blog
18.02.2026 Lawful access to encrypted data: General Considerations
Last week, I wrote a blog post on why the problem of lawful access to encrypted data is so tricky. This week I want to continue with a discussion of the general considerations you should keep in mind when thinking about this topic.
blog
12.02.2026 Lawful access to encrypted data: why is this so hard to do?
An interesting train of thought turned out to be the question “We managed to give Law Enforcement (LE) wiretapping powers in old-style phone networks, but not in modern, Internet-based communication services. Why?”
I came up with the following reasons:
blog
27.01.2026 Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords
CERT.at gained access to a toolkit of an unknown threat actor targeting the FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing, under TLP:CLEAR, key findings about the likely post-exploitation goals of the attacker.
blog
22.01.2026 Look at FortiCloud SSO Bypass Exploitation (CVE-2025-59718/59719)
In December last year, Fortinet disclosed a vulnerability in SAML processing, which allowed full bypass of authentication to management interfaces with FortiCloud SSO enabled. According to new, still not officially confirmed reports, the vulnerability may not have been fully patched. As affected devices are represented in my small network of high-interaction honeypots, we have an opportunity to take a look at what the attackers do.