Fortinet FortiGate devices are currently under active cyberattacks, with threat actors exploiting newly disclosed critical vulnerabilities related to SAML Single Sign-On (SSO) authentication. Security researchers have confirmed that attackers started abusing these flaws within days of public disclosure, highlighting once again how quickly cybercriminals weaponize new vulnerabilities.
According to cybersecurity firm Arctic Wolf, malicious activity targeting FortiGate appliances was detected as early as December 12, 2025. The attacks leverage two severe authentication bypass vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719, both rated with a CVSS score of 9.8, placing them in the critical severity category.
The two vulnerabilities allow unauthenticated attackers to bypass SSO authentication by sending specially crafted SAML messages. If successful, the attacker can gain administrative access without valid credentials.
Arctic Wolf explained that these flaws specifically affect systems where the FortiCloud SSO feature is enabled. When exploited, attackers can log in directly to the firewall management interface as an administrator, bypassing normal security controls entirely.
Fortinet has already released security patches for affected products, including:
FortiOS
FortiWeb
FortiProxy
FortiSwitchManager
Organizations running vulnerable versions are strongly urged to apply these updates immediately.
One important detail raising concern is that FortiCloud SSO is disabled by default, but it can become enabled automatically during FortiCare registration. If administrators do not manually turn off the option called “Allow administrative login using FortiCloud SSO”, the device may remain exposed.
This means many organizations may be vulnerable without realizing it, especially if FortiGate appliances were registered quickly during deployment without reviewing advanced authentication settings.
Arctic Wolf observed attackers using malicious SSO logins to access FortiGate devices. The attacks mainly targeted the default “admin” account, which remains a high-value target in enterprise environments.
The malicious login attempts originated from IP addresses associated with a small number of hosting providers, including:
The Constant Company LLC
BL Networks
Kaopu Cloud HK Limited
After gaining access, attackers were seen exporting full device configurations through the FortiGate graphical interface (GUI). These configuration files were then exfiltrated to the same attacker-controlled IP addresses.
Although Fortinet stores credentials in a hashed format, this does not fully protect organizations. Threat actors often attempt to crack password hashes offline, especially when weak or common passwords are used.
Once attackers obtain firewall configurations, they can gain deep insight into:
Network architecture
VPN settings
Internal IP ranges
Security rules
Administrative accounts
This information can be used for future attacks, lateral movement, or resale on underground forums.
The fact that these vulnerabilities are being actively exploited in the wild makes them especially dangerous. Many threat actors scan the internet continuously for exposed FortiGate devices, allowing them to compromise systems within hours of a vulnerability becoming public.
This campaign shows a familiar pattern seen in previous Fortinet attacks, where unpatched appliances become entry points for broader network compromise.
In response to the ongoing attacks, security teams should act immediately. Arctic Wolf and other security experts recommend the following steps:
Apply Fortinet patches immediately
Update all affected FortiGate, FortiWeb, FortiProxy, and FortiSwitchManager devices to the latest versions provided by Fortinet.
Disable FortiCloud SSO temporarily
Until patches are fully applied, disable FortiCloud SSO to reduce exposure.
Restrict management interface access
Limit firewall and VPN management access to trusted internal IP addresses only. Avoid exposing admin interfaces to the internet.
Monitor logs for suspicious SSO activity
Look for unusual login events, especially SAML-based logins to the “admin” account.
Assume compromise if IoCs are found
Organizations that detect indicators of compromise should assume the device has been breached.
Reset all administrative credentials
Reset passwords for all firewall administrators, especially if configuration files may have been stolen.
Fortinet customers should treat this situation as high priority. Even organizations that believe they are not using SSO should verify FortiCloud SSO settings immediately. Misconfigurations and default registration settings often create hidden security gaps.
Security teams should also review historical logs from early December 2025 to identify any unauthorized access attempts or configuration exports.
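The log-monitoring and historical-review steps above can be turned into a small triage script. The following is an added example written for this article, not code from Arctic Wolf or Fortinet. The log lines are constructed in a simplified FortiGate-style key=value format, and the field names used (action, status, method, user, srcip) are assumptions for illustration; the real field names and values for SSO logins and configuration backups must be taken from the log reference for your FortiOS version. The trusted management ranges and the December 12, 2025 cut-off are likewise placeholders, the latter reflecting the earliest activity date reported above.

```python
import shlex
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simplified FortiGate-style key=value format.
# Field names (action, method, user, srcip, ...) are assumptions for this example;
# check the log reference for your FortiOS version before adapting the parser.
SAMPLE_LOGS = """\
date=2025-12-11 time=09:02:11 type=event subtype=system action=login status=success user="admin" srcip=10.20.0.5 method=https msg="Administrator admin logged in successfully"
date=2025-12-13 time=03:14:07 type=event subtype=system action=login status=success user="admin" srcip=203.0.113.45 method=sso msg="Administrator admin logged in via FortiCloud SSO"
date=2025-12-13 time=03:16:52 type=event subtype=system action=backup status=success user="admin" srcip=203.0.113.45 method=sso msg="Configuration backup downloaded"
date=2025-12-14 time=11:40:30 type=event subtype=system action=login status=failed user="admin" srcip=198.51.100.7 method=sso msg="Administrator login failed"
date=2025-12-14 time=12:00:01 type=event subtype=system action=login status=success user="netops" srcip=10.20.0.9 method=ssh msg="Administrator netops logged in successfully"
"""

TRUSTED_MGMT_NETS = [ip_network("10.20.0.0/24")]  # constructed placeholder: replace with your own ranges
CAMPAIGN_START = date(2025, 12, 12)                # earliest observed activity reported by Arctic Wolf
EXPORT_WINDOW = timedelta(minutes=30)              # how soon after an SSO login an export is linked to it


@dataclass
class Event:
    when: datetime
    action: str
    status: str
    user: str
    srcip: str
    method: str
    msg: str


def parse_line(line):
    """Parse one key=value line (quoted values allowed) into an Event; None if malformed."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    try:
        when = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        return None
    return Event(when, fields.get("action", ""), fields.get("status", ""), fields.get("user", ""),
                 fields.get("srcip", ""), fields.get("method", ""), fields.get("msg", ""))


def is_trusted(ip):
    """True if the source address falls inside an allowed management range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious(events):
    """Return (severity, detail) findings: SSO admin logins from untrusted sources on or after
    CAMPAIGN_START, plus configuration exports from the same source within EXPORT_WINDOW
    of a successful SSO login (the login-then-export sequence described in the article)."""
    findings = []
    recent_sso = {}  # srcip -> time of the last flagged successful SSO login
    for ev in sorted(events, key=lambda e: e.when):
        if ev.when.date() < CAMPAIGN_START:
            continue
        if ev.action == "login" and ev.method == "sso" and not is_trusted(ev.srcip):
            severity = "high" if ev.status == "success" and ev.user == "admin" else "medium"
            findings.append((severity, f"SSO login ({ev.status}) for {ev.user!r} from {ev.srcip} at {ev.when}"))
            if ev.status == "success":
                recent_sso[ev.srcip] = ev.when
        elif ev.action == "backup" and ev.srcip in recent_sso \
                and ev.when - recent_sso[ev.srcip] <= EXPORT_WINDOW:
            minutes = (ev.when - recent_sso[ev.srcip]).seconds // 60
            findings.append(("critical", f"config export by {ev.user!r} from {ev.srcip} at {ev.when}, "
                                         f"{minutes} min after SSO login"))
    return findings


def scan(text):
    """Parse a block of log text and return the findings for it."""
    events = [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]
    return find_suspicious(events)


if __name__ == "__main__":
    for severity, detail in scan(SAMPLE_LOGS):
        print(f"[{severity.upper()}] {detail}")
```

Run against the constructed sample, the script ignores the December 11 HTTPS login from the management range, flags the SSO login to “admin” from an untrusted address as high, escalates the configuration backup that follows it from the same address to critical, and records the failed SSO attempt as medium. Any critical finding should be handled under the "assume compromise" step above: reset administrative credentials and treat the exported configuration as disclosed.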
This Fortinet FortiGate SAML SSO authentication bypass campaign is a strong reminder that identity and access controls remain a prime attack surface. When authentication mechanisms fail, attackers can bypass even the strongest perimeter defenses.
Organizations that rely on Fortinet products must act quickly by patching systems, disabling unnecessary features, and strengthening administrative access controls. Delays in response could lead to full network compromise, data exposure, and long-term operational risk.