Threat actors have begun actively exploiting two recently disclosed critical vulnerabilities affecting Fortinet FortiGate devices, just days after the flaws were made public.

Cybersecurity firm Arctic Wolf reported observing live intrusion attempts on December 12, 2025, involving unauthorized single sign-on (SSO) access to FortiGate appliances. The attacks abuse two authentication bypass vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719, both carrying a CVSS score of 9.8. Fortinet has already released patches addressing the issues across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

According to Arctic Wolf Labs, the flaws allow attackers to bypass SSO authentication by sending specially crafted SAML messages, provided the FortiCloud SSO feature is enabled on the affected device. While FortiCloud SSO is disabled by default, it is automatically turned on during FortiCare registration unless administrators manually disable the “Allow administrative login using FortiCloud SSO” option.

Observed attacks originated from IP addresses linked to a small group of hosting providers, including The Constant Company LLC, Bl Networks, and Kaopu Cloud HK Limited. These IPs were used to carry out malicious SSO logins targeting the “admin” account. After gaining access, attackers were seen exporting device configuration files through the graphical interface to the same external IP addresses.

Given the active exploitation, organizations are strongly advised to apply the available security updates immediately. Until systems are fully patched, recommended mitigations include disabling FortiCloud SSO and restricting access to firewall and VPN management interfaces to trusted internal users only.

Arctic Wolf also warned that although credentials stored in exported configurations are typically hashed, attackers may attempt offline password cracking, particularly if weak credentials are in use. Fortinet customers who identify indicators of compromise consistent with this activity should assume a breach and reset any affected firewall credentials.
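The intrusion pattern described above (an SSO login as "admin" from an untrusted source, followed shortly by a configuration export to that same address) can be checked for in exported firewall event logs. The following is an added detection sketch, not code from Arctic Wolf or Fortinet; the log lines are constructed, and the field names (logdesc, user, method, srcip, action) are assumed for illustration rather than taken from the vendor's documented log schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value style loosely modelled on
# FortiGate event logs. Field names are ASSUMED for this example only.
SAMPLE_LOGS = """\
date=2025-12-12 time=08:01:10 logdesc="Admin login successful" user="admin" method="forticloud-sso" srcip=10.0.5.20 action=login
date=2025-12-12 time=08:03:42 logdesc="Admin login successful" user="admin" method="forticloud-sso" srcip=203.0.113.77 action=login
date=2025-12-12 time=08:04:15 logdesc="Configuration backed up" user="admin" srcip=203.0.113.77 action=config-backup
date=2025-12-12 time=09:30:00 logdesc="Admin login successful" user="admin" method="password" srcip=10.0.5.21 action=login
"""

TRUSTED_NETS = ("10.", "192.168.")  # constructed: internal management ranges
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict and attach a timestamp."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields

def is_trusted(ip):
    return ip.startswith(TRUSTED_NETS)

def find_suspicious_sso(log_text, window=timedelta(minutes=30)):
    """Return alerts for FortiCloud SSO admin logins from untrusted sources,
    noting whether the same source exported the configuration afterwards."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if ev.get("action") != "login" or ev.get("method") != "forticloud-sso":
            continue
        if ev.get("user") != "admin" or is_trusted(ev["srcip"]):
            continue
        exported = any(
            e["action"] == "config-backup" and e["srcip"] == ev["srcip"]
            and ev["ts"] <= e["ts"] <= ev["ts"] + window
            for e in events
        )
        alerts.append({"srcip": ev["srcip"], "time": ev["ts"].isoformat(),
                       "config_exported": exported,
                       "severity": "critical" if exported else "high"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_sso(SAMPLE_LOGS):
        print(alert)
```

A hit with config_exported set should be treated as the "assume breach" case the advisory describes: patch, disable FortiCloud SSO, and reset the affected firewall credentials.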

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news