Critical Auth Bypass Vulnerabilities in Fortinet Products Under Active Exploitation (CVE-2025-59718 & CVE-2025-59719)
Executive Summary
On December 9th, Fortinet’s PSIRT team publicly released an advisory to address critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in multiple Fortinet products (FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb) when FortiCloud single sign-on (SSO) is enabled. Soon after, on December 16th, Beazley Security Labs became aware of active exploitation of these vulnerabilities. CISA has also added both CVEs to the Known Exploited Vulnerabilities (KEV) index.
The vulnerabilities are remotely exploitable authentication bypass bugs, meaning they can be used by a threat actor to gain initial access to an organization’s network. CVE-2025-59718 and CVE-2025-59719 allow an attacker to bypass the FortiCloud SSO authentication "via a crafted SAML message." It's important to note that FortiCloud SSO login is not enabled by default; however, registering a Fortinet device with FortiCare will enable this feature unless it is explicitly disabled. Due to this, Beazley Security believes many Fortinet devices may be vulnerable without the administrator’s knowledge.
Beazley Security is aware of active exploitation of these vulnerabilities in the wild. Given the potential for further compromise once initial access has been granted to the Fortinet device, Beazley Security strongly recommends that affected organizations apply available patches immediately or disable FortiCloud SSO until patches can be applied.
Affected Systems and Products
Mitigations and Workarounds
Patches have been released, and Beazley Security recommends that patches be applied immediately for any impacted appliances. If patches cannot be applied, Fortinet recommends temporarily disabling FortiCloud SSO on affected systems until they can be updated to reduce risk of compromise:
To disable FortiCloud SSO admin logins:
- Go to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off.
Or type the following command in the CLI:
config system global
    set admin-forticloud-sso-login disable
end
Patches
The FortiGuard advisory recommends using their provided upgrade tool to update software on the affected products.
Indicators of Compromise (IOCs)
IOCs have been collected from Arctic Wolf and are presented here for convenience:
According to the article from Arctic Wolf, the following logs were observed during the attack:
- Malicious logins were typically observed against the admin account:
date=2025-12-12 time=REDACTED devname=REDACTED devid=REDACTED eventtime=REDACTED tz=REDACTED logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn=REDACTED user="admin" ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 dstip=REDACTED action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from sso(199.247.7[.]82)"
- Following malicious SSO logins, configurations were exported to the same IP addresses via the GUI:
date=2025-12-12 time=REDACTED devname=REDACTED devid=REDACTED eventtime=REDACTED tz=REDACTED logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" ui="GUI(199.247.7[.]82)" action="download" status="success" msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"
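As an added threat-hunting example (not from the original advisory or from Arctic Wolf), the following Python parses FortiOS event logs in the key=value format shown above and flags a successful SSO admin login from an address outside an assumed allowlist, followed by a config download from the same address. The sample lines are constructed from the two IOC events above; the allowlisted management address 10.0.0.5 is hypothetical.

```python
import re

# Constructed sample lines modelled on the two IOC events in this advisory
# (REDACTED fields kept as in the source; attacker IP defanged as published).
SAMPLE_LOGS = [
    'date=2025-12-12 time=REDACTED logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" '
    'ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 action="login" '
    'status="success" profile="super_admin"',
    'date=2025-12-12 time=REDACTED logid="0100032095" type="event" subtype="system" '
    'level="warning" logdesc="Admin performed an action from GUI" user="admin" '
    'ui="GUI(199.247.7[.]82)" action="download" status="success" '
    'msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"',
    # Benign SSO login from a hypothetical allowlisted management address.
    'date=2025-12-12 time=REDACTED logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" '
    'ui="sso(10.0.0.5)" method="sso" srcip=10.0.0.5 action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_IP_RE = re.compile(r'\((.+)\)')  # address inside ui="sso(<ip>)" or ui="GUI(<ip>)"

def parse_fortios_log(line):
    """Parse one FortiOS event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def refang(ip):
    return ip.replace('[.]', '.')

def source_of(event):
    """Prefer the address embedded in ui=..., fall back to srcip."""
    m = UI_IP_RE.search(event.get('ui', ''))
    return refang(m.group(1)) if m else refang(event.get('srcip', ''))

def hunt_sso_abuse(lines, allowed_sources):
    """Return (finding, user, source) tuples for unexpected SSO admin logins and
    config downloads from a source already flagged by such a login."""
    findings, suspicious = [], set()
    for line in lines:
        ev = parse_fortios_log(line)
        src = source_of(ev)
        sso_login = ev.get('logid') == '0100032001' and ev.get('method') == 'sso'
        if sso_login and ev.get('status') == 'success' and src not in allowed_sources:
            suspicious.add(src)
            findings.append(('sso_admin_login_unexpected_source', ev.get('user'), src))
        elif ev.get('logid') == '0100032095' and ev.get('action') == 'download' and src in suspicious:
            findings.append(('config_download_after_suspicious_sso', ev.get('user'), src))
    return findings
```

Feed it the exported event log of an appliance that had FortiCloud SSO enabled; any hit on the second finding type is a strong sign that the device configuration, including credentials and VPN settings, has been exfiltrated.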
Technical Details
Details on the vulnerabilities provided by Fortinet are limited at the time of this writing. CVE-2025-59718 and CVE-2025-59719 stem from improper verification of cryptographic signatures in the FortiCloud SSO SAML authentication flow across multiple Fortinet products.
If affected Fortinet devices are configured to use FortiCloud SSO, an attacker can leverage crafted SAML messages to bypass authentication checks, potentially gaining unauthenticated administrative access.
Although FortiCloud SSO login is disabled in the default factory settings, registering a device with FortiCare during setup enables FortiCloud SSO unless it is explicitly disabled on the registration page.
Arctic Wolf has reportedly observed exploitation of these authentication bypass vulnerabilities in the wild, with threat actors performing malicious FortiCloud SSO admin logins to gain initial access into environments.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718
- https://fortiguard.fortinet.com/psirt/FG-IR-25-647
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
- https://docs.fortinet.com/upgrade-tool
- https://x.com/purp1ew0lf/status/2001448649033683038