Fortinet administrators are facing yet another urgent security headache. Just weeks ago, on December 9, 2025, Fortinet disclosed two critical vulnerabilities—CVE-2025-59718 and CVE-2025-59719 (both CVSS 9.8)—that allow unauthenticated attackers to bypass Single Sign-On (SSO) authentication on FortiGate firewalls and related products. By December 12, threat actors were already exploiting them in the wild, primarily to steal configuration files and potentially escalate to full network compromise.
This isn't just another patch Tuesday item; it's a stark reminder of how quickly perimeter devices like FortiGate become prime targets. With CISA adding CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16—mandating federal agencies to patch by December 23—the pressure is on for everyone.
What Exactly Are These Vulnerabilities?
Both flaws stem from an improper verification of cryptographic signatures (CWE-347) in how Fortinet products handle SAML (Security Assertion Markup Language) responses for FortiCloud SSO logins.
- CVE-2025-59718: Affects FortiOS (the OS running on FortiGate firewalls), FortiProxy, and FortiSwitchManager.
- CVE-2025-59719: Primarily impacts FortiWeb (Fortinet's web application firewall).
An unauthenticated attacker can send a specially crafted SAML message to the device, tricking it into believing the request is legitimately authenticated. No credentials needed—just network access to the management interface.
The key prerequisite? The FortiCloud SSO login feature must be enabled. Good news: It's disabled by default on factory-fresh devices. Bad news: Many organizations enable it during setup for convenience, or it gets turned on automatically in certain configurations.
Real-World Attacks: What Attackers Are Doing
Security firm Arctic Wolf was the first to spot active intrusions starting December 12, 2025—just three days after disclosure. In observed attacks:
- Malicious SSO logins originated from a small cluster of hosting providers (IPs in Germany, the US, and Asia).
- Attackers targeted the default "admin" account.
- Once in, they immediately used the GUI to download the full system configuration file—exposing sensitive data like credentials, VPN keys, and network topologies.
This config exfiltration is a goldmine for attackers: It reveals internal layouts, potentially enabling lateral movement, ransomware deployment, or persistent access.
While no widespread mass exploitation has been reported yet (as of late December 2025), experts warn it's likely coming soon given the ease of exploitation and the high value of FortiGate compromises.
Why FortiGate Keeps Making Headlines
FortiGate firewalls are ubiquitous—hundreds of thousands are internet-facing worldwide. They're the gatekeepers of corporate networks, making them irresistible to attackers. Recent years have seen a pattern:
- Heap buffer overflows in SSL-VPN leading to RCE.
- Out-of-bounds writes exploited for remote code execution.
- Post-exploitation persistence techniques lingering after old patches.
The 2025 SSO flaws continue this trend, highlighting challenges in third-party integration (like SAML for cloud management). Convenience features like FortiCloud SSO, meant to simplify admin logins, inadvertently expand the attack surface.
Immediate Steps to Protect Your FortiGate
Don't wait—act now:
- Patch Immediately:
- Upgrade to fixed versions (check Fortinet's advisory FG-IR-25-647 for your branch: FortiOS 7.4.5+, 7.6.1+, etc.).
- Note: Older branches like FortiOS 6.4 are unaffected.
- Temporary Mitigation if Patching Isn't Possible:
- Disable FortiCloud SSO: Go to System > Settings > Turn off "Allow administrative login using FortiCloud SSO".
- Restrict management interface access to trusted IPs only.
- Hunt for Compromise:
- Review logs for suspicious SSO logins (look for ui="sso" entries from unknown IPs).
- Check for downloaded config files (logdesc="System config file has been downloaded").
- Scan for unauthorized admin accounts or changes.
- Best Practices Going Forward:
- Limit exposure: Never expose management interfaces to the internet.
- Enable MFA where possible.
- Regularly audit and update firmware.
Final Thoughts: Patch Fast, Stay Vigilant
These vulnerabilities underscore a broader lesson in cybersecurity: Edge devices like firewalls are perpetual battlegrounds. Fortinet's quick disclosure and patches are commendable, but the rapid exploitation shows how narrow the window is between patch release and attacker action.
If you're running FortiGate, treat this as a fire drill. Patching isn't optional—it's essential to keeping your network's front door locked.
Have you checked your FortiGates yet? Drop your experiences or tips in the comments. Stay safe out there!