Two newly patched vulnerabilities in Fortinet products are being actively exploited by threat actors to gain unauthorized access to administrative interfaces.
The flaws, CVE-2025-59718 and CVE-2025-59719, allow attackers to bypass Single Sign-On (SSO) authentication by manipulating SAML assertions. Although patches were released in early December, attacks were observed within days of disclosure, affecting systems where FortiCloud SSO is enabled.
The SSO feature is disabled by default but is enabled automatically during the FortiCare registration process unless system administrators disable it manually. Cybersecurity company Arctic Wolf has observed that attackers are using this entry point to log in as admin users, extract data, and potentially gather credentials for further intrusion.
Fortinet has advised users to update their devices and deactivate the feature if patches cannot be applied immediately.
Why It Matters: This attack campaign takes advantage of a narrow vulnerability window that creates risk due to default registration settings. Organizations using Fortinet devices are advised to take urgent action, as attackers are already obtaining privileged access and exporting configurations that could be used in future compromises.
- Authentication Bypass Enables Admin Access Without Credentials: The two vulnerabilities allow attackers to gain full administrative control by submitting specially crafted SAML messages. These bypass the intended authentication checks due to flaws in signature verification, affecting several Fortinet products. The ability to completely skip login requirements presents a serious threat, particularly in environments where these devices serve as a security perimeter.
- FortiCloud SSO Activated Automatically Without User Input: FortiCloud SSO is enabled during the FortiCare registration process unless users take the extra step of manually disabling it. This creates a situation where administrators may not realize the feature is active, thereby unknowingly exposing their systems to unauthorized login attempts. Fortinet emphasizes that this setting should be reviewed immediately.
- Active Exploitation and Exfiltration of Sensitive Configuration Files: Security analysts reported that attackers are using IP addresses from known hosting providers to access Fortinet admin portals and export configuration files through the web interface. These files contain important information, such as network topologies, firewall policies, and hashed passwords, which could be cracked offline if they are not sufficiently strong. The activity is still being investigated, but evidence suggests malicious intent rather than benign scanning.
- Potential for Follow-Up Attacks Based on Extracted Data: Once attackers obtain configuration files, they gain insight into how a network is designed, including which services are exposed externally and what protections are in place. This level of information allows attackers to plan and launch further attacks if weak credentials are stored within the exported data. Fortinet advises customers to rotate all stored passwords and review any signs of tampering in administrative logs.
- Patch Guidance and Recommended Versions to Mitigate the Exploits: Fortinet has released patched versions for all affected products. Customers should upgrade to FortiOS 7.6.4 or later, FortiWeb 8.0.1 or later, and other corresponding secure versions listed in the vendor’s advisory. As a temporary measure, administrators can disable FortiCloud SSO by setting “Allow administrative login using FortiCloud SSO” to Off in the system settings. Organizations should also restrict access to the management interface from external networks to limit potential attack vectors.
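As a defender's triage step for the activity described above (admin logins from unexpected addresses followed by configuration exports), here is an added Python example, not code from the article, Arctic Wolf, or Fortinet: it scans constructed admin-event log lines, flags successful admin logins from outside an allowlist, and escalates any configuration export from an address that already produced such a login. The key=value log format, the field names, and the sample addresses are assumptions for illustration, not Fortinet's documented schema.

```python
import ipaddress
import re

# Constructed sample events in a generic key=value syslog style. The format and
# field names are an assumption for illustration, not Fortinet's documented schema.
SAMPLE_LOGS = """\
type="event" action="login" status="success" user="admin" method="sso" srcip="10.0.0.12"
type="event" action="login" status="success" user="admin" method="sso" srcip="198.51.100.23"
type="event" action="download" user="admin" srcip="198.51.100.23" msg="configuration backup downloaded"
type="event" action="login" status="failed" user="admin" method="password" srcip="192.0.2.9"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {k: q or b for k, q, b in KV_RE.findall(line)}


def triage(log_text, allowed_nets):
    """Flag successful admin logins from outside the allowlist and any config export.

    A config export from an address that already produced an untrusted login is
    escalated to critical; exports from other addresses are still reported for review.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    untrusted_logins = set()
    findings = []
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        src = ev.get("srcip")
        if not src:
            continue
        trusted = any(ipaddress.ip_address(src) in n for n in nets)
        if ev.get("action") == "login" and ev.get("status") == "success" and not trusted:
            untrusted_logins.add(src)
            findings.append({"rule": "admin_login_outside_allowlist", "srcip": src,
                             "method": ev.get("method"), "severity": "high"})
        elif ev.get("action") == "download" and "configuration" in ev.get("msg", ""):
            severity = "critical" if src in untrusted_logins else "medium"
            findings.append({"rule": "config_export", "srcip": src, "severity": severity})
    return findings


if __name__ == "__main__":
    # Treat only the internal management network as trusted for admin access.
    for finding in triage(SAMPLE_LOGS, ["10.0.0.0/8"]):
        print(finding)
```

Any hit on the escalated rule is a prompt to rotate the credentials stored in the exported configuration, as the advisory recommends.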
Go Deeper -> Hackers exploit newly patched Fortinet auth bypass flaws – BleepingComputer
Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass – The Hacker News