Hackers exploit newly patched Fortinet auth bypass flaws

Published:

16 December 2025 at 15:57:34

Alert date:

16 December 2025 at 16:01:34

Source:

bleepingcomputer.com


Network Infrastructure, Identity & Access, Zero-Day Vulnerabilities

Hackers are actively exploiting critical-severity authentication bypass vulnerabilities affecting multiple Fortinet products. The attacks allow unauthorized access to admin accounts and theft of system configuration files. These newly patched flaws are being targeted in the wild, representing an immediate security risk for organizations running affected Fortinet products.

Technical details

Two critical authentication bypass vulnerabilities in Fortinet products stem from improper verification of cryptographic signatures in SAML messages. CVE-2025-59718 affects FortiCloud SSO authentication in FortiOS, FortiProxy, and FortiSwitchManager, while CVE-2025-59719 affects FortiWeb. Both vulnerabilities allow attackers to log in without valid credentials by submitting maliciously crafted SAML assertions or forged SSO messages. The flaws are only exploitable when FortiCloud SSO is enabled, which happens automatically when a device is registered through the FortiCare user interface. Attackers gain admin-level access and can download system configuration files containing network layouts, firewall policies, routing tables, and hashed passwords.

Mitigation steps:

1. Upgrade to patched versions: FortiOS 7.6.4+/7.4.9+/7.2.12+/7.0.18+, FortiProxy 7.6.4+/7.4.11+/7.2.15+/7.0.22+, FortiSwitchManager 7.2.7+/7.0.6+, FortiWeb 8.0.1+/7.6.5+/7.4.10+.
2. Until an upgrade is possible, temporarily disable the FortiCloud login feature via System → Settings → 'Allow administrative login using FortiCloud SSO' = Off.
3. If signs of compromise are found, rotate firewall credentials immediately.
4. Limit firewall/VPN management access to trusted internal networks only.

Affected products:

FortiOS: versions prior to 7.6.4, 7.4.9, 7.2.12, 7.0.18 (except 6.4)
FortiProxy: versions prior to 7.6.4, 7.4.11, 7.2.15, 7.0.22
FortiSwitchManager: versions prior to 7.2.7, 7.0.6
FortiWeb: versions prior to 8.0.1, 7.6.5, 7.4.10 (except 7.0 and 7.2)

IOCs:

IP addresses linked to The Constant Company, IP addresses linked to BL Networks, IP addresses linked to Kaopu Cloud HK, Malicious SSO login attempts targeting admin accounts, Configuration file download activities after authentication bypass
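The IOC list above pairs SSO admin logins from unexpected sources with configuration downloads shortly afterwards. The following added example, which is not code from the original advisory or from Fortinet, correlates those two events over constructed, simplified key=value log lines; the field names (logdesc, user, srcip, method) and the trusted management network are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample events in a simplified key=value style; the field names
# (logdesc, user, srcip, method) are assumptions for this example, not a
# documented Fortinet log schema. Lines are assumed to be in time order.
SAMPLE_LOG = """\
date=2025-12-16 time=10:01:02 logdesc="Admin login successful" user="admin" srcip=10.0.5.20 method=https
date=2025-12-16 time=10:14:40 logdesc="Admin login successful" user="admin" srcip=203.0.113.45 method=sso
date=2025-12-16 time=10:15:05 logdesc="Config download" user="admin" srcip=203.0.113.45
date=2025-12-16 time=11:30:00 logdesc="Admin login successful" user="auditor" srcip=10.0.5.21 method=sso
"""

# Assumed management networks from which admin access is expected (mitigation
# step 4), and how soon after an SSO login a config download is linked to it.
TRUSTED_MGMT_NETS = [ip_network("10.0.5.0/24")]
WINDOW = timedelta(minutes=10)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
def parse_line(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_MGMT_NETS)

def find_suspicious_sso(log_text):
    """Flag admin SSO logins from outside the trusted management networks;
    escalate to 'high' when the same user and source pull the configuration
    within WINDOW, the post-bypass behaviour described in the advisory."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev.get("logdesc") != "Admin login successful" or ev.get("method") != "sso":
            continue
        if is_trusted(ev["srcip"]):
            continue
        severity = "medium"
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW:
                break  # events are time-ordered, nothing later can match
            if (later.get("logdesc") == "Config download"
                    and later["user"] == ev["user"] and later["srcip"] == ev["srcip"]):
                severity = "high"
                break
        findings.append((ev["ts"].isoformat(), ev["user"], ev["srcip"], severity))
    return findings
```

Running `find_suspicious_sso(SAMPLE_LOG)` reports only the external SSO login at 10:14:40 as high, because the same user and source downloaded the configuration 25 seconds later.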

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
