Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities Exploited in the Wild
Two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, have been identified in Fortinet products utilizing the FortiCloud SSO login feature. These flaws stem from improper verification of cryptographic signatures (CWE-347), allowing unauthenticated attackers to bypass SSO authentication and potentially gain administrative access. The vulnerabilities affect multiple Fortinet product lines, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud SSO is enabled. Fortinet has clarified that FortiCloud SSO is disabled by default, but it becomes enabled if devices are registered via FortiCare through the GUI unless the relevant setting is manually disabled.
Following public disclosure of these vulnerabilities, Arctic Wolf observed active exploitation attempts targeting FortiGate appliances. Malicious SSO logins were traced to several hosting providers, with attackers typically attempting to access the admin account. Indicators of compromise (IOCs) include specific IP addresses from The Constant Company LLC, Bl Networks, and Kaopu Cloud HK Limited. Organizations using affected Fortinet products are urged to review their SSO configurations, apply vendor patches, and monitor for suspicious login activity, especially from the identified IOCs.
Timeline
Apr 8, 2026
Rapid7 details FortiGate post-exploitation and detection findings
On 2026-04-08, Rapid7 published incident-response findings from a FortiGate intrusion tied to CVE-2025-59718, describing how attackers enabled SSL VPN, created admin accounts, altered firewall policies, downloaded configs, and pivoted into the internal network for discovery, credential theft, and lateral movement. Rapid7 also released detections for suspicious FortiGate admin SSO logins, configuration downloads, and anomalous external-IP authentication activity.
Dec 19, 2025
Shadowserver identifies 25,000+ exposed FortiCloud SSO devices
By 2025-12-19, reporting based on Shadowserver Foundation scanning said more than 25,000 Fortinet devices with FortiCloud SSO enabled were exposed online. The finding highlighted the large internet-facing attack surface for the actively exploited vulnerabilities, though not all exposed devices were necessarily unpatched or vulnerable.
Dec 16, 2025
CISA adds CVE-2025-59718 to the KEV catalog
By 2025-12-16, the U.S. Cybersecurity and Infrastructure Security Agency had added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies to remediate it. Multiple reports noted a remediation deadline of 2025-12-23 for federal civilian agencies.
Dec 15, 2025
Arctic Wolf publishes exploitation details and IOCs
On 2025-12-15, Arctic Wolf publicly reported the observed intrusions, describing malicious admin logins, configuration downloads, and source IP infrastructure linked to the activity. It advised organizations to patch, disable FortiCloud SSO if needed, restrict management access, and reset credentials if compromise is suspected.
Dec 15, 2025
Canadian Centre for Cyber Security issues alert on Fortinet flaws
On 2025-12-15, the Canadian Centre for Cyber Security warned that CVE-2025-59718 and CVE-2025-59719 pose a critical risk to affected Fortinet products and urged organizations to upgrade or disable FortiCloud login as a temporary mitigation. The alert also recommended broader defensive measures such as patching, segmentation, and isolating web-facing applications.
Dec 12, 2025
Attackers begin exploiting the Fortinet SSO vulnerabilities
Beginning on 2025-12-12, Arctic Wolf observed malicious SSO-based logins to FortiGate devices exploiting the newly disclosed flaws. The activity typically targeted built-in admin accounts and was followed by configuration exports, creating risk of credential exposure from exfiltrated files.
Dec 9, 2025
Fortinet discloses and patches FortiCloud SSO auth bypass flaws
On 2025-12-09, Fortinet publicly disclosed CVE-2025-59718 and CVE-2025-59719, two critical authentication bypass vulnerabilities affecting products that use FortiCloud SSO login, and released fixed versions. The flaws stem from improper verification of cryptographic signatures in SAML messages and can allow unauthenticated administrative access when FortiCloud SSO is enabled.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Organizations
Affected Products
Sources
5 more from sources like arctic wolf blog, the hacker news, securityaffairs and bleeping computer
Related Stories
Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet disclosed two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws allow unauthenticated attackers to bypass FortiCloud SSO login authentication by sending crafted SAML messages if the FortiCloud SSO feature is enabled. The vulnerabilities are not exploitable by default, but become active when devices are registered to FortiCare with administrative SSO enabled, increasing the risk for organizations that have enabled this feature. No exploitation in the wild or public proof-of-concept code has been reported as of the latest advisories, but security experts warn that threat actors are likely to target these vulnerabilities for initial access in the future. Fortinet and security researchers strongly recommend immediate upgrades to the latest fixed versions for all affected products to mitigate the risk. Detailed version guidance and mitigation steps have been provided to ensure organizations can secure their environments against potential attacks leveraging these flaws.
1 months ago
Critical Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet has disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products. These flaws stem from improper verification of cryptographic signatures in the FortiCloud SSO login feature, allowing unauthenticated attackers to bypass authentication by sending crafted SAML response messages. The vulnerabilities are remotely exploitable and impact a wide range of product versions, but the FortiCloud SSO login is not enabled by default unless the device is registered to FortiCare and the feature is explicitly activated. Administrators are strongly advised to disable the FortiCloud SSO login feature if enabled and to apply the latest security updates provided by Fortinet. Additional mitigations include using the device's GUI or CLI to turn off administrative login via FortiCloud SSO. Fortinet also addressed other vulnerabilities in the same advisory, but the authentication bypass flaws pose the most immediate risk due to their critical severity and potential for exploitation in the wild. Organizations should prioritize patching and review their FortiCloud SSO configurations to reduce exposure.
1 months ago
Critical Authentication Bypass Vulnerabilities in Fortinet Products via FortiCloud SSO
Fortinet has disclosed and patched two critical authentication bypass vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws, rated with a CVSS score of 9.1, stem from improper verification of cryptographic signatures in the FortiCloud SSO login process. An unauthenticated attacker could exploit these vulnerabilities by sending a crafted SAML message, potentially gaining unauthorized administrative access if FortiCloud SSO is enabled. By default, FortiCloud SSO is disabled, but it is automatically enabled during FortiCare registration unless the administrator explicitly disables the relevant toggle. Fortinet has released fixed versions for all affected products and strongly recommends that organizations upgrade immediately. As a temporary mitigation, disabling the FortiCloud SSO login feature is advised until the upgrade can be completed. There is currently no evidence of exploitation in the wild, and no public proof-of-concept code is available, but the history of threat actors targeting Fortinet products underscores the urgency of patching. The vulnerabilities impact a range of versions across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, with unaffected versions and upgrade paths detailed in the advisories.
1 months ago