Fortinet’s FortiGate appliances face immediate threat from two critical authentication bypass vulnerabilities being actively exploited in production environments.
Fortinet released advisories for CVE-2025-59718 and CVE-2025-59719 on December 9, 2025, identifying critical flaws in FortiCloud SSO authentication mechanisms.
These vulnerabilities enable unauthenticated attackers to bypass SSO login protections through crafted SAML messages when FortiCloud SSO is enabled on affected appliances.
Starting December 12, 2025, Arctic Wolf detected coordinated intrusions leveraging malicious Single Sign-On (SSO) logins against FortiGate devices worldwide.
Vulnerability Overview
| CVE ID | CVSS Score | Severity | Attack Vector | Authentication Required |
|---|---|---|---|---|
| CVE-2025-59718 | 9.8 | Critical | Network/Unauthenticated | No |
| CVE-2025-59719 | 9.8 | Critical | Network/Unauthenticated | No |
Multiple Fortinet product lines remain vulnerable, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
While FortiCloud SSO is disabled by default in factory settings, administrators registering devices through FortiCare via the GUI automatically enable SSO unless explicitly disabled during registration.
Threat actors are exploiting these vulnerabilities from infrastructure provided by multiple hosting providers.
Malicious SSO logins predominantly target admin accounts from seven identified IP addresses.
Following successful authentication, attackers systematically export device configurations through the GUI interface, likely seeking credential hashes and network architecture details.
Affected Products and Patches
| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| FortiOS 7.6 | 7.6.0–7.6.3 | 7.6.4+ |
| FortiOS 7.4 | 7.4.0–7.4.8 | 7.4.9+ |
| FortiOS 7.2 | 7.2.0–7.2.11 | 7.2.12+ |
| FortiOS 7.0 | 7.0.0–7.0.17 | 7.0.18+ |
| FortiProxy 7.6 | 7.6.0–7.6.3 | 7.6.4+ |
| FortiProxy 7.4 | 7.4.0–7.4.10 | 7.4.11+ |
| FortiWeb 8.0 | 8.0.0 | 8.0.1+ |
FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2 remain unaffected by these vulnerabilities.
Organizations must prioritize three critical remediation steps. First, upgrade all affected Fortinet products to patched versions immediately.
Second, if exploitation is suspected, reset all firewall administrator credentials since attackers may have obtained hashed credentials from exported configurations.
Third, restrict management interface access to trusted internal networks only, eliminating exposure to internet-facing exploitation attempts.
As temporary mitigation, disable the FortiCloud SSO feature through System Settings or CLI commands until patching is complete.
Organizations should monitor for suspicious administrative logins originating from unknown IP addresses and configure alerts for configuration exports via GUI interfaces.
The combination of zero-touch exploitation, automatic admin account targeting, and direct configuration access makes this campaign exceptionally dangerous. Immediate action is essential to prevent network compromise.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.