Hackers are exploiting critical Fortinet flaws days after patch release

Pierluigi Paganini
December 16, 2025

Threat actors are exploiting two critical authentication bypass flaws in Fortinet products, tracked as CVE-2025-59718 and CVE-2025-59719, only days after patches were released.

Arctic Wolf warns that threat actors began exploiting the two critical flaws, CVE-2025-59718 and CVE-2025-59719 (CVSS score 9.1), in Fortinet products within days of the patch release.

Last week, Fortinet addressed 18 vulnerabilities, including CVE-2025-59718 and CVE-2025-59719, which affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO login is enabled.

Both vulnerabilities are improper verification of cryptographic signature issues (CWE-347).

The flaws allow an unauthenticated attacker to bypass the FortiCloud SSO login on FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager with a crafted SAML message, provided the feature is enabled. FortiCloud SSO login is disabled in factory settings, but it is switched on automatically when an administrator registers the device to FortiCare from the GUI, unless the administrator clears the “Allow administrative login using FortiCloud SSO” toggle on the registration page. A device that was never meant to use SSO may therefore still have it enabled.

“Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch “Allow administrative login using FortiCloud SSO” in the registration page, FortiCloud SSO login is enabled upon registration.” reads the advisory.

As a temporary mitigation, the vendor recommends disabling the FortiCloud SSO login feature (if enabled) until the device is upgraded to a fixed version.

Below are the impacted versions:

Product / version       Affected versions        Solution
FortiOS 7.6             7.6.0 through 7.6.3      Upgrade to 7.6.4 or above
FortiOS 7.4             7.4.0 through 7.4.8      Upgrade to 7.4.9 or above
FortiOS 7.2             7.2.0 through 7.2.11     Upgrade to 7.2.12 or above
FortiOS 7.0             7.0.0 through 7.0.17     Upgrade to 7.0.18 or above
FortiOS 6.4             Not affected             Not applicable
FortiProxy 7.6          7.6.0 through 7.6.3      Upgrade to 7.6.4 or above
FortiProxy 7.4          7.4.0 through 7.4.10     Upgrade to 7.4.11 or above
FortiProxy 7.2          7.2.0 through 7.2.14     Upgrade to 7.2.15 or above
FortiProxy 7.0          7.0.0 through 7.0.21     Upgrade to 7.0.22 or above
FortiSwitchManager 7.2  7.2.0 through 7.2.6      Upgrade to 7.2.7 or above
FortiSwitchManager 7.0  7.0.0 through 7.0.5      Upgrade to 7.0.6 or above
FortiWeb 8.0            8.0.0                    Upgrade to 8.0.1 or above
FortiWeb 7.6            7.6.0 through 7.6.4      Upgrade to 7.6.5 or above
FortiWeb 7.4            7.4.0 through 7.4.9      Upgrade to 7.4.10 or above
FortiWeb 7.2            Not affected             Not applicable
FortiWeb 7.0            Not affected             Not applicable

The vulnerabilities were internally discovered and reported by Yonghui Han and Theo Leleu of Fortinet Product Security team.

Arctic Wolf researchers observed attackers exploiting the Fortinet authentication bypass flaws starting on December 12, just three days after the patches were issued. The attacks involved malicious SSO logins on FortiGate devices, mainly targeting the admin account, from IP addresses belonging to a small number of hosting providers. After gaining access, the attackers exported device configurations via the GUI. These files include hashed credentials that threat actors can attempt to crack offline, increasing the risk of further compromise.

“On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.” Arctic Wolf warns.

The experts reported that recent intrusions involved malicious SSO logins to FortiGate devices originating from a small set of hosting providers. Attackers primarily targeted the admin account, successfully authenticating via SSO from specific IP addresses. After gaining access, they used the FortiGate GUI to download device configuration files, exporting them to the same source IPs. Arctic Wolf reports having detection mechanisms in place to identify this activity and will continue monitoring and alerting customers about further suspected exploitation.
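The intrusion chain described above (an SSO admin login from a hosting-provider IP, then a configuration export to the same IP) is simple to hunt for once the relevant events are parsed out of the FortiGate event log. The following is an added example, not code from Fortinet or Arctic Wolf. It assumes FortiGate's key=value syslog layout, but the logdesc strings (“Admin login successful”, “Configuration backup”), the method="sso" marker for FortiCloud SSO logins, the 30-minute correlation window and the sample log lines are all constructed for illustration and must be checked against the log reference for your FortiOS build before being used as a detection.

```python
"""Hunt for a FortiCloud SSO admin login followed by a configuration export
to the same source IP, over FortiGate-style key=value event logs.

Added example, not Fortinet's or Arctic Wolf's code. The logdesc values,
the method="sso" marker and the sample lines are assumptions for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# FortiGate event logs are space-separated key=value pairs; a value is either
# "quoted" or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed logdesc values for the two events of interest (verify per build).
LOGIN_DESC = "Admin login successful"
EXPORT_DESC = "Configuration backup"

# An export this long after an SSO login is still attributed to that login.
DEFAULT_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Turn one log line into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = raw if quoted is None else quoted
    return fields


def event_time(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def hunt(lines, trusted_nets=("10.0.0.0/8",), window=DEFAULT_WINDOW):
    """Return alerts, in event order, for (1) SSO admin logins from outside the
    trusted management networks and (2) a configuration export from the same
    source IP within `window` of an SSO login."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    sso_logins = {}  # srcip -> (login time, user)
    alerts = []
    for f in (parse_line(l) for l in lines if l.strip()):
        desc, src = f.get("logdesc"), f.get("srcip")
        if not desc or not src:
            continue
        ts = event_time(f)
        if desc == LOGIN_DESC and f.get("method") == "sso":
            sso_logins[src] = (ts, f.get("user"))
            if not any(ipaddress.ip_address(src) in n for n in nets):
                alerts.append({"kind": "sso_login_untrusted_source",
                               "user": f.get("user"), "srcip": src, "time": ts})
        elif desc == EXPORT_DESC and src in sso_logins:
            login_ts, user = sso_logins[src]
            if ts - login_ts <= window:
                alerts.append({"kind": "sso_login_then_config_export",
                               "user": user, "srcip": src,
                               "login_time": login_ts, "export_time": ts})
    return alerts


# Constructed sample log. 203.0.113.45 plays the hosting-provider address;
# 10.0.0.0/8 is the trusted management network.
SAMPLE_LOGS = [
    'date=2025-12-12 time=09:14:02 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" '
    'method="sso" srcip=203.0.113.45 action="login" status="success"',
    'date=2025-12-12 time=09:16:40 type="event" subtype="system" vd="root" '
    'logdesc="Configuration backup" user="admin" ui="https(203.0.113.45)" '
    'srcip=203.0.113.45 action="backup" msg="Configuration exported via GUI"',
    'date=2025-12-12 time=11:02:11 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.5.7)" '
    'method="https" srcip=10.0.5.7 action="login" status="success"',
    'date=2025-12-12 time=11:05:00 type="event" subtype="system" vd="root" '
    'logdesc="Configuration backup" user="netops" ui="https(10.0.5.7)" '
    'srcip=10.0.5.7 action="backup" msg="Configuration exported via GUI"',
    'date=2025-12-12 time=12:00:00 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="ops" ui="https(10.0.5.9)" '
    'method="sso" srcip=10.0.5.9 action="login" status="success"',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOGS):
        print(alert)
```

On the sample, the admin login from 203.0.113.45 raises both alerts, while the password-based netops session and the SSO login from inside 10.0.0.0/8 raise none. Keying the correlation on the source IP rather than the username matches what Arctic Wolf describes (the export went back to the IP that logged in) and still fires if the attacker uses an account other than admin.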

Administrators are urged to review admin login and configuration-export logs for signs of compromise, to rotate credentials where a configuration may have been exported (the file contains hashed credentials), and to restrict firewall management access to trusted networks. Fortinet has released patches across multiple FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb versions, and advises disabling FortiCloud SSO admin login until devices are upgraded.

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)