Fortinet FortiCloud SSO Auth Bypass Actively Exploited

Fortinet customers are facing active exploitation of two critical authentication bypass vulnerabilities just days after patches were released. Tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS 9.1), these flaws allow unauthenticated attackers to gain administrative access to Fortinet appliances by abusing FortiCloud Single Sign-On (SSO).

Arctic Wolf confirmed exploitation began on December 12, 2025, only three days after Fortinet issued advisories. The speed of weaponization highlights how quickly attackers now operationalize identity-layer weaknesses in perimeter security devices.

What Went Wrong Technically

Both vulnerabilities stem from improper cryptographic signature verification in FortiCloud SSO’s SAML authentication flow.

When FortiCloud SSO is enabled, Fortinet devices trust SAML assertions to authenticate administrators. Due to flawed signature validation logic, attackers can submit forged SAML messages that are accepted as legitimate, bypassing authentication entirely.

  • CVE-2025-59718 impacts FortiOS, FortiProxy, and FortiSwitchManager
  • CVE-2025-59719 impacts FortiWeb

The attack requires no credentials and succeeds remotely, making it especially dangerous for internet-exposed management interfaces.

Why This Feature Became a Trap

FortiCloud SSO is not enabled by default, but it is automatically activated during FortiCare registration unless administrators explicitly disable the option:

Allow administrative login using FortiCloud SSO

In practice, many organizations unknowingly enabled this feature, dramatically expanding their attack surface without realizing it.

Observed Exploitation Activity

Arctic Wolf telemetry confirms:

  • Malicious SSO logins targeting admin accounts
  • Source IPs tied to multiple hosting providers
  • Successful authentication without valid credentials
  • Post-authentication activity via FortiGate GUI
  • Export of device configuration files

These configuration files may include:

  • Network topology
  • Firewall policies
  • Routing tables
  • VPN settings
  • Hashed administrator credentials

Offline cracking of these hashes can lead to persistent compromise even after patching.

Simplified Attack Flow

Forged SAML Assertion
        ↓
FortiCloud SSO Endpoint
        ↓
Authentication Bypass
        ↓
Admin GUI Access
        ↓
Configuration Export

Because Fortinet devices sit at the network perimeter, successful exploitation provides attackers with a detailed blueprint of internal infrastructure.

Mitigation and Response

Fortinet has released patched versions across affected product lines, and immediate upgrading is strongly recommended. Until patching is complete, Fortinet advises disabling FortiCloud SSO admin login entirely.

Organizations should also review logs for anomalous SSO activity, audit configuration export events, and rotate all administrative credentials if exposure is suspected. Restricting management access to trusted networks significantly reduces exploitability.
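The log review described above can be scripted. The following is an added example, not Fortinet's code or tooling: it walks FortiGate-style key=value event lines, flags FortiCloud SSO admin logins whose source address is outside a trusted management range, and pairs them with a configuration export from the same source shortly afterwards. The sample lines, the `method="forticloud-sso"` value and the `logdesc` strings are constructed assumptions for illustration, not captured telemetry; adapt the matching to the exact field values your FortiOS version emits.

```python
"""Flag untrusted FortiCloud SSO admin logins and config exports that follow them."""
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in the key=value layout FortiGate event logs use.
# Field values here (method, logdesc) are assumptions, not real captured logs.
SAMPLE_LOGS = """\
date=2025-12-12 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.45 method="forticloud-sso"
date=2025-12-12 time=03:16:52 type="event" subtype="system" logdesc="Configuration backup" user="admin" srcip=203.0.113.45
date=2025-12-12 time=09:02:11 type="event" subtype="system" logdesc="Admin login successful" user="ops" srcip=10.20.0.7 method="forticloud-sso"
date=2025-12-12 time=09:05:30 type="event" subtype="system" logdesc="Configuration backup" user="ops" srcip=10.20.0.7
"""

# Networks from which administrative SSO logins are expected (assumption).
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/16")]
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def find_suspicious(log_text, window_minutes=30):
    """Return (untrusted SSO logins, config exports within the window of one).

    Each entry is (timestamp, user, srcip)."""
    logins, exports, last_untrusted = [], [], {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if "date" not in f or "time" not in f:
            continue
        ts = datetime.fromisoformat(f"{f['date']} {f['time']}")
        src, desc = f.get("srcip", ""), f.get("logdesc", "").lower()
        if f.get("method") == "forticloud-sso" and "login successful" in desc:
            if src and not is_trusted(src):
                logins.append((ts, f.get("user"), src))
                last_untrusted[src] = ts
        elif "configuration backup" in desc:
            prior = last_untrusted.get(src)
            if prior and (ts - prior).total_seconds() <= window_minutes * 60:
                exports.append((ts, f.get("user"), src))
    return logins, exports
```

Exports from an address that never produced a flagged login are ignored, so routine backups from trusted management hosts do not alert.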

Why This Matters

This incident underscores a broader industry trend: identity features are now prime attack vectors, especially when embedded into perimeter devices. Authentication bypass flaws offer attackers the same level of control as remote code execution, but with fewer technical barriers.

The shrinking gap between disclosure and exploitation leaves no margin for delayed patching. In environments where firewalls are treated as trusted control points, identity-layer failures can collapse the entire security model.

Final Takeaway

These Fortinet vulnerabilities are not theoretical. They are being exploited in the wild, at scale, and with intent. Organizations relying on FortiCloud SSO must treat identity paths with the same rigor as core firewall logic.

In 2025, authentication bypass is the new RCE — and delayed patching is no longer survivable.
