Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass
Summary:
Threat actors have swiftly begun exploiting two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719 (CVSS score: 9.8), in Fortinet FortiGate, FortiWeb, FortiProxy, and FortiSwitchManager devices. Publicly disclosed and patched by Fortinet last week, the flaws allow an unauthenticated attacker to bypass Single Sign-On (SSO) login authentication on affected devices by crafting malicious SAML messages, provided the FortiCloud SSO feature is enabled. This feature, though disabled by default, is automatically enabled upon FortiCare registration unless explicitly deselected by an administrator.
Cybersecurity firm Arctic Wolf observed active exploitation starting on December 12, 2025. The observed malicious activity involved using IP addresses linked to specific hosting providers, such as The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited, to successfully perform SSO logins, primarily targeting the "admin" account, followed by the exfiltration of the device's configuration files via the Graphical User Interface (GUI). The primary risk post-exfiltration is the offline cracking of hashed credentials contained within the configuration files.
Security Officer Comments:
The speed with which CVE-2025-59718 and CVE-2025-59719 were picked up by attackers underlines the exposure of FortiGate and the other affected Fortinet products. The core risk is unauthenticated administrative access obtained through the FortiCloud SSO login feature, which many organizations enable without realizing it because FortiCare registration turns it on unless it is explicitly deselected. Attackers are using that access immediately to download the device configuration, which indicates their goal is to harvest the hashed credentials it contains for offline cracking; a cracked password survives the patch and can be reused for persistence and lateral movement. Treat this as an active, confirmed threat: install the fixed release now, and disable FortiCloud SSO login until it is installed. The attacker IP addresses observed at providers such as The Constant Company are low-fidelity, short-lived indicators; block them, but do not rely on them as the primary detection.
Suggested Corrections:
Upgrade to Latest Fixed Version
- Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of affected Fortinet products.
- Note: The following products are unaffected by the vulnerabilities: FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2.
Reset Firewall Credentials if Affected
- Although credentials are typically hashed in network appliance configurations, threat actors are known to crack hashes offline, especially if credentials are weak and susceptible to dictionary attacks.
- If you observe malicious activity similar to the malicious logs described in this security bulletin, assume that hashed firewall credentials stored in the exfiltrated configurations have been compromised, and reset those credentials as soon as possible.
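As an added example (not from the bulletin, Arctic Wolf, or Fortinet), the following Python correlates FortiOS-style admin event logs for the pattern described above: an admin login over the SSO UI from an IP outside your trusted management ranges, followed within a short window by a configuration backup from the same user and source. The field names (logdesc, user, ui, srcip, action, status) follow the common FortiOS key=value event-log layout but are assumptions here, and the log lines are constructed rather than captured.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed FortiOS-style event log lines (not real captures). Field names
# are assumed from the common FortiOS key=value layout; adjust to your logs.
SAMPLE_LOGS = [
    'date=2025-12-12 time=09:02:11 logdesc="Admin login successful" user="netops" '
    'ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success"',
    'date=2025-12-12 time=09:41:03 logdesc="Admin login successful" user="admin" '
    'ui="sso(203.0.113.45)" srcip=203.0.113.45 action="login" status="success"',
    'date=2025-12-12 time=09:41:57 logdesc="Config backup" user="admin" '
    'ui="sso(203.0.113.45)" srcip=203.0.113.45 action="backup-config" '
    'msg="User admin backed up the configuration"',
    'date=2025-12-12 time=10:15:00 logdesc="Admin login successful" user="admin" '
    'ui="sso(10.20.0.9)" srcip=10.20.0.9 action="login" status="success"',
]

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Split one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_trusted(ip, trusted_nets):
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_sso_exfil(lines, trusted_cidrs, window=timedelta(minutes=30)):
    """Return (finding, user, srcip, timestamp) tuples.

    'sso_login_untrusted'    - successful admin login over the SSO UI from an
                               IP outside trusted_cidrs
    'config_exfil_after_sso' - config backup by that same user/IP within
                               `window` of the untrusted SSO login
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    untrusted_sso = {}  # (user, srcip) -> time of the untrusted SSO login
    findings = []
    for line in lines:
        rec = parse_fortios_log(line)
        if "date" not in rec or "time" not in rec:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        user, src = rec.get("user", ""), rec.get("srcip", "")
        desc = rec.get("logdesc", "")
        if (desc == "Admin login successful" and rec.get("status") == "success"
                and rec.get("ui", "").startswith("sso")):
            if not is_trusted(src, trusted):
                untrusted_sso[(user, src)] = ts
                findings.append(("sso_login_untrusted", user, src, ts))
        elif desc == "Config backup":
            login_ts = untrusted_sso.get((user, src))
            if login_ts is not None and timedelta(0) <= ts - login_ts <= window:
                findings.append(("config_exfil_after_sso", user, src, ts))
    return findings


if __name__ == "__main__":
    for finding in find_sso_exfil(SAMPLE_LOGS, ["10.20.0.0/16"]):
        print(*finding)
```

On the constructed sample the script reports the untrusted SSO login by "admin" from 203.0.113.45 and the configuration backup 54 seconds later; the SSO login from inside 10.20.0.0/16 is not flagged. Any account that appears in a "config_exfil_after_sso" finding should be treated as compromised per the reset guidance above, and the whole configuration's secrets considered exposed.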
Limit Access to Management Interfaces of Firewall and VPN Appliances to Trusted Internal Users
- Threat actors commonly target management interfaces of firewalls and VPNs for mass exploitation, often relying on specialized search engines that facilitate identification of specific hardware configurations.
- In recent years, Arctic Wolf has observed multiple campaigns targeting management interfaces on firewalls and VPN gateways. Consider restricting all firewall management interface access to trusted internal networks as a security best practice across all firewall configurations, regardless of network appliance vendor.
Workaround
- Turn off the FortiCloud login feature (if enabled) temporarily until upgrading to a non-affected version. To turn off FortiCloud login, go to System -> Settings -> switch "Allow administrative login using FortiCloud SSO" to Off.
- Or enter the following commands in the CLI:
  config system global
      set admin-forticloud-sso-login disable
  end
- To confirm the setting on a device, run "show full-configuration system global | grep admin-forticloud-sso-login" from the CLI and check that it reports "disable".
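As a companion check, added here and not part of the bulletin or of Fortinet's own tooling, the following Python audits a FortiOS configuration backup (the same artefact the attackers download) for the workaround setting above, for admin accounts whose stored hashes would need resetting if that backup were exfiltrated, and for admin accounts with no trusthost restriction, which ties to the management-interface guidance. The configuration excerpt is constructed to follow the FortiOS config / edit / set / next / end layout and is not a real device export; the setting names (admin-forticloud-sso-login, trusthostN, password ENC ...) are the ones FortiOS uses, but verify them against your own backup.

```python
# Constructed FortiOS-style configuration backup (not a real device export).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2c0nstructedHashValueNotReal==
    next
    edit "netops"
        set trusthost1 10.20.0.0 255.255.0.0
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2an0therConstructedHashValue==
    next
end
"""


def parse_fortios_config(text):
    """Parse the FortiOS config/edit/set/next/end layout into
    {section: {entry: {key: value}}}. Settings made directly in a section
    (no 'edit') are stored under the entry name None. Nested 'config'
    blocks inside an 'edit' are handled by saving the enclosing entry."""
    tree = {}
    path = []          # nested 'config' section names
    entry_stack = []   # enclosing 'edit' names while inside nested configs
    entry = None       # current 'edit' name inside the section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = " ".join(path)
        if line.startswith("config "):
            entry_stack.append(entry)
            entry = None
            path.append(line[len("config "):])
            tree.setdefault(" ".join(path), {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            tree[section].setdefault(entry, {})
        elif line == "next":
            entry = None
        elif line == "end":
            path.pop()
            entry = entry_stack.pop()
        elif line.startswith(("set ", "unset ")):
            verb, _, rest = line.partition(" ")
            key, _, value = rest.partition(" ")
            tree[section].setdefault(entry, {})[key] = (
                value.strip('"') if verb == "set" else None)
    return tree


def audit_backup(text):
    """Report the FortiCloud SSO admin-login state and, for every admin
    account, whether a password hash is stored and which trusthosts apply."""
    cfg = parse_fortios_config(text)
    glob = cfg.get("system global", {}).get(None, {})
    report = {
        "forticloud_sso_login": glob.get("admin-forticloud-sso-login") == "enable",
        "admins": [],
    }
    for name, settings in cfg.get("system admin", {}).items():
        if name is None:
            continue
        trusthosts = [v for k, v in settings.items()
                      if k.startswith("trusthost") and v]
        report["admins"].append({
            "name": name,
            "profile": settings.get("accprofile"),
            "stored_hash": str(settings.get("password", "")).startswith("ENC "),
            "trusthosts": trusthosts,
        })
    return report


def findings(report):
    """Map the audit to the corrections in this bulletin."""
    out = []
    if report["forticloud_sso_login"]:
        out.append("admin-forticloud-sso-login is enabled: apply the workaround until patched")
    for a in report["admins"]:
        if a["stored_hash"]:
            out.append(f"{a['name']}: stored hash present, reset if this backup was exfiltrated")
        if not a["trusthosts"]:
            out.append(f"{a['name']}: no trusthost restriction, admin login accepted from any source")
    return out


if __name__ == "__main__":
    for line in findings(audit_backup(SAMPLE_CONFIG)):
        print(line)
```

Offline cracking does not care about trusthosts, so every account with a stored hash is a reset candidate once the backup has left the device; the trusthost finding is the separate exposure check. Running the audit across a fleet's saved backups is a quick way to find devices that still have the SSO login enabled after FortiCare registration.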
Link(s):
https://thehackernews.com/2025/12/fortinet-fortigate-under-active-attack.html