Critical Fortinet Vulnerabilities Actively Exploited
CVE-2025-59718 & CVE-2025-59719
Executive Summary
Threat actors are actively exploiting two critical-severity authentication bypass vulnerabilities affecting multiple Fortinet products. These flaws allow attackers to gain unauthenticated administrative access via FortiCloud Single Sign-On (SSO) and exfiltrate system configuration files, potentially enabling further compromise of enterprise networks.
Fortinet disclosed these vulnerabilities on December 9, and active exploitation was observed starting December 12, according to Arctic Wolf.
Vulnerability Details
CVE-2025-59718
- Affected Products
- FortiOS
- FortiProxy
- FortiSwitchManager
- Severity: Critical
- Root Cause
- Improper verification of cryptographic signatures in SAML authentication messages used by FortiCloud SSO
- Impact
- An attacker can submit a maliciously crafted SAML assertion
- Authentication is bypassed entirely
- Results in unauthenticated administrative login
CVE-2025-59719
- Affected Products
- FortiWeb
- Severity: Critical
- Root Cause
- Similar cryptographic signature validation flaw in SAML-based FortiCloud SSO
- Impact
- Enables attackers to forge SSO authentication
- Grants unauthorized administrative-level access
Exploitation Conditions
- These vulnerabilities are only exploitable if FortiCloud SSO is enabled
- FortiCloud SSO is not enabled by default
- However, it is automatically enabled when devices are registered via the FortiCare portal, unless explicitly disabled by administrators
Observed Threat Activity
Attack Timeline
- Initial exploitation observed: December 12
- Source of attacks: Multiple IP addresses associated with:
- The Constant Company
- BL Networks
- Kaopu Cloud HK
Attack Techniques
- Attackers perform malicious SSO authentication attempts targeting administrator accounts
- Upon successful bypass:
- Access the web-based management interface
- Download full system configuration files
Impact of Configuration File Exfiltration
Stolen configuration files may expose:
- Network topology and internal architecture
- Internet-facing services and interfaces
- Firewall and security policies
- Routing tables
- VPN configurations
- Hashed administrator passwords, which may be cracked if weak
The targeted exfiltration of configuration data strongly suggests malicious intent rather than opportunistic scanning or security research and may facilitate future targeted attacks.
Affected Versions
The vulnerabilities affect most supported versions of Fortinet products, except:
- FortiOS 6.4
- FortiWeb 7.0 and 7.2
Mitigation and Remediation Guidance
Immediate Mitigation (Strongly Recommended)
If running a vulnerable version and unable to upgrade immediately:
- Disable FortiCloud SSO
- Navigate to:
System → Settings → Allow administrative login using FortiCloud SSO - Set the option to Off
- Navigate to:
Permanent Remediation: Upgrade to Fixed Versions
FortiOS
- 7.6.4 or later
- 7.4.9 or later
- 7.2.12 or later
- 7.0.18 or later
FortiProxy
- 7.6.4 or later
- 7.4.11 or later
- 7.2.15 or later
- 7.0.22 or later
FortiSwitchManager
- 7.2.7 or later
- 7.0.6 or later
FortiWeb
- 8.0.1 or later
- 7.6.5 or later
- 7.4.10 or later
Post-Compromise Actions
If any indicators of compromise are detected:
Bastion hosts or jump servers only
Immediately rotate all administrative credentials
Regenerate API keys and certificates if applicable
Review authentication, system, and admin action logs
Restrict firewall and VPN management access to:
Trusted internal networks
Management VLANs
