Active Attacks Exploit Critical Fortinet SSO Bypass Flaws to Gain Admin Access
Threat Actors Actively Exploiting Critical Fortinet Authentication Bypass Vulnerabilities (CVE-2025-59718, CVE-2025-59719)
Related Entities
Organizations
Products & Tech
CVE Identifiers
Full Report
Executive Summary
Threat actors are actively exploiting two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting a range of Fortinet products. The flaws, both with a CVSS score of 9.1, allow a remote, unauthenticated attacker to gain administrative access by forging a SAML message to bypass FortiCloud single sign-on (SSO). Security firm Arctic Wolf confirmed observing malicious SSO logins targeting customer FortiGate appliances, primarily aimed at the default 'admin' account. The vulnerability is particularly dangerous because the FortiCloud SSO feature, while disabled by default, is automatically enabled during device registration via the GUI. Fortinet has released patches, and immediate action is required to prevent compromise.
Vulnerability Details
- CVE-2025-59718 & CVE-2025-59719: Improper Signature Verification for SAML Authentication
- CVSS Score: 9.1 (Critical)
- Attack Vector: Remote / Unauthenticated
The core of the vulnerability lies in an improper verification of the cryptographic signature on Security Assertion Markup Language (SAML) messages. When FortiCloud SSO is enabled for administrative logins, an attacker can craft a malicious SAML assertion and send it to the device. The vulnerable device fails to properly validate the signature, trusts the malicious assertion, and grants the attacker an administrative session. This effectively allows a complete bypass of the authentication mechanism.
Affected Systems
The vulnerabilities affect multiple Fortinet products when the FortiCloud SSO feature is enabled:
- FortiOS
- FortiWeb
- FortiProxy
- FortiSwitchManager
Critical Warning: The FortiCloud SSO feature (
forticloud-sso-login) is automatically enabled when an administrator registers the device with FortiCare through the web GUI. Many administrators may be unaware this feature is active, leaving their internet-facing devices exposed.
Exploitation Status
The vulnerabilities are being actively exploited in the wild. Arctic Wolf began observing malicious SSO logins on December 12, 2025, just three days after Fortinet's disclosure. The observed attacks have targeted the default 'admin' account and originated from IP addresses associated with hosting providers The Constant Company LLC and Kaopu Cloud HK Limited.
- MITRE ATT&CK Mapping:
T1190 - Exploit Public-Facing Application: The attacker targets the web-based management interface of the Fortinet appliance.T1606.002 - SAML Tokens: The core of the attack involves forging SAML tokens to impersonate a legitimate administrator.T1078.001 - Default Accounts: Attackers are specifically targeting the built-in 'admin' account.
Impact Assessment
A successful exploit grants the attacker full administrative access to the Fortinet appliance. This is a worst-case scenario, as these devices are often at the network perimeter. A compromised firewall or web application firewall allows an attacker to:
- Disable security policies and allow malicious traffic into the network.
- Create VPN tunnels to establish a persistent foothold.
- Monitor all network traffic passing through the device.
- Launch further attacks against the internal network.
- Deploy malware or ransomware.
Essentially, a compromise of the primary network security appliance renders all other perimeter defenses moot.
IOCs
Arctic Wolf has observed malicious login attempts from the following IP ranges:
| Type | Value | Description |
|---|---|---|
ip_address_v4 |
104.223.89.0/24 |
Associated with The Constant Company LLC |
ip_address_v4 |
103.189.172.0/24 |
Associated with Kaopu Cloud HK Limited |
Cyber Observables for Detection
| Type | Value | Description |
|---|---|---|
log_source |
FortiGate System Event Logs |
Look for successful administrative logins from unexpected IP addresses or geographic locations, especially with the message msg="Admin [admin] login successfully from [IP_ADDRESS] via FortiCloud SSO". |
command_line_pattern |
diagnose debug authd -1 |
On the FortiGate CLI, this command can be used to debug authentication attempts and may show details of a malicious SAML assertion. |
configuration_setting |
config system global -> set forticloud-sso-login |
Check if this setting is enabled. If it is, the device is potentially vulnerable if not patched. |
Detection & Response
- Review Logs: Immediately review system event logs on all Fortinet appliances for successful administrative logins via FortiCloud SSO from unknown or suspicious IP addresses. Pay close attention to logins for the 'admin' account.
- Threat Hunting: Hunt for any connections to or from the IOC IP addresses provided by Arctic Wolf. This aligns with D3FEND Network Traffic Analysis (D3-NTA).
- Assume Compromise: If any suspicious SSO login is found, assume the device is fully compromised. Trigger the incident response plan, isolate the device if possible, and prepare to reset it to factory defaults and restore from a clean backup after patching.
Mitigation
- Patch Immediately: Upgrade to a patched version of the relevant Fortinet software as soon as possible. This is the most effective mitigation and is a direct application of D3FEND Software Update (D3-SU).
- Disable FortiCloud SSO (Workaround): If patching is not immediately possible, disable the FortiCloud SSO feature. This can be done via the CLI with the following commands:
This removes the vulnerable attack surface. This is an example of D3FEND Application Configuration Hardening (D3-ACH).config system global set forticloud-sso-login disable end - Credential Reset: If any suspicious activity is detected, immediately reset the passwords for all administrative accounts on the device.
- Restrict Admin Access: As a general best practice, restrict administrative access to Fortinet devices to a trusted set of internal IP addresses or a dedicated management network.
Timeline of Events
MITRE ATT&CK Mitigations
Update Software
Applying the patches from Fortinet is the primary and most effective mitigation.
Disabling the FortiCloud SSO login feature serves as a direct workaround to remove the attack surface.
Restricting administrative access to the Fortinet device to a trusted management network reduces exposure to external attackers.
D3FEND Defensive Countermeasures
The definitive countermeasure for CVE-2025-59718 and CVE-2025-59719 is to immediately apply the security patches provided by Fortinet. Given that these are critical, unauthenticated bypass vulnerabilities under active exploitation, patching should be considered an emergency action. Organizations must use their asset inventory and patch management systems to identify all vulnerable Fortinet products (FortiOS, FortiWeb, etc.) and deploy the appropriate firmware updates. Prioritize internet-facing devices, as they are the most exposed. Failure to patch leaves a direct path for attackers to gain full administrative control of the network perimeter. After patching, verify the update was successful and that the device is running a fixed software version.
As an immediate workaround or a defense-in-depth measure, Application Configuration Hardening should be applied by disabling the vulnerable feature. Administrators must explicitly disable the FortiCloud SSO login feature if it is not essential for their operations. This can be done via the device's command-line interface. Since the feature can be enabled automatically during device registration, it's crucial to audit all Fortinet devices to confirm the status of the forticloud-sso-login setting. Disabling this feature entirely removes the vulnerable code path from being accessible to an attacker, providing a highly effective mitigation until a patch can be deployed. This action directly hardens the device's configuration to reduce its attack surface.
To detect potential exploitation of these vulnerabilities, organizations must implement rigorous Local Account Monitoring on their Fortinet devices. All administrative login events must be forwarded to a central SIEM for analysis. Create high-priority alerts for any successful login using the FortiCloud SSO method, especially for the default 'admin' account. Correlate these logins with geolocation data and IP reputation feeds to quickly identify suspicious activity, such as a login from an unexpected country or a known malicious IP address. The log message Admin [admin] login successfully... via FortiCloud SSO is a key indicator. By actively monitoring these specific events, security teams can rapidly detect a successful compromise and initiate their incident response process to contain the threat.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats