Critical Fortinet FortiGate Auth Bypass Under Active Exploitation
Two critical CVSS 9.8 vulnerabilities in FortiGate devices are being actively exploited just days after patch release. Attackers targeting SSO authentication.
Threat actors are actively exploiting two critical authentication bypass vulnerabilities in Fortinet FortiGate devices, with attacks observed just three days after patches were released. Organizations using FortiCloud SSO should treat this as an emergency patching priority.
Vulnerability Overview
CVE IDs: CVE-2025-59718, CVE-2025-59719 CVSS Score: 9.8 (Critical) Affected Products: FortiOS, FortiProxy, FortiSwitchManager, FortiWeb Patch Released: December 9, 2025 Active Exploitation Began: December 12, 2025
Both vulnerabilities stem from improper verification of cryptographic signatures in the FortiCloud SSO login flow. An unauthenticated attacker can send a crafted SAML response to bypass authentication entirely and gain administrative access to affected devices.
Attack Timeline and Observations
According to Arctic Wolf, researchers observed malicious SSO logins targeting FortiGate devices starting December 12, 2025—just three days after Fortinet published its security advisory.
The attacks follow a consistent pattern:
- Initial Access: Attackers perform malicious SSO logins, primarily targeting the "admin" account
- Configuration Exfiltration: After successful authentication, attackers use the FortiGate GUI to download device configuration files
- Credential Harvesting: Exported configurations contain hashed passwords vulnerable to offline cracking
Attack traffic has been traced to IP addresses associated with hosting providers including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited.
Who Is Vulnerable?
The critical detail many administrators may miss: FortiCloud SSO is automatically enabled when registering a device to FortiCare unless explicitly disabled during registration.
From Fortinet's advisory: "When an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration."
This means organizations that registered devices through the GUI without paying close attention to this setting are likely vulnerable.
Unaffected Versions
- FortiOS 6.4
- FortiWeb 7.0
- FortiWeb 7.2
Patched Versions
Organizations must upgrade to the following versions:
| Product | Fixed Versions |
|---|---|
| FortiOS | 7.6.4, 7.4.9, 7.2.12, 7.0.18 |
| FortiProxy | 7.6.4, 7.4.11, 7.2.15, 7.0.22 |
| FortiSwitchManager | 7.2.7, 7.0.6 |
Immediate Mitigation Steps
If patching cannot be completed immediately:
- Disable FortiCloud SSO on all affected devices where it is enabled
- Restrict management interface access to trusted internal networks or VPN only—no direct internet exposure
- Review authentication logs for signs of unauthorized SSO logins
- Reset all firewall credentials if any indicators of compromise are identified
Even hashed passwords in exported configurations remain vulnerable to offline dictionary attacks, so credential rotation is essential if compromise is suspected.
Detection Guidance
Security teams should monitor for:
- Unexpected SSO authentication events, particularly for the "admin" account
- Configuration export operations from unfamiliar IP addresses
- Management interface access from hosting provider IP ranges
- Multiple failed authentication attempts followed by successful SSO login
The Bigger Picture
This incident highlights a recurring pattern in the security industry: threat actors are weaponizing vulnerabilities faster than ever. A three-day window between patch release and active exploitation leaves minimal time for organizations to respond.
The automatic enablement of FortiCloud SSO during device registration also serves as a reminder to security teams: default configurations should always be reviewed and hardened, especially for internet-facing security appliances.
Resources
Organizations running Fortinet products should prioritize patching and conduct thorough log reviews for signs of compromise.
Related Articles
Fortinet Warns 5-Year-Old FortiOS 2FA Bypass Is Under Active Attack
CVE-2020-12812 allows attackers to bypass two-factor authentication on FortiGate devices by simply changing username case. Fortinet issued fresh advisory on December 25.
Dec 25, 2025WatchGuard Firebox Zero-Day CVE-2025-14733 Actively Exploited, 125K Devices Exposed
Critical out-of-bounds write vulnerability in WatchGuard Firebox firewalls under active exploitation with over 125,000 devices exposed online.
Dec 23, 2025Cisco Snort 3 Flaws Enable DoS and Data Leaks
CVE-2026-20026 and CVE-2026-20027 allow remote attackers to crash Snort or extract sensitive data. No workarounds exist—patches are the only fix.
Jan 10, 2026Coolify Command Injection Flaws Grant Root Access
Five critical vulnerabilities in the self-hosting platform allow authenticated users to execute arbitrary commands as root. Over 52,000 instances are exposed globally.
Jan 10, 2026