Fortinet Authentication Bug Sparks Rapid Exploitation

Fortinet Authentication Bug Sparks Rapid Exploitation

Threat actors are actively exploiting two critical Fortinet vulnerabilities, CVE-2025-59718 and CVE-2025-59719, that enable unauthenticated bypass of FortiCloud SSO authentication through crafted SAML responses. The Fortinet authentication bypass vulnerabilities were first observed on December 9, 2025, affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb products. Exploitation of these Fortinet SSO vulnerabilities began within days of disclosure, targeting FortiGate appliances and related Fortinet products where FortiCloud SSO was unintentionally enabled during FortiCare registration. Attackers exploiting the Fortinet authentication bug gain administrative access to Fortinet devices, exfiltrate device configurations, and potentially compromise hashed credentials through offline cracking attacks. Organizations using affected Fortinet products should immediately patch affected systems, disable FortiCloud SSO login, and restrict administrative access to Fortinet management interfaces to mitigate ongoing exploitation risk.
Vulnerability Details
Critical Fortinet SSO Authentication Bypass Vulnerabilities
Threat actors rapidly weaponized two newly disclosed Fortinet vulnerabilities, exploiting the Fortinet authentication bug less than a day after public disclosure of CVE-2025-59718 and CVE-2025-59719. These critical Fortinet SSO vulnerabilities enable unauthenticated remote attackers to bypass FortiCloud Single Sign-On authentication by submitting crafted SAML response messages to vulnerable Fortinet products.
The root cause of the Fortinet authentication bypass is improper verification of cryptographic signatures within the FortiCloud SSO login mechanism. Affected Fortinet products span multiple enterprise platforms, including FortiOS versions before 7.0.18, 7.2.12, 7.4.9, and 7.6.4, FortiProxy versions before 7.0.22, 7.2.15, 7.4.11, and 7.6.4, FortiSwitchManager versions before 7.0.6 and 7.2.7, and FortiWeb versions before 7.4.10, 7.6.5, and 8.0.1.
Although FortiCloud SSO is disabled by default on Fortinet devices, the Fortinet vulnerability risk emerges during device registration with FortiCare. When administrators enroll Fortinet devices through the graphical interface, FortiCloud SSO is automatically enabled unless the “Allow administrative login using FortiCloud SSO” option is explicitly disabled during FortiCare registration. This silent enablement of Fortinet SSO creates an unexpected exposure surface for authentication bypass attacks.
Active exploitation of the Fortinet authentication bug was confirmed beginning December 12, 2025, just three days after vulnerability disclosure. Observed attacks exploiting CVE-2025-59718 and CVE-2025-59719 focused on abusing SSO authentication to gain unauthorized access to FortiGate appliances, typically targeting the “admin” account. Following successful Fortinet authentication bypass, attackers exfiltrated full device configurations from compromised Fortinet systems. While stored credentials in Fortinet configurations are hashed, offline password cracking remains feasible, particularly against weak or reused passwords. Organizations observing malicious activity related to these Fortinet vulnerabilities should treat all extracted credentials as compromised and reset them immediately.
Given Fortinet’s long-standing attractiveness as an initial access vector for threat actors, continued exploitation of the Fortinet SSO vulnerabilities is expected. Organizations running affected Fortinet product versions should apply security patches without delay. Until Fortinet patch remediation is complete, FortiCloud SSO login should be disabled on all Fortinet devices, and administrative access to Fortinet firewall and VPN management interfaces should be strictly restricted to trusted internal networks.
Recommendations
Immediate Actions to Mitigate Fortinet Authentication Bypass Risk
Disable FortiCloud SSO Immediately: FortiCloud SSO is disabled by default on Fortinet devices but may be unintentionally enabled during FortiCare registration. Organizations should disable the “Allow administrative login using FortiCloud SSO” setting on all vulnerable Fortinet devices until upgrades are completed. Use the Fortinet GUI or CLI to ensure the FortiCloud SSO feature is fully disabled across all affected FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb products.
Apply Security Patches Without Delay: Upgrade affected Fortinet products to non-affected versions as soon as Fortinet security patches are available. Do not re-enable FortiCloud SSO on Fortinet devices until systems are confirmed to be running a fixed release. Prioritize patching internet-facing FortiGate appliances and related Fortinet products to eliminate the authentication bypass vulnerability.
Monitor for Indicators of Compromise: Review Fortinet system logs for successful SSO-based admin logins from unfamiliar external IP addresses. Watch for Fortinet configuration exports performed through the GUI shortly after authentication events. Treat any unexplained administrative activity on Fortinet devices as potentially malicious exploitation of the authentication bug.
Restrict Management Interface Exposure: Limit Fortinet firewall and VPN management access to trusted internal networks only. Remove direct internet access to Fortinet administrative interfaces wherever possible. Enforce network segmentation to reduce blast radius in the event of Fortinet device compromise through authentication bypass.
Harden Administrative Access Controls: Enforce strong password policies on Fortinet devices and minimize the use of shared administrative accounts. Regularly audit administrative privileges on Fortinet systems and remove unnecessary access. Treat Fortinet firewall and VPN appliances as high-value assets requiring elevated protection against authentication bypass attacks.
Indicators of Compromise (IoCs)
Fortinet Authentication Bug Exploitation Indicators
IPv4 Addresses Associated with Fortinet SSO Exploitation:

45.32.153.218
167.179.76.111
199.247.7.82
45.61.136.7
38.54.88.203
38.54.95.226
38.60.212.97

MITRE ATT&CK TTPs
Fortinet Vulnerability Exploitation Tactics and Techniques
Initial Access:

T1190: Exploit Public-Facing Application – Exploitation of Fortinet authentication bypass vulnerabilities
T1133: External Remote Services – Abuse of FortiCloud SSO authentication mechanism

Execution:

Valid account usage through compromised Fortinet admin credentials

Persistence:

T1078: Valid Accounts – Maintaining access through compromised Fortinet administrative accounts

Defense Evasion:

T1562: Impair Defenses – Disabling Fortinet security controls
T1562.001: Disable or Modify Tools – Modifying Fortinet security configurations
T1556: Modify Authentication Process – Exploiting FortiCloud SSO authentication bypass

Collection:

T1530: Data from Cloud Storage – Exfiltration of Fortinet device configurations
T1005: Data from Local System – Extraction of credentials and configuration data from Fortinet systems

Command and Control:

T1071: Application Layer Protocol – Communication with compromised Fortinet devices
T1071.001: Web Protocols – Using web-based protocols for Fortinet device access

References
Fortinet Vulnerability Information Sources

Fortinet Security Advisory: https://www.fortiguard.com/psirt/FG-IR-25-647
Arctic Wolf Malicious SSO Login Observations: https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
Arctic Wolf CVE Analysis: https://arcticwolf.com/resources/blog/cve-2025-59718-and-cve-2025-59719/
Fortinet Upgrade Tool: https://docs.fortinet.com/upgrade-tool
HivePro Threat Advisory: https://hivepro.com/threat-advisory/fortiweb-flaw-exploited-in-the-wild-patch-immediately/