What happened
Threat actors have started exploiting newly disclosed critical vulnerabilities in Fortinet products to perform malicious single sign-on (SSO) logins on FortiGate firewalls and related appliances. The activity was first observed on December 12, 2025, just days after Fortinet disclosed and patched two authentication-bypass flaws (CVE-2025-59718 and CVE-2025-59719) that allow attackers to bypass FortiCloud SSO authentication via crafted SAML messages when that feature is enabled. Security researchers at Arctic Wolf and others have reported multiple intrusions where attackers have logged in to administrative interfaces without credentials and, in some cases, exported device configuration files.
Who is affected
Organizations using Fortinet FortiGate firewalls and related products (including FortiOS, FortiWeb, FortiProxy, FortiSwitchManager) with the FortiCloud SSO login feature enabled are at risk. Because FortiCloud SSO is enabled by default during initial device setup unless explicitly disabled, many internet-connected appliances could be exposed. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the issue to its Known Exploited Vulnerabilities catalog, underscoring its active exploitation.
Why CISOs should care
- Active exploitation: Threat actors are already leveraging these SSO authentication bypasses in real-world attacks shortly after disclosure and patch publication.
- High severity: Both vulnerabilities carry near-maximum CVSS scores, enabling unauthorized administrative access without valid credentials.
- Privileged access risk: Successful exploitation can expose firewall configurations, hashed credentials, and network security policies, potentially facilitating broader compromise of enterprise environments.
Three practical actions
- Patch Immediately: Ensure all Fortinet products are updated to the latest fixed versions addressing CVE-2025-59718 and CVE-2025-59719.
- Disable FortiCloud SSO: Turn off the “Allow administrative login using FortiCloud SSO” feature wherever it is currently enabled, until the patches have been verified as applied.
- Hunt, Restrict & Reset: Search for signs of malicious logins, restrict management interfaces to internal trusted networks, and reset compromised firewall credentials if suspicious activity is found.
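A starting point for the hunt step, added here as an example and not taken from the original note or from Fortinet: a small Python script that parses FortiGate-style key=value event logs, flags successful administrative SSO logins from outside an assumed trusted management range, and flags configuration backups performed by that account shortly afterwards. The log lines are constructed, and the field values an actual FortiCloud SSO login produces (the `method` and `logdesc` strings) are assumptions, so adjust them to what your appliances actually emit.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in the FortiGate key=value syslog layout (not real captures).
# Values such as method="sso" and the logdesc strings are assumptions for illustration.
SAMPLE_LOGS = """\
date=2025-12-12 time=09:14:02 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 action="login" status="success" msg="Administrator netops logged in successfully from https(10.20.0.15)"
date=2025-12-12 time=09:31:47 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="unknownuser" ui="sso(198.51.100.23)" method="sso" srcip=198.51.100.23 action="login" status="success" msg="Administrator unknownuser logged in successfully from sso(198.51.100.23)"
date=2025-12-12 time=09:33:10 logid="0100032103" type="event" subtype="system" level="information" logdesc="Config backup" user="unknownuser" ui="sso(198.51.100.23)" srcip=198.51.100.23 action="backup" msg="User unknownuser backed up the configuration"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed internal management range; replace with your own trusted networks.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]


def parse_line(line):
    """Turn one key=value log line into a dict of field -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_trusted(ip):
    """True if the source address falls inside a trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def hunt(log_text, window=timedelta(minutes=30)):
    """Return (finding, user, srcip, timestamp) tuples for SSO admin logins from
    untrusted sources and for config backups by that account within `window`."""
    findings = []
    suspicious = {}  # user -> time of the untrusted SSO login
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        if (rec.get("action") == "login" and rec.get("status") == "success"
                and rec.get("method") == "sso" and not is_trusted(rec["srcip"])):
            suspicious[rec["user"]] = ts
            findings.append(("sso_login_untrusted_src", rec["user"], rec["srcip"], ts))
        if (rec.get("action") == "backup" and rec.get("user") in suspicious
                and ts - suspicious[rec["user"]] <= window):
            findings.append(("config_export_after_sso_login", rec["user"], rec["srcip"], ts))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(*finding)
```

Any hit on the second finding is a strong reason to treat the device configuration, including its hashed credentials, as exposed and to proceed with the reset step.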
