Fortinet recently disclosed two critical vulnerabilities in its FortiCloud Single Sign-On (SSO) authentication mechanism, affecting multiple products including FortiGate firewalls (which run FortiOS). These flaws allow unauthenticated attackers to bypass login protections using crafted SAML messages, potentially granting administrative access.
The issues were patched in early December 2025, but evidence has emerged of active exploitation in the wild targeting FortiGate devices, with intrusions observed as early as December 12, 2025. Threat actors are leveraging these vulnerabilities to perform malicious SSO logins, highlighting the urgency for organizations using Fortinet products to apply mitigations immediately.
Vulnerability Details
• CVE-2025-59718: An improper verification of cryptographic signatures (CWE-347) in the FortiCloud SSO login process. This enables attackers to forge authentication tokens and bypass SSO without valid credentials.
• CVE-2025-59719: A related authentication bypass flaw, also tied to SSO login validation failures.
Both carry a CVSS v3.1 base score of 9.1 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impacts from network-accessible exploitation without user interaction.
Affected Products and Versions (only when FortiCloud SSO is enabled, which is not default but often activated during device registration):
• FortiOS (FortiGate firewalls): 7.6.0–7.6.3, 7.4.0–7.4.8, 7.2.0–7.2.11, 7.0.0–7.0.17
• FortiProxy: 7.6.0–7.6.3, 7.4.0–7.4.10, 7.2.0–7.2.14, 7.0.0–7.0.21
• FortiSwitchManager: 7.2.0–7.2.6, 7.0.0–7.0.5
• FortiWeb: 8.0.0, 7.6.0–7.6.4, 7.4.0–7.4.9
Older branches like FortiOS 6.4 and certain FortiWeb versions (7.2.x, 7.0.x) are unaffected.
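Checking an inventory against the ranges above by hand is error-prone (7.4.10 sorts before 7.4.8 as a string, and a device on an affected build with SSO turned off is not exploitable through this bug). The following Python script, an added example that is not Fortinet tooling, transcribes the affected ranges listed above into data and triages constructed inventory records; the record layout, hostnames and helper names are assumptions made for illustration.

```python
"""Triage Fortinet builds against the affected ranges listed for
CVE-2025-59718 / CVE-2025-59719 (exploitable only when FortiCloud SSO is enabled).

Added example, not Fortinet tooling: the ranges are transcribed from the advisory
summary; inventory records and helper names are constructed for illustration.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive (lowest, highest) affected builds per product, per the advisory summary.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiOS": [("7.6.0", "7.6.3"), ("7.4.0", "7.4.8"), ("7.2.0", "7.2.11"), ("7.0.0", "7.0.17")],
    "FortiProxy": [("7.6.0", "7.6.3"), ("7.4.0", "7.4.10"), ("7.2.0", "7.2.14"), ("7.0.0", "7.0.21")],
    "FortiSwitchManager": [("7.2.0", "7.2.6"), ("7.0.0", "7.0.5")],
    "FortiWeb": [("8.0.0", "8.0.0"), ("7.6.0", "7.6.4"), ("7.4.0", "7.4.9")],
}


def parse_version(text: str) -> Version:
    """Normalise 'v7.4.8', '7.4.8' or '7.4.8 build2795' to the tuple (7, 4, 8).

    Tuples compare element-wise, so 7.4.10 correctly sorts after 7.4.8,
    which a plain string comparison would get wrong.
    """
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def in_affected_range(product: str, version: str) -> bool:
    """True when the build sits inside one of the product's affected ranges."""
    if product not in AFFECTED:
        raise KeyError(f"no advisory data for product {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[product])


def is_exposed(product: str, version: str, sso_enabled: bool) -> bool:
    """Exposed = affected build AND FortiCloud SSO admin login enabled.

    An affected build with SSO disabled still needs the patch, but is not
    reachable through this bug (SSO is not on by default).
    """
    return sso_enabled and in_affected_range(product, version)


def triage(inventory: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Map each inventory record to (hostname, verdict).

    Verdicts: 'exposed' (disable SSO now and patch), 'affected-build'
    (patch; SSO currently off), 'not-affected'.
    """
    results = []
    for rec in inventory:
        product, version = str(rec["product"]), str(rec["version"])
        sso = bool(rec["sso_enabled"])
        if is_exposed(product, version, sso):
            verdict = "exposed"
        elif in_affected_range(product, version):
            verdict = "affected-build"
        else:
            verdict = "not-affected"
        results.append((str(rec["host"]), verdict))
    return results


# Constructed inventory records (not real hosts or builds).
SAMPLE_INVENTORY = [
    {"host": "edge-fw-01", "product": "FortiOS", "version": "v7.4.8", "sso_enabled": True},
    {"host": "edge-fw-02", "product": "FortiOS", "version": "7.4.9", "sso_enabled": True},
    {"host": "proxy-01", "product": "FortiProxy", "version": "7.4.10", "sso_enabled": False},
    {"host": "waf-01", "product": "FortiWeb", "version": "7.2.5", "sso_enabled": True},
    {"host": "legacy-fw", "product": "FortiOS", "version": "6.4.15", "sso_enabled": True},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {verdict}")
```

The `sso_enabled` flag should come from the device itself (the `admin-forticloud-sso-login` setting in `config system global`, shown in the mitigation steps later on this page), not from a spreadsheet: the setting is frequently switched on during device registration without anyone recording it.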
Active Exploitation in the Wild
As of December 12, 2025, cybersecurity firm Arctic Wolf reported observing real-world intrusions involving malicious SSO logins on FortiGate appliances shortly after the vulnerabilities’ disclosure. Attackers are exploiting the flaws to gain unauthorized admin access, with confirmed activity targeting exposed FortiGate devices. SecurityWeek corroborated this, noting that threat actors have begun in-the-wild exploitation specifically against FortiGate SSO endpoints. No public proof-of-concept (PoC) code has been released, but the simplicity of the SAML forgery makes it a high-value target for opportunistic attackers. Fortinet has not yet confirmed specific incidents but rates exploitation likelihood as “Functional” in its advisory.
Indicators of Compromise (IOCs) from observed attacks include:
• Suspicious SAML assertions in authentication logs with invalid or forged signatures.
• Unusual admin logins from unexpected IP addresses or user agents mimicking legitimate FortiCloud traffic.
• Anomalous access patterns post-login, such as configuration changes or data exfiltration attempts.
Organizations should monitor FortiGate logs for failed or bypassed SSO authentications around the disclosure date (December 9, 2025).
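The three indicators above translate into three log rules: an SSO login that fails signature checks, a successful SSO admin login from a source outside the ranges admins normally use, and a configuration change by an account whose most recent login was such an SSO login. The Python below is an added example, not Fortinet tooling; its key=value layout mirrors FortiGate syslog, but the field names and values it keys on (`method="forticloud-sso"`, `action="login"`, `cfgpath`) and the sample lines themselves are constructed assumptions, so map them to the fields your firmware actually emits before using the rules.

```python
"""Scan FortiGate-style event logs for the SSO indicators listed above.

Added example, not Fortinet tooling. The key=value layout mirrors FortiGate
syslog, but the field names/values used here (method="forticloud-sso",
action="login", cfgpath=...) and the sample lines are constructed assumptions.
"""
import ipaddress
import re
from typing import Dict, List

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
date=2025-12-12 time=03:14:02 type="event" subtype="system" user="admin" method="forticloud-sso" srcip=203.0.113.45 action="login" status="failed" msg="SAML assertion signature verification failed"
date=2025-12-12 time=03:14:07 type="event" subtype="system" user="admin" method="forticloud-sso" srcip=203.0.113.45 action="login" status="success" msg="Administrator admin logged in via FortiCloud SSO"
date=2025-12-12 time=03:15:40 type="event" subtype="system" user="admin" srcip=203.0.113.45 action="Add" cfgpath="system.admin" msg="Add system.admin backup_svc"
date=2025-12-12 time=09:02:11 type="event" subtype="system" user="netops" method="forticloud-sso" srcip=198.51.100.7 action="login" status="success" msg="Administrator netops logged in via FortiCloud SSO"
date=2025-12-12 time=11:47:53 type="event" subtype="system" user="admin" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in"
"""

# Ranges from which admin SSO logins are expected (constructed for the example).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert dict per matching rule, in chronological order."""
    alerts: List[Dict[str, str]] = []
    flagged_users = set()  # users whose latest login was a suspicious SSO login
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: (e.get("date", ""), e.get("time", "")))
    for e in events:
        user, action, src = e.get("user", "?"), e.get("action", ""), e.get("srcip", "0.0.0.0")
        when = f"{e.get('date', '')} {e.get('time', '')}"
        base = {"user": user, "srcip": src, "when": when}
        if action == "login":
            sso = e.get("method") == "forticloud-sso"
            status, msg = e.get("status"), e.get("msg", "").lower()
            if sso and status == "failed" and "signature" in msg:
                # Indicator 1: SAML assertion rejected for a bad/forged signature.
                alerts.append({"rule": "sso_signature_failure", **base})
            elif sso and status == "success" and not is_trusted(src):
                # Indicator 2: SSO admin login from an unexpected source.
                alerts.append({"rule": "sso_login_untrusted_source", **base})
                flagged_users.add(user)
            else:
                flagged_users.discard(user)  # a clean login resets the follow-on rule
        elif action in {"Add", "Edit", "Delete"} and user in flagged_users:
            # Indicator 3: configuration change after a suspicious SSO login.
            alerts.append({"rule": "post_sso_config_change", "cfgpath": e.get("cfgpath", ""), **base})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed sample this yields three alerts for the `admin` account in the 03:14 to 03:15 window and none for `netops`, whose SSO login came from a trusted range. Feeding the script real logs from around December 9, 2025 onward (the disclosure date) is the concrete version of the monitoring advice above.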
Recommendations and Mitigations
Fortinet urges immediate action, as these flaws have led to rapid exploitation similar to past Fortinet vulnerabilities (e.g., SSL VPN exploits). Prioritize based on exposure:
1. Disable FortiCloud SSO Immediately (interim fix):
• Via GUI: Navigate to System > Settings and toggle Allow administrative login using FortiCloud SSO to Off.
• Via CLI: Run config system global; set admin-forticloud-sso-login disable; end.
2. Apply Patches:
• Upgrade to a fixed version (e.g., FortiOS 7.6.4 or later, or 7.4.9 or later). Use Fortinet’s upgrade path tool at docs.fortinet.com/upgrade-tool to avoid disruptions.
• Full list of fixed releases available in the official advisory.
3. Additional Best Practices:
• Restrict administrative access to trusted IP ranges.
• Enable multi-factor authentication (MFA) where possible on fallback logins.
• Scan for exposed FortiGate instances using tools like Shodan or internal asset inventories.
• Review logs for signs of compromise and reset credentials if suspicious activity is detected.
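The interim fix and two of the best practices above (disable FortiCloud SSO, restrict admin access to trusted ranges, enable MFA on fallback logins) can be audited from a configuration backup rather than device by device. The Python below is an added example, not Fortinet tooling: it parses the FortiOS `config` / `edit` / `set` / `next` / `end` layout and reports the gaps. The `admin-forticloud-sso-login` key is the one given in the CLI step above; `trusthost1` and `two-factor` under `config system admin` are assumed here to be the relevant FortiOS keys, and the sample configuration is constructed, so confirm the key names against your firmware's CLI reference.

```python
"""Audit a FortiOS configuration backup for the mitigations listed above.

Added example, not Fortinet tooling. The admin-forticloud-sso-login key comes
from the CLI step on this page; trusthost1 / two-factor under 'config system
admin' are assumed key names. The sample configuration is constructed.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed configuration excerpt (not from a real device).
SAMPLE_CONFIG = """
config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.0.0.0
        set two-factor fortitoken
        set password ENC REDACTED
    next
    edit "backup_svc"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
end
"""

Section = Dict[str, Dict[str, List[str]]]  # entry name -> {setting: values}


def parse_config(text: str) -> Dict[str, Section]:
    """Minimal parser for the FortiOS config/edit/set/next/end layout.

    Settings outside any 'edit' block are stored under the entry name '_'.
    Nested 'config' blocks inside an entry are skipped, not modelled.
    """
    sections: Dict[str, Section] = {}
    section = entry = None
    nested = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if nested:  # inside a nested config block we are not modelling
            nested += tok[0] == "config"
            nested -= tok[0] == "end"
            continue
        if tok[0] == "config":
            if section is None:
                section = " ".join(tok[1:])
                sections.setdefault(section, {})
            else:
                nested = 1
        elif tok[0] == "edit" and section is not None:
            entry = tok[1]
            sections[section].setdefault(entry, {})
        elif tok[0] == "set" and section is not None:
            sections[section].setdefault(entry or "_", {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = entry = None
    return sections


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, location, finding) tuples for the mitigations above."""
    cfg = parse_config(text)
    findings: List[Tuple[str, str, str]] = []
    glob = cfg.get("system global", {}).get("_", {})
    # Absent key is treated as the (non-default-enabled) disabled state.
    if glob.get("admin-forticloud-sso-login", ["disable"]) == ["enable"]:
        findings.append(("high", "system global",
                         "FortiCloud SSO admin login enabled; disable until patched"))
    for name, settings in cfg.get("system admin", {}).items():
        if name == "_":
            continue
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(("medium", f"admin {name}", "no trusthost restriction on admin access"))
        if settings.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("low", f"admin {name}", "MFA not enforced on this fallback login"))
    return findings


if __name__ == "__main__":
    for severity, where, what in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {where}: {what}")
```

On the constructed sample the audit flags the enabled SSO setting and the `backup_svc` account, which has neither a trusthost restriction nor MFA, while `admin` passes both account checks. Run it over every backup in your inventory to find devices where SSO was quietly enabled at registration time.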
For the latest updates, refer to Fortinet’s PSIRT advisory. If you’re running affected versions, treat this as a high-priority incident response trigger.