Attackers are exploiting a recently revealed vulnerability (CVE-2025-59718) to bypass authentication on Fortinet’s FortiGate firewalls, and are leveraging the achieved access to export their system configuration files, Arctic Wolf researchers warned on Tuesday.
Configuration files can expose information about the underlying network and infrastructure, firewall and security policies, encrypted/hashed passwords, and more. Some of this data can come in handy for executing successful attacks at a later date.
CVE-2025-59718 and CVE-2025-59719
Fortinet discovered CVE-2025-59718 and CVE-2025-59719 internally and patched them earlier this year.
Both flaws stem from improper verification of cryptographic signatures. They can be exploited by sending a specially crafted SAML response message to a vulnerable device, which effectively “tells” it that the user initiating the request should be granted access.
CVE-2025-59718 affects FortiOS (running on FortiGate firewalls), FortiProxy (running on FortiProxy secure web gateways), and FortiSwitchManager (running on appliances that are used to centrally manage FortiSwitch Ethernet switches).
CVE-2025-59719 affects FortiWeb, Fortinet’s web application firewall.
The company revealed the vulnerabilities’ existence on December 9, 2025, and urged customers to upgrade to a fixed version or “turn off the FortiCloud login feature (if enabled) temporarily until upgrading to a non-affected version.”
Fortinet noted that the FortiCloud SSO login feature is not enabled in default factory settings, but gets switched on if an administrator uses the device’s GUI to register the device to FortiCare – Fortinet’s customer support and maintenance service – but doesn’t disable the “Allow administrative login using FortiCloud SSO” option in the registration page.
Action required
Arctic Wolf says that it started observing intrusions involving malicious SSO logins on FortiGate appliances on December 12.
The SAML response messages were sent from various IP addresses tied to several hosting providers.
“Malicious logins were typically against the admin account,” the company noted. “Following malicious SSO logins, configurations were exported to the same IP addresses via the GUI interface.”
Organizations using FortiGate firewalls that have yet to upgrade to a non-vulnerable version and are using the FortiCloud SSO login feature should check their logs for suspicious logins and known indicators of compromise.
“If you observe malicious activity similar to the malicious logs described in this security bulletin, assume that hashed firewall credentials stored in the exfiltrated configurations have been compromised, and reset those credentials as soon as possible,” Arctic Wolf researchers advised.
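The log check suggested above, written as an added example (not Arctic Wolf's or Fortinet's code): it correlates an SSO admin login from an untrusted address with a configuration backup from the same address shortly afterwards. The key=value line shape and the field names (logdesc, method, ui, action) are assumptions for the example and must be mapped onto the real schema of the FortiOS version in use; the log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-style key=value syslog form.
# Field names are assumed for this example, not taken from Fortinet docs.
SAMPLE_LOGS = """\
date=2025-12-12 time=03:14:05 logdesc="Admin login successful" user="admin" method="sso" ui="https(203.0.113.10)" action="login" status="success"
date=2025-12-12 time=03:15:40 logdesc="Configuration backup" user="admin" ui="https(203.0.113.10)" action="backup" status="success"
date=2025-12-12 time=09:02:11 logdesc="Admin login successful" user="netops" method="https" ui="https(10.0.0.5)" action="login" status="success"
date=2025-12-12 time=09:05:00 logdesc="Configuration backup" user="netops" ui="https(10.0.0.5)" action="backup" status="success"
date=2025-12-12 time=11:20:00 logdesc="Admin login successful" user="admin" method="sso" ui="https(198.51.100.7)" action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields

def src_ip(fields):
    """Pull the client IP out of a ui="https(1.2.3.4)" style field."""
    m = re.search(r"\(([^)]+)\)", fields.get("ui", ""))
    return m.group(1) if m else None

def is_trusted(ip, trusted_nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in trusted_nets)

def find_sso_login_then_export(log_text, trusted_nets=("10.0.0.0/8",), window=timedelta(hours=1)):
    """Return (user, ip, export_time) for each SSO login from an untrusted IP
    that is followed within `window` by a configuration backup from that IP."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        e["_ip"] = src_ip(e)
    alerts = []
    for login in events:
        if login.get("action") != "login" or login.get("method") != "sso":
            continue
        if login["_ip"] is None or is_trusted(login["_ip"], trusted_nets):
            continue
        for ev in events:
            if (ev.get("action") == "backup" and ev["_ip"] == login["_ip"]
                    and login["_ts"] <= ev["_ts"] <= login["_ts"] + window):
                alerts.append((login["user"], login["_ip"], ev["_ts"].isoformat()))
                break
    return alerts
```

An SSO login with no matching export (the last sample line) is not flagged by itself; widen the match if your environment also logs the export as a download event.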
They also urged admins in charge of their organization’s network appliances to limit access to management interfaces of firewall and VPN appliances to trusted internal users.
CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog and requires US federal civilian agencies to remediate the flaw by December 23, 2025.