Critical Fortinet FortiGate Auth Bypass Under Active Exploitation
Two critical CVSS 9.8 vulnerabilities in FortiGate devices are being actively exploited just days after patch release. Attackers targeting SSO authentication.
Threat actors are actively exploiting two critical authentication bypass vulnerabilities in Fortinet FortiGate devices, with attacks observed just three days after patches were released. Organizations using FortiCloud SSO should treat this as an emergency patching priority.
Vulnerability Overview
CVE IDs: CVE-2025-59718, CVE-2025-59719 CVSS Score: 9.8 (Critical) Affected Products: FortiOS, FortiProxy, FortiSwitchManager, FortiWeb Patch Released: December 9, 2025 Active Exploitation Began: December 12, 2025
Both vulnerabilities stem from improper verification of cryptographic signatures in the FortiCloud SSO login flow. An unauthenticated attacker can send a crafted SAML response to bypass authentication entirely and gain administrative access to affected devices. This isn't an isolated issue—our pattern analysis of network appliance auth bypasses shows a recurring architectural weakness across vendors.
Attack Timeline and Observations
According to Arctic Wolf, researchers observed malicious SSO logins targeting FortiGate devices starting December 12, 2025—just three days after Fortinet published its security advisory.
The attacks follow a consistent pattern:
- Initial Access: Attackers perform malicious SSO logins, primarily targeting the "admin" account
- Configuration Exfiltration: After successful authentication, attackers use the FortiGate GUI to download device configuration files
- Credential Harvesting: Exported configurations contain hashed passwords vulnerable to offline cracking
Attack traffic has been traced to IP addresses associated with hosting providers including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited.
Who Is Vulnerable?
The critical detail many administrators may miss: FortiCloud SSO is automatically enabled when registering a device to FortiCare unless explicitly disabled during registration.
From Fortinet's advisory: "When an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration."
This means organizations that registered devices through the GUI without paying close attention to this setting are likely vulnerable.
Unaffected Versions
- FortiOS 6.4
- FortiWeb 7.0
- FortiWeb 7.2
Patched Versions
Organizations must upgrade to the following versions:
| Product | Fixed Versions |
|---|---|
| FortiOS | 7.6.4, 7.4.9, 7.2.12, 7.0.18 |
| FortiProxy | 7.6.4, 7.4.11, 7.2.15, 7.0.22 |
| FortiSwitchManager | 7.2.7, 7.0.6 |
Immediate Mitigation Steps
If patching cannot be completed immediately:
- Disable FortiCloud SSO on all affected devices where it is enabled
- Restrict management interface access to trusted internal networks or VPN only—no direct internet exposure
- Review authentication logs for signs of unauthorized SSO logins
- Reset all firewall credentials if any indicators of compromise are identified
Even hashed passwords in exported configurations remain vulnerable to offline dictionary attacks, so credential rotation is essential if compromise is suspected.
Detection Guidance
Security teams should monitor for:
- Unexpected SSO authentication events, particularly for the "admin" account
- Configuration export operations from unfamiliar IP addresses
- Management interface access from hosting provider IP ranges
- Multiple failed authentication attempts followed by successful SSO login
The Bigger Picture
This incident highlights a recurring pattern in the security industry: threat actors are weaponizing vulnerabilities faster than ever. A three-day window between patch release and active exploitation leaves minimal time for organizations to respond.
The automatic enablement of FortiCloud SSO during device registration also serves as a reminder to security teams: default configurations should always be reviewed and hardened, especially for internet-facing security appliances. FortiCloud SSO wasn't spared either—a zero-day in FortiCloud's SSO mechanism (CVE-2026-24858) added to the company's mounting zero-day tally.
Resources
Organizations running Fortinet products should prioritize patching and conduct thorough log reviews for signs of compromise.
Related Articles
Fortinet FortiCloud SSO Zero-Day Exploited to Hijack Firewalls
CVE-2026-24858 allows attackers with FortiCloud accounts to log into other organizations' FortiGate devices. Patches rolling out now.
Jan 28, 2026FortiGate Patch Fails: Attackers Still Exploiting SSO Bypass
Arctic Wolf reports automated attacks creating rogue admin accounts on supposedly patched FortiGate devices. Fortinet acknowledges incomplete fix.
Jan 23, 2026Fortinet Patches Critical SQLi-to-RCE Flaw in FortiClientEMS
CVE-2026-21643 allows unauthenticated attackers to chain SQL injection with command execution in FortiClient EMS. CVSS 9.8 affects version 7.4.4—upgrade to 7.4.5 immediately.
Feb 12, 2026SolarWinds Web Help Desk Gets Emergency Patches for Four Critical Flaws
Deserialization bugs and authentication bypasses enable unauthenticated RCE. Attackers have targeted WHD vulnerabilities before.
Jan 30, 2026