
FortiGate Under Siege: Critical SAML SSO Flaw Enables Authentication Bypass and Config Theft

  • Dec 16, 2025
  • 2 min read

Key Findings


  • Threat actors have begun exploiting two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public disclosure.

  • The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8).

  • The vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled.

  • Fortinet has released patches for the flaws in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

  • Malicious SSO logins are targeting the "admin" account, followed by the export of device configurations via the GUI to the same IP addresses.


Background


  • The FortiCloud SSO feature is disabled by default in factory settings, but it is automatically enabled during FortiCare registration unless administrators explicitly turn it off using the "Allow administrative login using FortiCloud SSO" setting.

  • This means that standard onboarding procedures effectively arm the vulnerability, leaving the device exposed unless the administrator explicitly intervenes.


Threat Actor Tactics


  • The intrusion attempts observed by Arctic Wolf originate from specific hosting providers, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited.

  • Following the malicious SSO logins, the attackers have been found to export device configurations via the GUI to the same IP addresses.

  • This exfiltration is catastrophic because firewall configurations often contain hashed credentials for VPN users and other local accounts.


Recommendations


  • Organizations are advised to apply the patches as soon as possible.

  • As a mitigation, disable FortiCloud SSO until the affected instances are updated to a fixed version, and limit access to the management interfaces of firewalls and VPNs to trusted internal users.

  • Fortinet customers who find indicators of compromise (IoCs) consistent with this campaign should assume compromise and reset the hashed firewall credentials stored in the exfiltrated configurations.
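As an added detection example (not from the original post or its sources), the following Python correlates the login-then-export pattern described above over constructed FortiOS-style event lines: a successful SSO login to the "admin" account from an untrusted address, followed by a configuration backup from the same address. The field names `method`, `action`, `ui` and the sample values are assumptions and must be checked against real FortiGate event logs before use.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in FortiOS key="value" style. The field names and
# values (user, ui, method, action, status) are ASSUMED for illustration only.
SAMPLE_LOGS = """\
date=2025-12-15 time=10:02:11 type="event" subtype="system" user="admin" ui="https(203.0.113.10)" method="sso" action="login" status="success" msg="Administrator admin logged in successfully"
date=2025-12-15 time=10:02:40 type="event" subtype="system" user="admin" ui="https(203.0.113.10)" action="backup" msg="Administrator admin backed up configuration"
date=2025-12-15 time=11:30:05 type="event" subtype="system" user="ops" ui="https(10.0.0.5)" method="sso" action="login" status="success" msg="Administrator ops logged in successfully"
date=2025-12-15 time=14:05:00 type="event" subtype="system" user="admin" ui="https(10.0.0.7)" action="backup" msg="Administrator admin backed up configuration"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')

def parse_event(line):
    """Turn one key=value log line into a dict (quotes stripped), adding
    the source IP pulled out of the ui field and a datetime timestamp."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = UI_IP_RE.search(ev.get("ui", ""))
    ev["src_ip"] = m.group(1) if m else None
    ev["ts"] = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
    return ev

def find_sso_export_chains(log_text, window=timedelta(minutes=30), trusted_nets=("10.",)):
    """Return (login_event, export_event) pairs where an SSO login to the
    'admin' account from an untrusted IP is followed, from the same IP, by a
    configuration backup within `window`."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    hits = []
    for login in events:
        if not (login.get("action") == "login" and login.get("method") == "sso"
                and login.get("user") == "admin" and login.get("status") == "success"):
            continue
        if login["src_ip"] is None or login["src_ip"].startswith(trusted_nets):
            continue  # internal management access is expected; skip it
        for later in events:
            if (later.get("action") == "backup" and later["src_ip"] == login["src_ip"]
                    and login["ts"] <= later["ts"] <= login["ts"] + window):
                hits.append((login, later))
    return hits

if __name__ == "__main__":
    for login, export in find_sso_export_chains(SAMPLE_LOGS):
        print(f"ALERT: SSO admin login from {login['src_ip']} at {login['ts']} "
              f"followed by config export at {export['ts']}")
```

A hit on a device with FortiCloud SSO enabled and the patches not yet applied should be treated as the "assume compromise" case above.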


Sources


  • https://thehackernews.com/2025/12/fortinet-fortigate-under-active-attack.html

  • https://securityonline.info/critical-fortigate-sso-flaw-under-active-exploitation-attackers-bypass-auth-and-exfiltrate-configs/

  • https://www.facebook.com/groups/796733520428908/posts/24631042856571307/



© 2025 by Explain IT Again. Powered and secured by Wix
