Threat actors are actively exploiting two critical authentication bypass vulnerabilities in Fortinet products by abusing FortiCloud SSO functionality. The flaws, tracked as CVE-2025-59718 & CVE-2025-59719 allow unauthenticated attackers to bypass administrative authentication using crafted SAML messages when FortiCloud SSO is enabled.
Exploitation began within days of patch release, highlighting rapid weaponization and making this a high-priority exposure risk for internet-facing Fortinet deployments.
What’s Being Exploited
The vulnerabilities stem from improper cryptographic signature verification in the FortiCloud SSO authentication flow.
When FortiCloud SSO is enabled, attackers can submit a crafted SAML authentication message. The device incorrectly validates the signature and administrative access is granted without valid credentials.
Key risk factor: FortiCloud SSO is disabled by default, but is automatically enabled during FortiCare registration unless explicitly disabled by an administrator.
Affected Technologies
The issue impacts multiple Fortinet platforms (only when FortiCloud SSO is enabled):
- FortiOS
- FortiProxy
- FortiWeb
- FortiSwitchManager
Multiple major release branches are affected, making legacy and current deployments equally at risk if not patched.
Observed Attack Activity
On December 16th, CISA added CVE-2025-59718 to its Known Exploited Vulnerabilitites (KEV) catalog.
Observed activity indicates deliberate targeting rather than broad scanning. Following successful SSO-based authentication, attackers accessed the device management interface and exported system configuration files.
These exports contain hashed credentials, VPN configurations, and user definitions, enabling offline credential cracking and potential reuse across environments. The consistency of post-authentication behavior suggests the objective is persistent access and credential harvesting rather than short-lived access or service disruption.
Mitigation Guidance
Organizations using Fortinet products should take the following actions immediately:
- Disable FortiCloud SSO administrative login on all affected devices unless it is strictly required
- Apply vendor patches and upgrade to a fixed firmware version across FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager
- Restrict management interface access to trusted IP ranges or dedicated management networks only
If exploitation is suspected:
- Assume credential exposure and rotate all administrative passwords, VPN secrets, and API keys
- Review configuration integrity and compare against known-good backups
- Audit administrative activity for unauthorized logins, configuration exports, or account changes
If you suspect a compromise, please contact the OP Innovate Incident Response team immediately.
Stay Safe. Stay Secure
OP Innovate Research Team
