Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass
Threat actors are actively exploiting recently disclosed vulnerabilities in Fortinet FortiGate devices to bypass SAML SSO authentication. Patches are available.
Fortinet FortiGate devices are currently under attack, with malicious actors exploiting two recently revealed security vulnerabilities. These flaws allow attackers to bypass SAML single sign-on (SSO) authentication.
Cybersecurity firm Arctic Wolf reported observing active intrusions on December 12, 2025, involving unauthorized SSO logins on FortiGate appliances. The attacks leverage CVE-2025-59718 and CVE-2025-59719, both carrying a critical CVSS score of 9.8. Fortinet released patches last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager to address these issues.
According to Arctic Wolf Labs, the vulnerabilities enable unauthenticated bypass of SSO login authentication through specially crafted SAML messages, but only if the FortiCloud SSO feature is enabled on the affected devices. While FortiCloud SSO is disabled by default, it is automatically activated during FortiCare registration unless administrators manually disable the "Allow administrative login using FortiCloud SSO" setting on the registration page.
Arctic Wolf's investigation revealed that the malicious SSO logins against the "admin" account originated from IP addresses associated with hosting providers including The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited. After gaining access, the attackers exported device configurations through the GUI to the same IP addresses.
Given the ongoing exploitation, organizations are urged to apply the available patches immediately. As a precaution, disabling FortiCloud SSO until the instances are updated to the latest version is recommended. Limiting access to the management interfaces of firewalls and VPNs to trusted internal users is also crucial.
Arctic Wolf also noted that even though credentials are typically hashed in network appliance configurations, attackers are known to crack these hashes offline, particularly if the credentials are weak and susceptible to dictionary attacks. Fortinet customers who identify indicators of compromise (IoCs) consistent with this campaign should assume their systems have been compromised and reset the hashed firewall credentials stored in the exfiltrated configurations.
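The login-then-export sequence described above can be triaged from FortiGate event logs. The following Python script is an added example, not code from the article, Arctic Wolf or Fortinet: it flags successful "admin" logins made through FortiCloud SSO from outside a trusted management network and records whether the same source IP subsequently exported the configuration. The log lines, their field names and the trusted network are constructed assumptions in the FortiOS key=value style, not output from any real device.

```python
import re
from ipaddress import ip_address, ip_network

# FortiOS-style key=value event log lines. CONSTRUCTED for illustration:
# the field names follow the usual FortiOS layout but are an assumption,
# not copied from a real device or from the article.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 type="event" subtype="system" user="admin" '
    'ui="sso(203.0.113.25)" srcip=203.0.113.25 action="login" status="success" '
    'msg="Administrator admin logged in successfully from sso(203.0.113.25)"',
    'date=2025-12-12 time=03:15:40 type="event" subtype="system" user="admin" '
    'ui="GUI(203.0.113.25)" srcip=203.0.113.25 action="backup" status="success" '
    'msg="Configuration is backed up to GUI"',
    'date=2025-12-12 time=09:00:02 type="event" subtype="system" user="admin" '
    'ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.20.0.5)"',
]

# Networks from which administrative logins are expected (assumed value).
TRUSTED_MGMT = [ip_network("10.20.0.0/16")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict with quotes stripped."""
    return {k: (q or b) for k, q, b in KV_RE.findall(line)}


def is_trusted(ip):
    """True if the source address lies inside an expected management network."""
    return any(ip_address(ip) in net for net in TRUSTED_MGMT)


def find_suspicious_sso_sessions(lines):
    """Flag successful logins made via FortiCloud SSO from an untrusted IP and
    note whether that same IP later exported the configuration."""
    events = [parse_line(ln) for ln in lines]
    findings = []
    for ev in events:
        if not (ev.get("action") == "login" and ev.get("status") == "success"
                and ev.get("ui", "").startswith("sso(")
                and not is_trusted(ev["srcip"])):
            continue
        stamp = f'{ev["date"]} {ev["time"]}'
        exported = any(x.get("action") == "backup" and x.get("srcip") == ev["srcip"]
                       and f'{x["date"]} {x["time"]}' >= stamp for x in events)
        findings.append({"time": stamp, "user": ev.get("user"),
                         "srcip": ev["srcip"], "config_exported": exported})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sso_sessions(SAMPLE_LOGS):
        print(finding)
```

Any hit with `config_exported` set should be treated as the exfiltration case the article describes, which is where the credential reset advice above applies.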