Full Report
Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public disclosure. Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025. The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719
Analysis Summary
# Vulnerability: Fortinet FortiGate Critical Authentication Bypass Exploiting SAML SSO
## CVE Details
- CVE ID: CVE-2025-59718, CVE-2025-59719 (Two critical authentication bypasses)
- CVSS Score: 9.8 (Critical)
## Affected Systems
- Products: FortiOS, FortiWeb, FortiProxy, FortiSwitchManager (All likely affected where the feature is enabled)
- Versions: Versions prior to the patch release (Specific versions not detailed in the source, refer to Fortinet advisory).
- Configurations: Vulnerable only if the **FortiCloud SSO feature is enabled** (This feature is automatically enabled during FortiCare registration unless explicitly disabled).
## Vulnerability Description
The vulnerabilities are two critical authentication bypass flaws that allow an unauthenticated attacker to bypass Single Sign-On (SSO) login protection. This is achieved by sending specifically crafted Security Assertion Markup Language (SAML) messages to the affected Fortinet devices, provided the FortiCloud SSO feature is enabled. Successful exploitation leads to unauthorized administrative access.
## Exploitation
- Status: **Exploited in the wild** (Active intrusions observed starting December 12, 2025, involving malicious SSO logins to the "admin" account).
- Complexity: Implied **Low** given the rapid exploitation following disclosure and the nature of authentication bypasses.
- Attack Vector: Network (Remote, Unauthenticated)
## Impact
- Confidentiality: High (Attackers were observed exporting device configurations).
- Integrity: High (Gaining administrative access allows modification of system settings).
- Availability: Medium/High (Modification or disruption of firewall/VPN services).
## Remediation
### Patches
- Apply patches released by Fortinet for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. (Specific version numbers are not provided; consult the official Fortinet advisory for confirmed fixed versions).
### Workarounds
1. **Disable FortiCloud SSO immediately** until systems are fully patched. This setting refers to "Allow administrative login using FortiCloud SSO."
2. **Limit access to management interfaces** (firewalls and VPNs) to only trusted internal users.
## Detection
- **Indicators of Compromise (IoCs):** Observed malicious SSO logins originating from IP addresses associated with hosting providers such as The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited, targeting the "admin" account.
- **Post-Exploitation IoC:** Attackers exported device configurations via the GUI to the attacker-controlled IP addresses listed above.
- **Detection Methods:** Monitor SSO authentication logs for suspicious login attempts, particularly external connections attempting administrative SSO access. If successful logins are noted from untrusted IPs, assume compromise.
- **Response to Compromise:** If IoCs are found, organizations are recommended to assume compromise and **reset all hashed firewall credentials** found within the exfiltrated configurations, as attackers may attempt to crack these offline.
## References
- Vendor advisories (Fortinet) - Check official Fortinet security bulletin for CVE-2025-59718 and CVE-2025-59719.
- Relevant links - defanged: t[h]e [h]ackernews [c]om/2025/12/fortinet-fortigate-under-active-attack [h]tml