigations Report found that breaches involving third parties jumped to 30%, up from roughly 15% the year before. That's a doubling in a single year. When you're connected to everyone, through SSO federations, SAML integrations, OAuth tokens, and API connections, every one of those connections is a potential breach path.
I've written about this dynamic in The Invisible Attack Surface: Why Third-Party Data Sharing Is 2026's Biggest Security Risk, where I noted that 98% of organizations have a relationship with a third party that has been breached. The question isn't if you'll be affected but when.
The Patch Treadmill Doesn't Work
What makes the Fortinet situation especially instructive is the timeline. The vulnerabilities were disclosed in December 2025. Patches were released. Organizations applied them. And by January 2026, attackers had found a new path to exploit the same underlying flaw in "fully upgraded appliances."
This is the patch treadmill in action, and it's not a sustainable security model.
I explored this same pattern in MongoBleed: When a Single Line of Code Exposes 87,000 Servers. A seven-day window from public exploit to widespread exploitation. Seven days for organizations to patch every vulnerable instance. The organizations with the best security posture (managed services, automated updates, current versions) get protected automatically. The organizations with the weakest posture bear the full burden of response.
With Fortinet, even organizations that did everything right, who patched promptly, who followed vendor guidance, still got breached through an attack path the patch didn't address.
The World Economic Forum's Global Cybersecurity Outlook reports that 72% of respondents experienced increased cyber risks driven partly by supply chain complexity. Small organizations are particularly vulnerable, with 35% believing their cyber resilience is inadequate, a proportion that has increased sevenfold since 2022.
When your security model depends on perfect patching, perfect vendor response, and no zero-day attack paths, you're operating on hope, not defense.
What Attackers Actually Got
Let's be specific about what happens when a FortiGate firewall is compromised through this vulnerability.
Attackers gain administrative access to the firewall itself. From there, they can:
- Export device configurations containing stored credentials
- Create persistent backdoor accounts that survive password rotations
- Modify VPN configurations to enable unauthorized access
- Exfiltrate configuration data to external servers
- Pivot to internal network resources the firewall was designed to protect
The credentials stored in firewall configurations often include LDAP and Active Directory service accounts, VPN authentication credentials, and API keys for connected services. A single compromised firewall can cascade into domain-wide access.
This is the "blast radius" problem I discuss with enterprises regularly. When a perimeter device is compromised, it's not just that device; it's everything that device was protecting, and everything that device has credentials to access.
The Case for Field-Level Protection
Here's where I'm going to advocate for something I've been building toward in my work at Capital One Software: the shift from perimeter security to data-centric security, specifically field-level protection through tokenization.
The fundamental problem with perimeter security is that once the perimeter is breached, whether through a SAML bypass, a compromised credential, or any other attack vector, the data inside is fully exposed. All of it. In plaintext. Ready for exfiltration.
As Protegrity's analysis puts it: organizations that embrace data-centric security achieve a more resilient, adaptable, and regulation-ready security posture. By securing data at its source, you minimize the impact of potential breaches.
The key lesson from 2025 breaches, according to DeepStrike: "Mitigate these risks with data-centric encryption, so that even if stolen, it's unusable."
Field-level tokenization takes this to its logical conclusion. Instead of encrypting entire databases or file systems, which still depend on decryption keys that can be stolen along with the ciphertext, tokenization replaces each sensitive value with a format-preserving token at the field level. A Social Security number becomes a token that looks like a Social Security number but has no mathematical relationship to the real one; the only way back is a lookup in the tokenization system. That makes the token vault the new crown jewel, so it has to be isolated, access-controlled and audited far more tightly than the stores it protects.
The result: even if attackers breach your perimeter, export your configurations, access your databases, and exfiltrate your data, the sensitive fields contain tokens, not values. The crown jewels they steal are costume jewelry.
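Here is what that looks like in code. This is an added illustration, not code from the original post or from Capital One Software: a toy in-memory vault (a real one encrypts its mapping table and sits behind strict access control and audit logging), random format-preserving tokens, and a check of what an attacker who exfiltrates the application store actually obtains. The customer records are constructed sample data.

```python
import re
import secrets
import string

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Vault-based tokenization. Only the vault holds the token <-> value
    mapping; every other store is handed tokens. (In-memory dicts for this
    example; a production vault encrypts this table and gates access to it.)"""

    def __init__(self) -> None:
        self._value_of: dict[str, str] = {}   # token -> original value
        self._token_of: dict[str, str] = {}   # original value -> token

    @staticmethod
    def _random_same_shape(value: str) -> str:
        """Random string with the same shape as value: digits stay digits,
        letters stay letters of the same case, separators are kept. The token
        therefore passes the same format checks the original would."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the token for value, reusing an existing one so repeated
        tokenization stays consistent (joins across tables still work)."""
        if value in self._token_of:
            return self._token_of[value]
        while True:
            token = self._random_same_shape(value)
            # Must be unique, and must never accidentally equal the plaintext.
            if token != value and token not in self._value_of:
                break
        self._value_of[token] = value
        self._token_of[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the original; KeyError for tokens this vault never issued."""
        return self._value_of[token]


def protect_record(vault: TokenVault, record: dict, sensitive: set[str]) -> dict:
    """Tokenize only the named fields; everything else is stored as-is."""
    return {k: vault.tokenize(v) if k in sensitive else v for k, v in record.items()}


def plaintext_exposed(exfiltrated: list[dict], originals: set[str]) -> bool:
    """What the attacker actually got: True if any original value is present."""
    seen = {v for rec in exfiltrated for v in rec.values()}
    return any(o in seen for o in originals)


def demo() -> dict:
    vault = TokenVault()
    customers = [  # constructed sample data
        {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "card": "4111111111111111"},
        {"id": 2, "name": "B. Example", "ssn": "987-65-4321", "card": "5555555555554444"},
    ]
    sensitive = {"ssn", "card"}
    app_db = [protect_record(vault, c, sensitive) for c in customers]  # what the app stores

    originals = {c[k] for c in customers for k in sensitive}
    return {
        "stored_ssn_looks_valid": all(SSN_RE.match(r["ssn"]) for r in app_db),
        "plaintext_in_app_db": plaintext_exposed(app_db, originals),
        "vault_recovers": vault.detokenize(app_db[0]["ssn"]) == customers[0]["ssn"],
        "consistent": vault.tokenize(customers[0]["ssn"]) == app_db[0]["ssn"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `plaintext_exposed` is the blast-radius question: dump the application store and every sensitive field is a plausible-looking token. Whoever can call `detokenize` holds the real value, which is why the vault's access path, not the database's, is what you defend and monitor.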
Why This Matters for the Fortinet Case
Consider the Fortinet breach scenario through the lens of field-level protection.
Attackers bypass SAML SSO and gain administrative access to the firewall. They export device configurations. Those configurations contain credentials for LDAP, Active Directory, and connected services.
In a traditional architecture, those credentials are plaintext. The attackers now have everything they need to move laterally through the network.
In a tokenized architecture, those credential fields contain tokens. The tokens are format-correct (they look like passwords, they look like API keys) but they're semantically meaningless. The attackers have configuration files full of values that don't work. One honest caveat: a firewall that binds to LDAP has to hold a secret it can actually use, so on the device itself the practical equivalent is a narrowly scoped, short-lived service credential that is revoked the moment compromise is detected; tokenization does its real work in the data stores behind the firewall, which is where the attacker is trying to pivot.
Will they eventually figure out they've been tokenized? Probably. But you've bought time. You've contained the blast radius. The firewall breach doesn't automatically cascade into domain compromise.
This is the "costume jewelry" strategy I discussed in The Invisible Attack Surface: make the data that attackers can reach look real enough to be plausible, but ensure it's inherently worthless if exfiltrated.
Moving Beyond "Trust but Verify"
The Fortinet incident also exposes the limitations of the "Zero Trust" mantra of "never trust, always verify." When your verification system itself is compromised through a SAML bypass, verification becomes meaningless.
True Zero Trust requires assuming that any component can be compromised at any time. That includes:
- Your firewalls and perimeter devices
- Your identity providers and SSO systems
- Your cloud vendors and SaaS platforms
- Your internal applications and databases
When you assume breach at every layer, the only logical security model is one where the data itself is protected regardless of where it resides or who accesses it.
This aligns with what I've advocated in Building AI Systems That Enterprises Can Trust: protection that travels with the data, not protection that stops at a perimeter. The same principle that applies to AI data protection applies to enterprise security more broadly.
Practical Steps Forward
If you're running FortiGate appliances:
Immediately disable FortiCloud SSO (the admin-forticloud-sso-login setting under config system global in the FortiOS CLI) and restrict administrative access with local-in policies, keeping the management interface off the public internet wherever you can. This won't protect against all SAML SSO attack paths, but it closes the currently exploited vector.
Rotate all credentials stored in or accessible from your FortiGate configurations. Assume they've been exfiltrated. This includes LDAP bind accounts, VPN credentials, and any API keys or service accounts. Rotate them after the device is remediated, not before, or the new values simply end up in the attacker's next export.
Hunt for indicators of compromise. Look for admin accounts with names like "helpdesk," "secadmin," or "itadmin" that you didn't create, and for successful administrator logins under generic names like "cloud-noc@mail.io" or "cloud-init@mail.io." Check for unexplained configuration backups or exports, and for modifications to VPN settings made by accounts outside your known administrators.
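The hunt described in the three steps above, as an added example that is not part of the original post and not Fortinet tooling. It parses FortiGate-style key=value event log lines and applies four rules: a successful login under one of the generic names seen in these intrusions, creation of an admin object outside a known-admin allowlist (or carrying one of the backdoor name fragments), a VPN configuration change by a suspect account, and a configuration backup by anyone outside the allowlist. The sample lines are constructed for the example (documentation IP ranges, no logid values); the field names follow FortiOS's style (user, action, status, cfgpath, cfgobj, msg) but you should check them against your own device's output before relying on the rules. The known-admin allowlist is an assumption you supply.

```python
import re

# FortiGate event logs are key=value pairs; values containing spaces are quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Generic login names observed in the intrusions described above, and name
# fragments the attackers used for backdoor admin accounts. Extend as needed.
GENERIC_SSO_LOGINS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
BACKDOOR_NAME_HINTS = ("helpdesk", "secadmin", "itadmin")

# Constructed sample lines for this example, not captured device output.
SAMPLE_LOG = """\
date=2025-12-14 time=03:11:02 type="event" subtype="system" level="information" user="cloud-noc@mail.io" ui="https(203.0.113.10)" action="login" status="success" msg="Administrator cloud-noc@mail.io logged in successfully from https(203.0.113.10)"
date=2025-12-14 time=03:12:40 type="event" subtype="system" level="information" user="cloud-noc@mail.io" ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[super_admin]" msg="Add system.admin helpdesk"
date=2025-12-14 time=03:15:09 type="event" subtype="system" level="information" user="helpdesk" ui="https(203.0.113.10)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="vpn.ssl.settings" cfgattr="source-interface[port1]" msg="Edit vpn.ssl.settings"
date=2025-12-14 time=03:16:51 type="event" subtype="system" level="information" user="helpdesk" ui="https(203.0.113.10)" action="backup" msg="Configuration backup to external host"
date=2025-12-14 time=09:00:13 type="event" subtype="system" level="information" user="admin" ui="https(10.0.0.5)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2025-12-14 time=09:02:30 type="event" subtype="system" level="information" user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[review]" msg="Edit firewall.policy 12"
"""


def parse_fortigate_log(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    fields: dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def hunt(lines, known_admins: set[str]) -> list[tuple[str, str, str]]:
    """Walk the log in time order and return (rule, actor, line) findings.
    Any admin account created outside the allowlist becomes a suspect, so
    everything that account does afterwards is flagged as well."""
    suspects = set(GENERIC_SSO_LOGINS)
    findings: list[tuple[str, str, str]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "event":
            continue
        user, action = f.get("user", ""), f.get("action", "")
        cfgpath, cfgobj = f.get("cfgpath", ""), f.get("cfgobj", "")

        # 1. Successful admin login under a generic name nobody at your org created.
        if action == "login" and f.get("status") == "success" and user in GENERIC_SSO_LOGINS:
            findings.append(("generic-sso-login", user, line))

        # 2. New admin object not on the allowlist, or carrying a known backdoor name.
        if cfgpath == "system.admin" and action == "Add":
            if cfgobj not in known_admins or any(h in cfgobj.lower() for h in BACKDOOR_NAME_HINTS):
                suspects.add(cfgobj)
                findings.append(("unexpected-admin-created", cfgobj, line))

        # 3. VPN configuration touched by a suspect account.
        if cfgpath.startswith("vpn.") and action in ("Add", "Edit", "Delete") and user in suspects:
            findings.append(("vpn-config-change-by-suspect", user, line))

        # 4. Configuration backup/export by anyone outside the allowlist.
        if (action == "backup" or "backup" in f.get("msg", "").lower()) and user not in known_admins:
            findings.append(("config-export", user, line))
    return findings


if __name__ == "__main__":
    for rule, actor, line in hunt(SAMPLE_LOG.splitlines(), known_admins={"admin"}):
        print(f"[{rule}] {actor}: {line[:90]}")
```

Run against an export of your event logs with your real administrator list in `known_admins`. The stateful suspect set matters: the attacker logs in under a throwaway name, creates a plausible admin, and then does the real work as that admin, so rules that only match the initial generic login miss the VPN changes and the config export.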
Beyond the immediate incident response:
Inventory your perimeter exposure. How many of your security devices are directly accessible from the internet? Each one is an attack surface, not just a defense layer.
Evaluate tokenization for sensitive data stores. Start with the highest-value targets: credential stores, customer PII, financial data. Even partial tokenization shrinks the blast radius.
Assume your SSO will be bypassed. Design your architecture so that SSO compromise doesn't equal total compromise. Defense in depth means having layers beyond authentication.
The Uncomfortable Truth
The Fortinet SSO breach proves what security professionals have been warning about for years: perimeter security alone cannot protect modern enterprises. Firewalls get bypassed. Authentication systems get fooled. Patches get circumvented.
The organizations that will weather the next breach, and there will be a next breach, are those building data-centric security models today. Not as a replacement for perimeter security, but as the layer that matters when the perimeter inevitably fails.
It's not a question of if you'll be breached. It's a question of what attackers will find when they get inside. If the answer is "tokenized values they can't use," you've fundamentally changed the economics of the attack.
That's the security posture we should be building toward, one where breaching the perimeter is just the beginning of the attacker's problems, not the end of yours.