Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities Actively Exploited (CVE-2025-59718, CVE-2025-59719)
Summary
Active exploitation of critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) was observed beginning December 12, 2025. These vulnerabilities allow unauthenticated attackers to bypass Single Sign-On (SSO) authentication on affected Fortinet appliances via crafted SAML messages when FortiCloud SSO is enabled.
Observed intrusions involved successful malicious SSO logins - primarily to the admin account - followed by the export of device configurations via the GUI. Fortinet released patches on December 9, 2025, and in-the-wild exploitation was confirmed shortly thereafter.
Affected Systems and/or Applications
The following Fortinet products are affected if FortiCloud SSO is enabled:
- FortiOS
- FortiProxy
- FortiSwitchManager
- FortiWeb
FortiCloud SSO is disabled by default; however, it may be automatically enabled when devices are registered through FortiCare via the GUI unless explicitly disabled.
Products Confirmed Unaffected:
- FortiOS 6.4
- FortiWeb 7.0
- FortiWeb 7.2
Technical Details
The vulnerabilities allow unauthenticated attackers to bypass SSO authentication by submitting specially crafted SAML messages to FortiCloud SSO-enabled devices. Successful exploitation results in administrative access without valid credentials.
Observed Indicators of Compromise (IOCs)
Malicious SSO login activity originated from the following IP addresses and hosting providers:
Example Log Evidence
The log evidence shown below consists of Fortinet FortiGate system event logs, specifically the administrative authentication and management activity logs generated by the FortiOS operating system.
Successful malicious SSO login:
logdesc="Admin login successful" user="admin" ui="sso(199.247.7[.]82)" method="sso"
Configuration exfiltration via GUI following login:
action="download" msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"
Mitigation
Immediate Actions
- Upgrade to a fixed version of all affected Fortinet products as soon as possible.
- Assume credential compromise if malicious SSO login or configuration downloads are detected and reset all firewall and administrative credentials immediately.
Recommended Fixed Versions
Temporary Workaround
Until systems are upgraded, disable FortiCloud SSO login:
GUI:
- System → Settings → Disable “Allow administrative login using FortiCloud SSO”
CLI:
config system global
set admin-forticloud-sso-login disable
end
Additional Hardening Recommendations
- Restrict management interface access to trusted internal networks only.
- Monitor logs for unexpected SSO-based admin logins and configuration downloads.
- Block or monitor traffic from known malicious IP addresses listed above.
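The following is an added example, not code from the advisory, Fortinet or any vendor, showing how the "Example Log Evidence" above and the recommendation to monitor for unexpected SSO-based admin logins and configuration downloads can be turned into a small hunt over FortiGate event logs. The sample log lines are constructed for the example (the dates, the "netops" user and the 10.0.5.12 address are made up; the 199.247.7[.]82 address is the defanged one quoted in the advisory), and the trusted management network is a placeholder to replace with your own ranges.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample FortiGate system event log lines, modelled on the field
# names and values quoted in the advisory. Not real captured logs.
SAMPLE_LOGS: List[str] = [
    'date=2025-12-12 time=03:14:07 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="sso(199.247.7[.]82)" method="sso"',
    'date=2025-12-12 time=03:15:22 type="event" subtype="system" '
    'action="download" user="admin" ui="GUI(199.247.7[.]82)" '
    'msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"',
    'date=2025-12-12 time=08:00:01 type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.5.12)" method="https"',
]

# Placeholder: the management networks you expect admin logins from.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# key=value pairs, values either double-quoted or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ui="sso(1.2.3.4)" -> interface type and source address
UI_RE = re.compile(r"^(\w+)\((.+)\)$")


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def split_ui(ui: str) -> Tuple[str, Optional[str]]:
    """Turn 'sso(199.247.7[.]82)' into ('sso', '199.247.7.82'); refangs [.] so
    the address can be compared against real networks."""
    m = UI_RE.match(ui)
    if not m:
        return ui.lower(), None
    return m.group(1).lower(), m.group(2).replace("[.]", ".")


def is_trusted(src: Optional[str]) -> bool:
    """True only if the source address parses and falls inside a trusted range."""
    try:
        addr = ipaddress.ip_address(src or "")
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Flag SSO admin logins and config downloads; escalate a download that
    follows an SSO login from the same source address, the sequence the
    advisory describes."""
    findings: List[Dict[str, object]] = []
    sso_sources: Set[Optional[str]] = set()
    for line in lines:
        ev = parse_fortigate_log(line)
        ui_type, src = split_ui(ev.get("ui", ""))
        user = ev.get("user", "")
        sso_login = ev.get("logdesc") == "Admin login successful" and (
            ev.get("method") == "sso" or ui_type == "sso"
        )
        if sso_login:
            sso_sources.add(src)
            findings.append({
                "rule": "sso_admin_login",
                "severity": "medium" if is_trusted(src) else "high",
                "user": user,
                "src": src,
            })
        if ev.get("action") == "download" and "config file has been downloaded" in ev.get("msg", ""):
            correlated = src in sso_sources
            findings.append({
                "rule": "config_download",
                "severity": "critical" if correlated else "high",
                "user": user,
                "src": src,
                "after_sso_login": correlated,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Run over the constructed sample, the hunt reports the SSO admin login from the untrusted address as high and the configuration download that follows it from the same address as critical, while the ordinary HTTPS login from the management network produces nothing. Feeding it real exports means the SSO login rule will also fire for legitimate FortiCloud SSO use, so the trusted-network list and the correlation with a subsequent config download are what keep the alert volume useful.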
What the Cyber Fusion Center is Doing
The CFC is monitoring the situation and is triggering threat-hunting campaigns. This advisory will be updated if required. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
Tenable ID:
- 277980 – Fortinet FortiGate SSO Login Authentication Bypass (FG-IR-25-647)
- 277981 – Fortinet FortiWeb SSO Login Authentication Bypass (FG-IR-25-647)
Qualys ID:
- QID 44861
- QID 44862
References
- https://www.tenable.com/cve/CVE-2025-59718/plugins?
- https://threatprotect.qualys.com/2025/12/10/fortinet-addresses-critical-vulnerabilities-impacting-multiple-fortinet-products-cve-2025-59718-cve-2025-59719/
- Fortinet warns of critical FortiCloud SSO login auth bypass flaws
- Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719 - Arctic Wolf