
Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass

Published:

16 December 2025 at 10:58:00

Alert date:

16 December 2025 at 12:01:44

Source:

thehackernews.com


Network Infrastructure, Identity & Access, Zero-Day Vulnerabilities

Threat actors are actively exploiting two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in Fortinet FortiGate devices, less than a week after public disclosure. Arctic Wolf observed malicious SSO logins on FortiGate appliances on December 12, 2025. The attacks target SAML SSO authentication mechanisms, allowing unauthorized access to enterprise networks. This represents an immediate threat to organizations using affected FortiGate devices for network security and access control.

Technical details

Two critical authentication bypass vulnerabilities in Fortinet FortiGate devices allow an unauthenticated attacker to bypass SSO login authentication via crafted SAML messages when the FortiCloud SSO feature is enabled. Both vulnerabilities have a CVSS score of 9.8. While FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators explicitly disable it. Attackers are performing malicious SSO logins against admin accounts and exporting device configurations via the GUI to extract potentially sensitive information, including hashed credentials.

Mitigation steps:

Apply patches immediately
Disable FortiCloud SSO until instances are updated to the latest version
Limit access to the management interfaces of firewalls and VPNs to trusted internal users only
Reset hashed firewall credentials stored in potentially exfiltrated configurations if indicators of compromise are found
Assume compromise if IoCs consistent with the campaign are discovered

Affected products:

Fortinet FortiOS
Fortinet FortiWeb
Fortinet FortiProxy
Fortinet FortiSwitchManager

IOCs:

IP addresses associated with The Constant Company LLC
IP addresses associated with BL Networks
IP addresses associated with Kaopu Cloud HK Limited
Malicious SSO logins targeting admin accounts
Configuration exports via GUI to suspicious IP addresses
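The two behaviours listed above (SSO logins to admin accounts from untrusted sources, followed by a GUI configuration export from the same source) can be triaged from device event logs. The script below is an added example, not part of the advisory or any Fortinet tooling; the key=value log lines are constructed for the example and their field names (action, method, ui, srcip) are assumptions, as is the trusted management range, so adjust both to the real log schema and network before use.

```python
import ipaddress
import re

# Constructed sample events in a key=value style; field names are assumed for
# this example and are not taken from the advisory or from FortiOS documentation.
SAMPLE_LOGS = [
    'type="event" action="login" method="sso" user="admin" srcip=10.0.5.20 status="success"',
    'type="event" action="login" method="sso" user="admin" srcip=203.0.113.45 status="success"',
    'type="event" action="login" method="local" user="ops" srcip=10.0.5.21 status="success"',
    'type="event" action="config-backup" ui="GUI" user="admin" srcip=203.0.113.45',
    'type="event" action="config-backup" ui="GUI" user="admin" srcip=10.0.5.20',
]

# Assumed trusted management network: only these sources should reach the admin UI.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ACCOUNTS = {"admin"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse(line):
    """Split a key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def is_trusted(ip):
    """True when the source address falls inside an allowed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in TRUSTED_MGMT)


def triage(lines):
    """Return (finding, srcip, user) tuples for the campaign's two behaviours.

    A GUI config export from a source that already performed an untrusted SSO
    admin login is rated separately, since that is the exfiltration step."""
    findings = []
    sso_sources = set()
    for ev in map(parse, lines):
        src = ev.get("srcip", "")
        if is_trusted(src):
            continue
        if ev.get("action") == "login" and ev.get("method") == "sso" and ev.get("user") in ADMIN_ACCOUNTS:
            sso_sources.add(src)
            findings.append(("untrusted_sso_admin_login", src, ev["user"]))
        elif ev.get("action") == "config-backup" and ev.get("ui") == "GUI":
            kind = "config_export_after_untrusted_sso" if src in sso_sources else "untrusted_config_export"
            findings.append((kind, src, ev.get("user", "")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```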

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
