Executive Summary

Fortinet has issued a critical warning confirming the active exploitation of an authentication bypass vulnerability in its FortiCloud Single Sign-On (SSO) feature. The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, allow attackers to gain unauthorized administrative access to FortiGate firewalls. Alarmingly, the attacks have been observed on fully patched devices, suggesting a logic flaw or a zero-day exploit chain. Attackers are leveraging the bypass to create rogue administrative accounts, enable remote access VPNs, and exfiltrate device configurations, posing a severe risk to affected organizations.

Vulnerability Details

• CVE IDs: CVE-2025-59718, CVE-2025-59719
• Product: FortiGate firewalls using FortiCloud Single Sign-On (SSO).
• Vulnerability Type: Authentication Bypass.
• Attack Vector: The vulnerability is exploited by sending a specially crafted SAML (Security Assertion Markup Language) message to the device. This appears to trick the SSO mechanism into granting administrative access without valid credentials.

Exploitation Status

Fortinet has confirmed active in-the-wild exploitation. The fact that attackers are targeting even fully patched systems suggests a sophisticated threat actor is involved. The post-exploitation activity indicates a clear goal: establish long-term persistence and gain deep insight into the victim's network architecture.

Post-Exploitation TTPs:

1. Create Persistent Accounts: Attackers create new, high-privileged administrative accounts on the FortiGate device (T1136.001 - Local Account).
2. Enable VPN Access: They configure or enable VPN access for these rogue accounts, providing them with persistent remote access to the network (T1133 - External Remote Services).
3. Exfiltrate Configuration: The attackers download the firewall's full configuration. This file contains a wealth of information, including network topology, firewall rules, credentials, and IPsec keys, which can be used to plan further attacks.

Impact Assessment

This is a critical-level threat. A compromised perimeter firewall is one of the worst-case security scenarios.

• Total Network Compromise: With administrative access to the firewall, an attacker has 'keys to the kingdom.' They can disable security policies, redirect traffic, and create pathways to attack any system on the internal network.
• Persistent Access: The creation of rogue admin accounts allows the attacker to maintain access even if the initial vulnerability is patched.
• Intelligence Gathering: The exfiltrated configuration file provides a complete blueprint of the victim's network security posture, enabling highly targeted and effective secondary attacks.
• Data Breaches: Attackers can manipulate firewall rules to exfiltrate large volumes of data from the internal network.

Cyber Observables for Detection

Administrators must proactively hunt for these indicators:

Detection & Response

1. Audit Administrative Accounts: Immediately review all local administrative accounts on your FortiGate firewalls. Investigate and disable any account that is not known and explicitly authorized.
2. Review VPN Configurations: Audit all remote access VPN configurations, especially SSL-VPN and IPsec. Check for recently added user groups or policies.
3. Analyze Logs: Scrutinize FortiGate logs for the observables listed above. Look for successful SAML logins that do not correlate with legitimate user activity. Pay close attention to logs from the time the vulnerability was announced. Reference D3FEND technique Authentication Event Thresholding.

Mitigation

Fortinet customers should take immediate action:

1. Follow Fortinet's Guidance: Monitor Fortinet's PSIRT advisories for official mitigation steps, which may include disabling FortiCloud SSO, applying new patches when available, or implementing specific firewall rules.
2. Restrict Access: Restrict access to the FortiGate management interface to a limited set of trusted IP addresses. This will not block the exploit itself but will reduce the attack surface.
3. Implement Multi-Factor Authentication (MFA): Enforce MFA for all administrative access to the FortiGate. While the vulnerability is an SSO bypass, having MFA as a policy can sometimes interfere with an attacker's post-exploitation toolkit. Reference D3FEND technique Multi-factor Authentication.
4. Configuration Backups: Regularly back up your FortiGate configuration so you can compare it against a known-good version to spot unauthorized changes.