What do you do when a critical authentication flaw in your network's perimeter security is not just a theoretical vulnerability, but a live exploit being used against tens of thousands of exposed systems? For security teams running Fortinet, that time is now.
- Critical authentication bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719) in FortiCloud SSO are under active exploitation.
- Attackers use malicious SAML messages to gain admin access, steal configs, and pivot deeper.
- Over 25,000 devices are exposed online; U.S. CISA mandates federal patching by December 23, 2025.
- Immediate action is required: patch, disable FortiCloud SSO if unused, and audit authentication logs.
How it got exploited
A critical security flaw exists in the FortiCloud Single Sign-On (SSO) implementation across multiple Fortinet products, including FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. Tracked as CVE-2025-59718 and CVE-2025-59719, this vulnerability allows an unauthenticated, remote attacker to bypass authentication entirely by sending a maliciously crafted Security Assertion Markup Language (SAML) message.
Successful exploitation grants the attacker administrative privileges to the device's web-based management interface. The primary impact is the immediate compromise of the network's first line of defense, enabling threat actors to download full system configuration files. These files contain hashed passwords, network topology maps, firewall policies, and details of other internet-facing services—a blueprint for further network intrusion.
Observed Evidence & Timeline
- December 9, 2025: Fortinet releases patches for CVE-2025-59718 and CVE-2025-59719, noting the vulnerable FortiCloud SSO feature is only active after device registration with FortiCare.
- December 2025 (Third Week): Cybersecurity firm Arctic Wolf reports active in-the-wild exploitation of the vulnerabilities to compromise administrator accounts.
- December 2025 (Third Week): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds the flaw to its Known Exploited Vulnerabilities (KEV) catalog, issuing Binding Operational Directive (BOD) 22-01 to compel federal agencies to patch by December 23, 2025.
- December 19, 2025: The Shadowserver Foundation reports scanning over 25,000 exposed IP addresses with the vulnerable FortiCloud SSO fingerprint, including over 5,400 in the United States and nearly 2,000 in India. Independent researcher scans suggest the number may exceed 30,000.
Technical Deep-Dive
The vulnerability resides in the logic handling SAML authentication responses for FortiCloud SSO. The attack flow is straightforward and highly dangerous due to its remote, pre-authentication nature:
- Reconnaissance: Attackers scan the internet for Fortinet devices with TCP port 443 (HTTPS) open.
- Fingerprinting: They identify targets with the FortiCloud SSO feature enabled.
- Crafting the Exploit: A malicious SAML response is crafted to bypass signature validation and identity assertion checks.
- Authentication Bypass: This crafted message is sent to the target's SSO endpoint, tricking the device into granting an authenticated session.
- Privilege Escalation: The granted session is automatically elevated to the highest administrative level.
- Data Exfiltration & Pivot: Attackers use this access to download system configuration files (`sys_config`, backup files) and can then move laterally, change policies, or deploy malware.
Indicators of Compromise (IOCs)
While specific IOCs from ongoing campaigns are not detailed in public reporting, defenders should hunt for these artifacts:
| Type | Value | Notes/Source |
|---|
| Tactic | Malicious SAML Message to `/remote/saml/login` endpoint | Primary exploitation vector. |
| Artifact | Unexpected `*.conf` or system backup file downloads via web UI | Post-exploitation data theft. |
| User Agent | Non-standard HTTP User-Agents in auth logs | Potential scan or exploit activity. |
| Log Entry | Successful admin logins from unusual geographic locations. | Review FortiCloud SSO login logs. |
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application: The initial vector targets the exposed FortiCloud SSO service.
- T1552.001 - Unsecured Credentials: Credentials In Files: Attackers exfiltrate configuration files to obtain password hashes.
- T1069 - Permission Groups Discovery: Downloaded configs reveal network and permission structures.
- T1083 - File and Directory Discovery: Searching for and downloading system configuration files.
- TA0008 - Lateral Movement: Stolen credentials and network maps enable pivoting from the compromised firewall.
Detection & Hunting
Immediate Log Review: Focus on authentication logs from your Fortinet devices (`log.local4` or forwarded to SIEM). Hunt for:
- A surge in requests to `/remote/saml/login` or `/api/v2/` endpoints.
- Successful administrator logins that do not correlate with known admin activity or originate from unexpected IP ranges.
Sample SIEM Query Concept (Splunk-like): ```sql index=firewall_logs host="fortigate" (uri_path="/remote/saml/login" OR uri_path="api/v2*") | stats count by src_ip, uri_path, user, status | where count > 10 ```
Network Signature (Conceptual Snort Rule): ```bash alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Potential FortiCloud SSO Exploit Attempt"; flow:to_server,established; content:"/remote/saml/login"; http_uri; fast_pattern; content:"SAMLResponse"; http_client_body; metadata:service http; sid:1000001; rev:1;) ```
Mitigation & Remediation
Immediate Actions (Next 24-48 Hours):
- PATCH IMMEDIATELY. Apply the fixes provided by Fortinet for CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb). This is the only complete remedy.
- Disable FortiCloud SSO if it is not explicitly required for your operation. As per the vendor, the feature is only active after FortiCare registration—consider rolling back this registration if possible.
- Audit Access. Review administrator account lists and authentication logs for any unauthorized access.
Short-Term Actions (This Week):
- Enforce Access Controls. Ensure the management interfaces of all security appliances are not directly exposed to the internet. Restrict access via VPN or a bastion/jump host.
- Credential Rotation. As a precaution, rotate passwords and secrets for administrator accounts and any services referenced in potential configuration backups.
Risk Assessment
- CVSS Score: Not explicitly stated in source, but based on description (Remote, Low Attack Complexity, No Privileges Required, High Impacts on Confidentiality, Integrity, Availability), this is likely a Critical-severity (CVSS 9.0+) vulnerability.
- Affected Verticals: Any organization using affected Fortinet products. High concentrations of exposed devices are noted in government, enterprise, and service provider networks.
- CISO Priority: Maximum. This flaw allows a complete bypass of network perimeter security. Patching must be treated as a fire-drill exercise, superseding standard change windows. The CISA mandate underscores the severity for all sectors.