Key Takeaways
- Two newly disclosed security flaws in Fortinet FortiGate devices are being exploited by threat actors, less than a week after public disclosure.
- The flaws, CVE-2025-59718 and CVE-2025-59719, allow unauthenticated bypass of single sign-on (SSO) login authentication via crafted SAML messages.
- Patches for the flaws have been released by Fortinet, and organizations are advised to apply them as soon as possible.
- Mitigations include disabling FortiCloud SSO until instances are updated and limiting access to management interfaces of firewalls and VPNs to trusted internal users.
Introduction to the Vulnerabilities
The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging every day. Recently, two critical security flaws in Fortinet FortiGate devices were disclosed, and threat actors have already begun to exploit them. The vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, allow unauthenticated bypass of single sign-on (SSO) login authentication via crafted SAML messages. This means that attackers can gain access to FortiGate appliances without requiring authentication, potentially leading to unauthorized access and data breaches.
Exploitation Activity
According to Arctic Wolf, a cybersecurity company, active intrusions involving malicious SSO logins on FortiGate appliances were observed on December 12, 2025. The attacks exploit the two newly disclosed vulnerabilities, which have CVSS scores of 9.8, indicating a high level of severity. The malicious activity involves IP addresses associated with a limited set of hosting providers, such as The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited. These IP addresses are used to carry out malicious SSO logins against the "admin" account, and following the logins, the attackers export device configurations via the GUI to the same IP addresses.
Patches and Mitigations
Patches for the flaws were released by Fortinet last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Organizations are advised to apply these patches as soon as possible to prevent exploitation. In addition to applying patches, mitigations include disabling FortiCloud SSO until instances are updated to the latest version and limiting access to management interfaces of firewalls and VPNs to trusted internal users. It’s essential to note that while FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators explicitly turn it off using the "Allow administrative login using FortiCloud SSO" setting in the registration page.
Recommendations for Affected Organizations
Organizations that find indicators of compromise (IoCs) consistent with the campaign are recommended to assume compromise and reset hashed firewall credentials stored in the exfiltrated configurations. Although credentials are typically hashed in network appliance configurations, threat actors are known to crack hashes offline, especially if credentials are weak and susceptible to dictionary attacks. Therefore, it’s crucial for organizations to take immediate action to protect themselves from potential exploitation. By applying patches, disabling FortiCloud SSO, and limiting access to management interfaces, organizations can reduce the risk of unauthorized access and data breaches.
Conclusion and Future Outlook
The exploitation of the two newly disclosed security flaws in Fortinet FortiGate devices highlights the importance of keeping software up to date and applying patches as soon as possible. Organizations must remain vigilant and proactive in protecting themselves from potential threats and vulnerabilities. By staying informed about the latest security threats and taking prompt action to mitigate them, organizations can reduce the risk of data breaches and unauthorized access. As the cybersecurity landscape continues to evolve, it’s essential for organizations to prioritize security and take a proactive approach to protecting themselves from potential threats.
