Wednesday, December 17, 2025

Fortinet SSO flaws under active attack, administrators urged to patch fast

Security teams are facing an active attack campaign targeting widely used Fortinet network devices through critical authentication bypass flaws.

Attackers are exploiting CVE-2025-59718 and CVE-2025-59719 to gain unauthenticated single sign-on access by sending malicious SAML messages. This technique allows threat actors to log in as administrators without valid credentials and take full control of affected systems.

Fortinet confirmed the vulnerabilities in a PSIRT advisory issued on December 9, 2025. Soon after, a cybersecurity firm released a separate alert warning that the flaws are already being exploited and called for immediate patching.

The issues affect multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy and FortiSwitchManager, when FortiCloud SSO is enabled.

Fortinet FortiCloud SSO is disabled by default in factory settings. However, it is automatically turned on during device registration through the FortiCare GUI unless administrators manually disable the “Allow administrative login using FortiCloud SSO” option. This oversight can leave internet-facing devices exposed to remote compromise.

Once SSO is active, attackers can fully bypass authentication by crafting SAML assertions. Investigators reported attacks coming from a limited group of IP addresses linked to providers such as The Constant Company LLC and Kaopu Cloud HK Limited. The default “admin” account is the primary target.

A log entry from a compromised FortiGate device shows a successful SSO login:

date=2025-12-12 time=REDACTED … logid="0100032001" … user="admin" ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 … action="login" status="success" …

After gaining access, attackers downloaded device configuration files through the GUI from the same IP addresses, as shown below:

date=2025-12-12 time=REDACTED … logid="0100032095" … action="download" … msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"
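To hunt for the pattern the two log entries above describe, here is an added example (not from the article, Fortinet or the investigators): a small Python parser for FortiGate key=value event lines that flags successful SSO admin logins from addresses outside an allow-list of expected SSO sources and correlates them with GUI config downloads from the same address. The sample lines, the netops login and the expected_sso_sources parameter are constructed for the example.

```python
import re

# Constructed sample lines modelled on the two FortiGate entries quoted above.
# Values are illustrative; IPs are defanged with [.] exactly as in the article.
SAMPLE_LOGS = [
    'date=2025-12-12 time=10:01:02 logid="0100032001" user="admin" '
    'ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 '
    'action="login" status="success"',
    'date=2025-12-12 time=10:03:15 logid="0100032095" user="admin" action="download" '
    'msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"',
    'date=2025-12-12 time=11:00:00 logid="0100032001" user="netops" '
    'ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Parse one FortiGate key=value event line into a dict."""
    # findall yields '' for the alternative that did not match, so `q or b` picks the value
    return {k: q or b for k, q, b in KV_RE.findall(line)}

def refang(ip):
    """Turn a defanged address like 199.247.7[.]82 back into a comparable form."""
    return ip.replace("[.]", ".")

def find_sso_admin_activity(lines, expected_sso_sources=()):
    """Return (kind, user, srcip) tuples for successful SSO logins from addresses
    not in expected_sso_sources (logid 0100032001) and GUI config downloads (0100032095)."""
    findings = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if (ev.get("logid") == "0100032001" and ev.get("method") == "sso"
                and ev.get("status") == "success"):
            src = refang(ev.get("srcip", ""))
            if src not in expected_sso_sources:
                findings.append(("sso_login", ev.get("user"), src))
        elif ev.get("logid") == "0100032095" and ev.get("action") == "download":
            m = re.search(r"GUI\(([^)]+)\)", ev.get("msg", ""))  # source is only in msg
            findings.append(("config_download", ev.get("user"), refang(m.group(1)) if m else ""))
    return findings

def correlate(findings):
    """Sources that both logged in via SSO and pulled the config: the article's pattern."""
    logins = {src for kind, _, src in findings if kind == "sso_login"}
    downloads = {src for kind, _, src in findings if kind == "config_download"}
    return sorted(logins & downloads)

if __name__ == "__main__":
    print(correlate(find_sso_admin_activity(SAMPLE_LOGS)))
```

A hit from correlate() is the strongest signal here; a lone SSO login from an unexpected address still warrants the credential reset the article recommends.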

Fortinet has released patched versions across affected branches. FortiOS 6.4, FortiWeb 7.0 and FortiWeb 7.2 are not impacted.

If suspicious logs are found, all firewall credentials should be reset immediately. Even hashed passwords in exported configurations can be cracked offline if weak secrets are used.

As a temporary mitigation, administrators can disable FortiCloud SSO by navigating to System > Settings and switching “Allow administrative login using FortiCloud SSO” to Off, or with the following CLI commands:

config system global
    set admin-forticloud-sso-login disable
end

Organizations are urged to prioritize upgrades, as internet-exposed firewall devices, easily discoverable through search engines, continue to face increased targeting.
