Two critical authentication bypass vulnerabilities in Fortinet's FortiCloud SSO are being actively exploited in the wild, putting approximately 30,000 Internet-exposed Fortinet instances at immediate risk. If your organization relies on FortiGate firewalls, FortiProxy, FortiWeb WAFs, or FortiSwitchManager, you need to act now.

What Happened

On December 9, 2025, Fortinet released patches for two critical vulnerabilities—CVE-2025-59718 and CVE-2025-59719—affecting its FortiCloud Single Sign-On (SSO) implementation. Both vulnerabilities carry a CVSS score of 9.8 (Critical), the near-maximum severity rating.

Within just four days of disclosure, security researchers began observing active exploitation attempts. According to Rapid7's threat intelligence team, exploitation activity was detected against honeypots starting December 13, 2025. The attacks are not theoretical—they're happening right now.

Recognizing the severity, CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16, 2025, mandating federal agencies to patch within strict timelines and signaling to private organizations the urgency of remediation.

Technical Details

Both vulnerabilities target Fortinet's SAML-based authentication mechanism within FortiCloud SSO. Here's how they work:

CVE-2025-59718 exploits improper validation of SAML assertions during the authentication flow. An unauthenticated remote attacker can craft malicious SAML responses that the affected Fortinet products accept as legitimate, effectively bypassing the entire authentication process.

CVE-2025-59719 compounds this issue through a related flaw in session token handling post-authentication. When chained together, these vulnerabilities allow attackers to gain full administrative access to affected devices without any credentials.

According to Dataminr's intelligence brief, attackers are following a consistent post-exploitation pattern: immediately after gaining access, they download system configuration files containing hashed credentials. This suggests threat actors are building credential databases for future attacks or lateral movement within compromised networks.

The affected products include:

  • FortiOS (FortiGate firewalls)
  • FortiProxy
  • FortiWeb Web Application Firewalls
  • FortiSwitchManager

Impact Assessment

The scope of this vulnerability is substantial. VulnCheck and Dataminr analysis identified approximately 30,000 Internet-exposed Fortinet instances with FortiCloud SSO enabled that are potentially vulnerable.

The implications are severe:

Direct compromise: Attackers gaining administrative access to firewalls can disable security controls, create backdoor accounts, intercept traffic, or pivot deeper into internal networks.

Supply-chain risk: Fortinet devices often sit at the network perimeter, protecting critical infrastructure. A compromised firewall isn't just one breached device—it's a gateway to everything behind it.

Credential harvesting: The observed behavior of downloading configuration files with hashed credentials suggests attackers are planning persistent access or credential-stuffing campaigns against other systems.

Organizations in healthcare, finance, government, and critical infrastructure sectors—where Fortinet deployments are common—face elevated risk. The H-ISAC has issued alerts to healthcare organizations specifically.

What You Should Do

1. Patch immediately. Fortinet released patches on December 9, 2025. If you haven't applied them yet, do so now. Check Fortinet's security advisory for specific version numbers.

2. If patching isn't immediately possible, disable FortiCloud SSO. This is the recommended temporary mitigation. Switch to local authentication or alternative SSO providers until patches can be deployed.

3. Audit for compromise indicators. Review administrative account activity, check for newly created accounts, examine configuration change logs, and look for unusual configuration file access patterns.

4. Rotate credentials. If you suspect any exposure, rotate all administrative credentials for affected Fortinet devices and any credentials stored in device configurations.

5. Monitor network traffic. Watch for anomalous outbound connections from Fortinet devices, particularly to unknown external IPs.

6. Review exposure. Verify whether your Fortinet management interfaces are Internet-accessible. If they don't need to be, restrict access to trusted networks immediately.

Lessons Learned

This incident reinforces several critical security principles:

Perimeter devices are high-value targets. Firewalls, VPNs, and other edge security devices are increasingly targeted precisely because compromising them provides maximum impact. The security of your security infrastructure deserves special attention.

Patch velocity matters. The 4-day window between patch release and active exploitation demonstrates that threat actors are watching vendor advisories closely. Organizations need processes that can deploy critical patches within hours, not weeks.

Defense in depth remains essential. Organizations with network segmentation, robust logging, and anomaly detection are better positioned to detect and contain breaches even when perimeter devices fail.

SSO implementations require scrutiny. Centralized authentication systems are attractive targets because a single vulnerability can unlock access to multiple systems. Regular security assessments of SSO configurations should be standard practice.

Resources

This is a developing situation. We will update this article as new information becomes available.