Fortinet SAML Bypass Exploited; Patch FortiGate Now

December 16, 2025 at 12:00 AM

Attackers are actively exploiting two newly disclosed SAML SSO authentication bypass flaws in Fortinet gear, putting unpatched FortiGate and related products at immediate risk.

What’s happening

  • On December 12, 2025, Arctic Wolf observed malicious SSO logins on FortiGate appliances exploiting CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8).
  • Fortinet released fixes last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

How the attacks work

  • The bugs enable an unauthenticated bypass of SSO via crafted SAML messages when FortiCloud SSO is enabled.
  • FortiCloud SSO is off by default but is automatically turned on during FortiCare registration unless admins explicitly disable it using the "Allow administrative login using FortiCloud SSO" setting.

Observed attacker behavior

  • Adversaries are logging in via SSO to the "admin" account.
  • Activity is coming from IPs tied to a small set of hosting providers, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited.
  • After successful logins, attackers export device configurations through the GUI to the same IP addresses.

Scope and attribution

  • Arctic Wolf says the campaign appears early-stage and opportunistic, with a relatively small portion of observed networks impacted.
  • No actor attribution has been made at this time.

Immediate actions to take

  • Patch now: Update FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager to the latest versions.
  • Temporarily disable FortiCloud SSO until all instances are fully updated.
  • Restrict management interface access for firewalls and VPNs to trusted internal users and networks.
  • Hunt for indicators: Review logs for suspicious SSO logins to "admin" and configuration exports; check for connections from the hosting providers listed above.
  • Assume compromise if IoCs are present: Reset every credential whose hash appears in an exfiltrated config. Even though the stored values are hashes rather than plaintext, weak passwords can be recovered offline with a dictionary attack.
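One way to hunt for the two indicators named above (a successful SSO login to "admin" followed by a configuration export from the same source IP) in FortiOS-style key=value event logs. This is an added example, not code from the article or from Fortinet; the log lines are constructed, and the field values ui="sso", action="backup" and the logdesc strings are assumptions about the log format, not verified against Fortinet's log reference.

```python
import re

# Constructed sample FortiOS-style event log lines (key=value / key="value" format).
# Field values such as ui="sso" and action="backup" are assumptions for illustration.
SAMPLE_LOGS = """\
date=2025-12-12 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="sso" srcip=203.0.113.5 action="login" status="success"
date=2025-12-12 time=03:15:22 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="GUI(203.0.113.5)" srcip=203.0.113.5 action="backup" status="success"
date=2025-12-12 time=08:01:00 type="event" subtype="system" logdesc="Admin login successful" user="jsmith" ui="https(192.0.2.10)" srcip=192.0.2.10 action="login" status="success"
date=2025-12-12 time=09:30:45 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="sso" srcip=198.51.100.7 action="login" status="success"
"""

# key=value where value is either "quoted, may contain spaces" or an unquoted token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted and bare values both handled."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_sso_admin_login(ev):
    # Successful login to the built-in "admin" account through the SSO interface
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("user") == "admin"
            and ev.get("ui", "").lower().startswith("sso"))


def is_config_export(ev):
    # Successful configuration backup/export (assumed action value)
    return ev.get("action") == "backup" and ev.get("status") == "success"


def hunt(log_text):
    """Return source IPs with admin SSO logins, and the subset that also exported config."""
    sso_ips, export_ips = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ip = ev.get("srcip", "")
        if is_sso_admin_login(ev):
            sso_ips.add(ip)
        if is_config_export(ev):
            export_ips.add(ip)
    return {"sso_admin_logins": sorted(sso_ips),
            "login_then_export": sorted(sso_ips & export_ips)}


if __name__ == "__main__":
    print(hunt(SAMPLE_LOGS))
```

IPs in the login_then_export set are the ones to compare against your firewall's egress logs and the hosting providers named above; a hit there is the trigger for the assume-compromise steps.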

CISA update

  • On December 16, 2025, CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, requiring FCEB agencies to apply fixes by December 23, 2025.

Source: The Hacker News
