An active intrusion is targeting critical authentication bypass vulnerabilities in Fortinet’s FortiGate appliances and related products.
Threat actors are exploiting CVE-2025-59718 and CVE-2025-59719 to perform unauthenticated single sign-on (SSO) logins via malicious SAML messages, granting attackers administrative access.
Fortinet disclosed the flaws in a PSIRT advisory on December 9, 2025. Arctic Wolf quickly followed with its own security bulletin, urging immediate patching.
The vulnerabilities affect multiple product lines, FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud SSO is enabled.
FortiCloud SSO login remains disabled by default in factory settings. However, it activates automatically during device registration via FortiCare GUI unless administrators explicitly disable the “Allow administrative login using FortiCloud SSO” option. This common oversight exposes internet-facing devices to remote exploitation.
Once enabled, attackers craft SAML assertions to bypass authentication entirely. Arctic Wolf reports intrusions originating from a limited set of IP addresses assigned to providers such as The Constant Company LLC and Kaopu Cloud HK Limited. These actors primarily target the default “admin” account.
| IOC | Hosting Provider |
|---|---|
| 45.32.153[.]218 | The Constant Company LLC |
| 167.179.76[.]111 | The Constant Company LLC |
| 199.247.7[.]82 | The Constant Company LLC |
| 45.61.136[.]7 | Bl Networks |
| 38.54.88[.]203 | Kaopu Cloud HK Limited |
| 38.54.95[.]226 | Kaopu Cloud HK Limited |
| 38.60.212[.]97 | Kaopu Cloud HK Limited |
A sample log from a compromised FortiGate shows a successful SSO login:date=2025-12-12 time=REDACTED ... logid="0100032001" ... user="admin" ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 ... action="login" status="success" ...
Post-login, attackers exported device configurations via GUI from the same IPs, as evidenced by:date=2025-12-12 time=REDACTED ... logid="0100032095" ... action="download" ... msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"
Arctic Wolf’s managed detection and response (MDR) platform identifies these patterns and continues alerting affected customers.
Fortinet has released fixed versions across branches. Products like FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2 remain unaffected.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiOS 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiOS 7.4 | 7.4.0 – 7.4.8 | 7.4.9+ |
| FortiOS 7.2 | 7.2.0 – 7.2.11 | 7.2.12+ |
| FortiOS 7.0 | 7.0.0 – 7.0.17 | 7.0.18+ |
| FortiProxy 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiProxy 7.4 | 7.4.0 – 7.4.10 | 7.4.11+ |
| FortiProxy 7.2 | 7.2.0 – 7.2.14 | 7.2.15+ |
| FortiProxy 7.0 | 7.0.0 – 7.0.21 | 7.0.22+ |
| FortiSwitchManager 7.2 | 7.2.0 – 7.2.6 | 7.2.7+ |
| FortiSwitchManager 7.0 | 7.0.0 – 7.0.5 | 7.0.6+ |
| FortiWeb 8.0 | 8.0.0 | 8.0.1+ |
| FortiWeb 7.6 | 7.6.0 – 7.6.4 | 7.6.5+ |
| FortiWeb 7.4 | 7.4.0 – 7.4.9 | 7.4.10+ |
If malicious logs appear, reset all firewall credentials immediately. Even hashed passwords in exported configs remain vulnerable to offline dictionary attacks on weak secrets.
Restrict management interfaces to trusted internal networks only. Arctic Wolf has tracked repeated campaigns hitting Fortinet and similar appliances, often via exposed search engines.
As a temporary workaround, disable FortiCloud SSO: Navigate to System > Settings and toggle “Allow administrative login using FortiCloud SSO” to Off, or run CLI:
textconfig system global
set admin-forticloud-sso-login disable
end
Organizations should prioritize upgrades amid rising firewall targeting. Arctic Wolf emphasizes vigilance, with ongoing detections in place.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
