FortiGate SSO Vulnerabilities Actively Exploited With Critical Authentication Bypass Flaws

3

FortiGate SSO vulnerabilities CVE-2025-59718 and CVE-2025-59719 are currently being actively exploited, as threat actors leverage authentication bypass flaws to gain unauthorized administrative access to network devices.

Attackers craft malicious SAML messages to circumvent authentication systems, targeting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager devices with FortiCloud SSO enabled. Fortinet disclosed the critical flaws through a PSIRT advisory on December 9, 2025.

FortiCloud SSO authentication bypass occurs when FortiCloud SSO functionality remains enabled on internet-facing devices. The feature activates automatically during device registration via FortiCare unless administrators explicitly disable it. Arctic Wolf identified intrusion attempts from suspicious IP addresses associated with The Constant Company LLC and Kaopu Cloud HK Limited.

Security logs from compromised devices reveal attackers targeting default admin accounts, exporting complete device configurations containing hashed passwords, network topology details, and security policies.

Threat actors demonstrate sophisticated knowledge of Fortinet’s authentication architecture to execute these SAML-based bypass attacks.

FortiGate SSO Vulnerabilities: What You Need to Know

• Attackers exploit authentication bypass flaws through malicious SAML messages to gain administrative access on internet-facing devices.

Authentication Bypass Attack Mechanism

The exploitation centers on crafted SAML assertions that circumvent authentication procedures.

When FortiCloud SSO remains enabled, threat actors send malicious SAML messages directly to authentication endpoints, tricking systems into granting administrative privileges without valid credentials. This represents a fundamental authentication chain breakdown.

Compromised device logs show unauthorized logins from specific IP addresses, with attackers targeting default admin accounts holding elevated privileges.

Following authentication, attackers export device configurations containing sensitive information. Exported configuration files present secondary risks, as weak passwords in hashed format remain vulnerable to offline dictionary attacks.

Attackers dedicate computing resources to cracking hashes, potentially revealing credentials reused across organizational systems, making understanding critical security vulnerabilities essential for defense.

Affected Products and Patch Requirements

CVE-2025-59718 and CVE-2025-59719 impact multiple Fortinet product lines across version branches:

FortiOS versions 7.0.0 through 7.6.3 require upgrades to versions 7.0.18, 7.2.12, 7.4.9, or 7.6.4. FortiProxy versions 7.0.0 through 7.6.3 need updates to versions 7.0.22, 7.2.15, 7.4.11, or 7.6.4. FortiSwitchManager versions 7.0.0 through 7.2.6 require upgrades to version 7.0.6 or 7.2.7. FortiWeb versions 7.4.0 through 8.0.0 need updates to versions 7.4.10, 7.6.5, or 8.0.1.

Older FortiOS 6.4 and FortiWeb 7.0 and 7.2 branches remain unaffected. Organizations running vulnerable versions face immediate risk, as threat actors have weaponized these flaws and actively scan for exposed devices.

The widespread deployment of Fortinet devices in enterprise environments means thousands of organizations worldwide face critical infrastructure exposure.

Exploitation Indicators and Attack Infrastructure

Security researchers identified specific IP addresses in ongoing exploitation campaigns. Attack infrastructure utilizes hosting services from The Constant Company LLC, including IP addresses 45.32.153.218, 167.179.76.111, and 199.247.7.82.

Additional attempts originate from Kaopu Cloud HK Limited infrastructure at addresses 38.54.88.203, 38.54.95.226, and 38.60.212.97. BL Networks hosts attack node 45.61.136.7.

Compromised FortiGate devices exhibit distinctive log entries indicating successful exploitation. System logs display authentication events with “sso” method designation, listing attacking IP addresses as sources.

Following authentication, logs record configuration file downloads performed by admin accounts through graphical interfaces from identical suspicious addresses, providing forensic evidence of complete attack chains.

Attack pattern consistency suggests threat actor coordination or automated exploitation tool deployment. Systematic targeting of default admin accounts indicates sophisticated campaigns rather than opportunistic attacks.

This methodical approach emphasizes campaign sophistication and the necessity for organizations to implement proper incident response procedures when compromise indicators emerge.

Immediate Mitigation and Security Controls

Organizations unable to deploy patches immediately must implement temporary workarounds. The most effective action involves disabling FortiCloud SSO functionality.

Administrators can disable through graphical interfaces by navigating to System Settings and toggling “Allow administrative login using FortiCloud SSO” to off. Command-line administrators can execute configuration commands to disable the vulnerable feature directly.

Network segmentation provides crucial management interface protection. Administrative access to firewall devices should never face direct internet exposure. Organizations must restrict management interface access to trusted internal networks through dedicated management VLANs.

This network-level control prevents remote attackers from reaching vulnerable authentication endpoints on unpatched devices.

Organizations discovering compromise evidence must assume complete device compromise. All firewall credentials require immediate reset, including admin accounts and all privileged user accounts.

Exported configuration files must be treated as compromised, with particular attention to passwords appearing in configurations in hashed form.

Enterprise Network Appliance Targeting Context

FortiGate SSO vulnerabilities represent the latest threat actor campaign targeting enterprise network appliances. Arctic Wolf tracks repeated campaigns targeting Fortinet devices and competing manufacturer security appliances.

Attackers leverage search engines and network scanning tools to identify vulnerable internet-facing devices.

Compromised perimeter security devices provide attackers with critical advantages. Compromised firewalls grant visibility into all network traffic flowing through devices, exposing sensitive communications.

Attackers modify security policies to allow malicious traffic while blocking defensive measures. They establish persistent access surviving conventional security monitoring efforts, demonstrating the strategic value of firewall compromise.

Enterprise Security Implications

FortiGate SSO vulnerabilities exploitation carries significant enterprise security implications. Fortinet’s rapid disclosure and patch availability demonstrate appropriate vendor response to critical vulnerabilities.

Detailed security advisories and clear upgrade paths provide organizations with actionable protection information. The security research community’s swift exploitation identification and indicator publication enables proactive defense.

Automatic FortiCloud SSO enablement during device registration represents problematic default configuration prioritizing convenience over security. Many organizations remain unaware this functionality activates automatically unless explicitly disabled, creating dangerous security gaps.

Widespread Fortinet product deployment means attack surfaces encompass thousands of organizations globally, many lacking resources or expertise for rapid patch deployment.

The vulnerability disclosure highlights concerning authentication bypass attack trends. Complete authentication circumvention through malicious SAML messages indicates fundamental weaknesses in single sign-on implementations validating assertions.

Similar authentication vulnerabilities have affected other enterprise systems, suggesting this attack vector requires greater vendor and researcher attention.

Attack sophistication demonstrates threat actor substantial technical capabilities and detailed Fortinet authentication architecture knowledge.

Precision required for effective SAML bypass message crafting indicates direct vulnerability knowledge through independent discovery or potential information access from other sources. This sophistication level raises stakes for organizations defending against these threats.

Conclusion

FortiGate SSO vulnerabilities active exploitation demands immediate attention from organizations operating affected Fortinet devices.

Critical authentication bypass flaws enable threat actors to gain administrative control over network security infrastructure, potentially compromising entire networks. Patch availability across affected product lines provides clear remediation paths that organizations must prioritize.

Beyond immediate patching, incidents underscore secure network architecture principles. Management interfaces must never face direct internet exposure regardless of authentication mechanisms.

Default configurations require careful review, particularly features enabling remote access or authentication. Regular security audits should verify convenience features like FortiCloud SSO remain disabled unless explicitly required.

The cybersecurity landscape continues evolving, with threat actors demonstrating increasing sophistication targeting enterprise infrastructure. Organizations must adopt proactive security postures assuming compromise and implementing defense-in-depth strategies.

Regular patching, network segmentation, credential management, and continuous monitoring form effective security program foundations capable of withstanding advanced threats.

Questions Worth Answering

How do I determine if my FortiGate device is vulnerable?

• Check device versions against affected versions. FortiOS 7.0.0 through 7.6.3, FortiProxy 7.0.0 through 7.6.3, FortiSwitchManager 7.0.0 through 7.2.6, and FortiWeb 7.4.0 through 8.0.0 are vulnerable. Verify whether FortiCloud SSO is enabled in System Settings.

What actions should I take if I discover suspicious SSO login entries?

• Reset all administrative credentials immediately. Disconnect devices from the internet if possible. Review and revoke configuration changes made during suspicious timeframes. Conduct thorough network security audits for lateral movement or data exfiltration signs.

Can FortiCloud SSO be used safely after patching?

• Once appropriate patches are applied (FortiOS 7.0.18+, 7.2.12+, 7.4.9+, or 7.6.4+ depending on branch), FortiCloud SSO can be safely re-enabled. Evaluate whether functionality is operationally necessary before re-enabling.

How rapidly are threat actors exploiting CVE-2025-59718 and CVE-2025-59719?

• Security researchers detected active exploitation immediately following public disclosure. Consistent attack patterns and specific IP address usage suggest coordinated campaigns began when vulnerabilities became publicly known, possibly earlier through private discovery.

Why are SAML-based authentication bypass attacks particularly dangerous?

• SAML bypass attacks completely circumvent authentication procedures. Rather than stealing or cracking passwords, attackers manipulate authentication protocols to convince systems they are authorized users, leaving minimal forensic evidence beyond successful login records.

Should FortiCloud SSO be permanently disabled?

• If organizations do not specifically require FortiCloud SSO functionality for operations, permanent disabling reduces attack surfaces. Apply the principle of least functionality by disabling non-essential security operation features.

What compensating controls exist if immediate patching is impossible?

• Disable FortiCloud SSO through System Settings or CLI commands immediately. Restrict management interface access to trusted internal networks only. Implement additional network-level access controls. Enhance monitoring for suspicious authentication attempts and configuration changes until patching is complete.

About Fortinet

Fortinet is a multinational cybersecurity corporation headquartered in Sunnyvale, California, specializing in network security solutions.

The company develops firewalls, endpoint protection, intrusion prevention systems, and unified threat management solutions. FortiGate firewalls represent one of the most widely deployed enterprise security appliance platforms globally.

Founded in 2000, Fortinet established itself as a leading network security market vendor, serving enterprises, service providers, and government organizations worldwide.

The company’s portfolio extends beyond hardware appliances to include cloud-based security services and security fabric architecture providing integrated protection across complex network environments.

Fortinet maintains an active Product Security Incident Response Team coordinating vulnerability disclosures, developing patches, and communicating security advisories to customers.

The company’s response to CVE-2025-59718 and CVE-2025-59719 vulnerabilities, including rapid patch development and clear communication, demonstrates commitment to addressing security issues affecting their extensive customer base.

About Arctic Wolf

Arctic Wolf is a cybersecurity company specializing in security operations and managed detection and response services. The company provides comprehensive security monitoring, threat detection, and incident response capabilities to organizations lacking internal security operations center resources.

Arctic Wolf’s platform combines technology, threat intelligence, and security expertise delivering continuous protection.

Based in Eden Prairie, Minnesota, Arctic Wolf established itself as a prominent managed security services market player. The company’s security researchers actively monitor threat landscapes, identify emerging attack patterns, and issue timely security bulletins protecting customers.

Their rapid FortiGate SSO vulnerabilities response exemplifies proactive threat intelligence approaches.

Arctic Wolf’s security operations center maintains continuous customer environment monitoring, providing detection capabilities that identified active Fortinet vulnerability exploitation.

The company’s emphasis on practical security guidance, including detailed compromise indicators and actionable mitigation steps, helps organizations effectively respond to emerging infrastructure threats.