Critical Fortinet SSO Vulnerabilities Under Active Exploitation — Admin Accounts and Config Files Targeted

Threat actors are actively exploiting two critical-severity authentication bypassAuthentication Bypass📖A security vulnerabilityVulnerability🛡️A weakness in software, hardware, or processes that can be exploited by attackers to gain unauthorized access or cause harm. that allows an attacker to circumvent the login verification process and gain unauthorized access to a system without providing valid credentials. vulnerabilities affecting multiple Fortinet products to gain unauthorized administrative access and steal sensitive system configuration files. The two vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, were disclosed by Fortinet on December 9, 2025, with active exploitation observed in the wild starting December 12.

Both vulnerabilities exploitExploit🛡️Code or technique that takes advantage of a vulnerability to cause unintended behavior, such as gaining unauthorized access. weaknesses in the FortiCloudFortiCloud📖Fortinet's cloud-based management and services platform that provides centralized management, logging, reporting, and single sign-on capabilities for Fortinet security products. Single Sign-On (SSO) authentication mechanism, specifically in the cryptographic signatureCryptographic Signature📖A mathematical scheme that uses public key cryptography to verify the authenticity and integrity of digital data, ensuring the content has not been altered and was created by the claimed sender. validation of SAML messages. By crafting malicious SAML assertions, attackers can bypass authentication entirely and log into administrative interfaces without valid credentials—a severe authentication bypass that gives them full control over affected network security devices.

Security researchers at Arctic Wolf have observed attacks targeting admin accounts across FortiOS firewalls, FortiProxy secure web gateways, FortiSwitchManager, and FortiWeb web application firewalls. The attackers are not simply probing for vulnerabilities—they are downloading complete system configuration files, which can expose network architecture, firewallFirewall🌐Security system that monitors and controls network traffic based on predetermined rules. rules, VPN configurations, and hashed administrator passwords.

Understanding the Vulnerabilities

The two CVEs share a common root cause: improper verification of cryptographic signatures in SAML (Security Assertion Markup Language) messages used for FortiCloud SSO authentication. SAML is an XML-based standard that enables single sign-on by allowing identity providers to pass authentication credentials to service providers. When the signature verification is flawed, attackers can forge authentication assertions that the system accepts as legitimate.

CVE-2025-59718: FortiOS, FortiProxy, and FortiSwitchManager

This critical vulnerability affects the core Fortinet operating system (FortiOS), the FortiProxy secure web gateway, and FortiSwitchManager—the centralized management platform for FortiSwitch devices. The flaw exists in the way these products validate cryptographic signatures on incoming SAML assertions during FortiCloud SSO authentication. An attacker who submits a maliciously crafted SAML assertionSAML Assertion📖An XML document issued by an identity provider containing statements about a user's identity, attributes, and authentication status, used to grant access to service providers in SSO systems. can bypass the authentication mechanism entirely, gaining administrative access without providing valid credentials.

CVE-2025-59719: FortiWeb

The second vulnerability specifically targets FortiWeb, Fortinet's web application firewall product. It arises from a similar cryptographic signature validation flaw in the SAML message processing. Successful exploitation enables unauthenticated administrative access via forged SSO credentials. FortiWeb devices are particularly sensitive targets because they protect web applications and often have visibility into HTTP/HTTPS traffic, making their compromise especially valuable for attackers conducting reconnaissance or planning further attacks.

Exploitation Prerequisites

Both vulnerabilities are only exploitable when FortiCloud SSO is enabled on the device. Importantly, FortiCloud SSO is not enabled by default—however, it is activated automatically when devices are registered through the FortiCare user interface. This means that many organizations may have FortiCloud SSO enabled without explicitly configuring it, simply because they registered their devices for support and maintenance purposes.

Organizations should immediately check their FortiCloud SSO settings. The feature can be found under System → Settings → "Allow administrative login using FortiCloud SSO." If this option is enabled on any device running a vulnerable firmwareFirmware🏠Permanent software programmed into a device's hardware that controls its basic functions. version, that device is at risk.

Active Exploitation Observed in the Wild

Cybersecurity researchers at Arctic Wolf detected active exploitation of both CVEs beginning December 12, 2025—just three days after Fortinet's public advisory. The rapid weaponization of these vulnerabilities underscores the urgency for organizations to apply patches or implement mitigations immediately.

According to Arctic Wolf's observations, the attacks originated from multiple IP addresses associated with The Constant Company, BL Networks, and Kaopu Cloud HK—hosting providers that have been linked to other malicious activities. The attackers specifically targeted administrative accounts using malicious single sign-on authentication requests.

Attack Pattern and Behavior

Analysis of compromised systems reveals a consistent attack pattern. The threat actors first authenticate using the forged SAML assertions to gain administrative access to the web management interface. The authentication logs show successful SSO logins from external IP addresses that do not correspond to legitimate administrative access.

Once authenticated, the attackers immediately accessed the system configuration and initiated downloads of the full configuration files. These files contain highly sensitive information about the organization's network security posture.

Why Stolen Configuration Files Are Dangerous

The exfiltration of firewall configuration files represents a significant security concern that goes beyond the immediate access gained. These files can expose:

Network topology and architecture: Internal network layouts, VLAN configurations, and routing tables reveal how traffic flows through the organization.

Internet-facing services: Configuration files identify which services are exposed to the internet and how they are protected.

Firewall policies and rules: Attackers can identify gaps in security policies or find allowed pathways through the firewall.

VPN configurations: Remote access VPN settings, including authentication methods and network access policies.

Hashed administrator passwords: While hashed, weak passwords may be crackable using dictionary attacks or rainbow tables, potentially providing persistent access.

The fact that attackers are downloading these configuration files suggests this is not opportunistic scanning by security researchers—this is reconnaissance for future attacks. The stolen configurations provide a detailed blueprint for planning targeted intrusions, identifying the most valuable systems, and understanding exactly how to bypass security controls.

Affected Products and Versions

The vulnerabilities affect multiple product lines across several firmware branches. Notably, FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2 are NOT affected by these vulnerabilities. For all other versions, administrators must upgrade to patched releases or implement the recommended mitigations.

FortiOS (CVE-2025-59718)

Vulnerable versions include FortiOS 7.6.x prior to 7.6.4, 7.4.x prior to 7.4.9, 7.2.x prior to 7.2.12, and 7.0.x prior to 7.0.18. Organizations should upgrade to FortiOS 7.6.4+, 7.4.9+, 7.2.12+, or 7.0.18+ respectively.

FortiProxy (CVE-2025-59718)

Vulnerable versions include FortiProxy 7.6.x prior to 7.6.4, 7.4.x prior to 7.4.11, 7.2.x prior to 7.2.15, and 7.0.x prior to 7.0.22. Organizations should upgrade to FortiProxy 7.6.4+, 7.4.11+, 7.2.15+, or 7.0.22+ respectively.

FortiSwitchManager (CVE-2025-59718)

Vulnerable versions include FortiSwitchManager 7.2.x prior to 7.2.7 and 7.0.x prior to 7.0.6. Organizations should upgrade to FortiSwitchManager 7.2.7+ or 7.0.6+ respectively.

FortiWeb (CVE-2025-59719)

Vulnerable versions include FortiWeb 8.0.x prior to 8.0.1, 7.6.x prior to 7.6.5, and 7.4.x prior to 7.4.10. FortiWeb 7.0 and 7.2 branches are not affected. Organizations running vulnerable versions should upgrade to FortiWeb 8.0.1+, 7.6.5+, or 7.4.10+ respectively.

Immediate Actions Required

Given the active exploitation and critical severity of these vulnerabilities, organizations running affected Fortinet products should take immediate action. Fortinet and security researchers recommend the following steps:

Disable FortiCloud SSO immediately: Navigate to System → Settings and set "Allow administrative login using FortiCloud SSO" to Off. This eliminates the attack vector while you plan your upgrade.

Upgrade to patched firmware: Apply the security updates as soon as possible. Patched versions are available for all affected product lines.

Review authentication logs: Check for suspicious SSO authentication events from unknown IP addresses, particularly any activity since December 9, 2025.

Look for configuration downloads: Review logs for any configuration backup or export operations that were not initiated by authorized administrators.

Rotate credentials if compromised: If any signs of unauthorized access are discovered, immediately rotate all administrator passwords and API keys. Consider generating new local admin accounts with strong, unique passwords.

Restrict management access: Arctic Wolf recommends limiting firewall and VPN management interface access to trusted internal networks only. Management interfaces should never be exposed to the public internet.

Indicators of Compromise

Organizations should monitor for the following indicators that may suggest exploitation of these vulnerabilities:

Successful SSO authentication events from unexpected IP addresses or geolocations

Administrative access outside normal business hours or from unfamiliar source IPs

Configuration backup or export operations in audit logs that do not correspond to authorized activities

Connections from IP ranges associated with The Constant Company, BL Networks, or Kaopu Cloud HK

New administrator accounts or changes to existing account permissions that were not authorized

Broader Context: SAML Vulnerabilities in Enterprise Security

These Fortinet vulnerabilities are part of a broader pattern of SAML-related security issues affecting enterprise products. SAML's complexity and the difficulty of correctly implementing cryptographic signature verification have led to similar vulnerabilities in products from multiple vendors over the years. The protocol's reliance on XML parsing and cryptographic operations creates multiple opportunities for implementation errors.

For organizations that rely heavily on federated authentication and single sign-on, these incidents highlight the importance of defense in depthDefense in Depth🛡️A security strategy using multiple layers of protection so that if one layer fails, other layers continue to provide security.. SSO provides convenience and can improve security by centralizing authentication, but it also creates a single point of failure. When SSO implementations have vulnerabilities, the impact can be severe because a single exploit provides access to multiple systems.

Learn More About These Security Concepts

Understanding the technical concepts behind these vulnerabilities helps organizations better assess their risk and implement appropriate protections. Explore our educational resources to deepen your knowledge:

What is SAML? Understanding Single Sign-On Authentication — Learn how SAML works, why it's widely used for enterprise authentication, and the security considerations organizations should understand.

Firewall Configuration Security: Protecting Your Network's Blueprint — Understand why firewall configuration files are high-value targets and how to protect this sensitive information.

Authentication Bypass Vulnerabilities: How Attackers Defeat Login Security — A deep dive into the techniques attackers use to bypass authentication mechanisms, including cryptographic implementation flaws.

The active exploitation of CVE-2025-59718 and CVE-2025-59719 represents a serious threat to organizations using Fortinet security products. The combination of critical-severity authentication bypass vulnerabilities with observed data exfiltrationData Exfiltration📖The unauthorized transfer or theft of data from a computer or network, typically performed by attackers after gaining access to a system. activity demands immediate attention. Organizations should disable FortiCloud SSO on vulnerable devices immediately and prioritize upgrading to patched firmware versions. Any systems showing signs of compromise require credential rotation and thorough investigation.