Executive Summary
In December 2025, over 25,000 internet-exposed Fortinet devices with FortiCloud Single Sign-On (SSO) enabled were found vulnerable to an actively exploited authentication bypass flaw (CVE-2025-59718/CVE-2025-59719). Threat actors leveraged a malicious SAML message to compromise admin accounts via the SSO interface, gaining unauthorized access to system configuration files that revealed credentials, service details, network layouts, and firewall policies. The wide exposure was confirmed by independent scans, while U.S. government agencies were urgently mandated by CISA to patch within a week due to mounting exploitation.
This incident highlights the persistent risk posed by poorly secured administrative interfaces, unpatched vulnerabilities, and credential-access techniques. Escalating regulatory pressure and attacker focus on identity-driven infrastructure demonstrate the need for robust segmentation and detection across all exposed assets.
Why This Matters Now
With active exploitation and over 25,000 devices exposed, the Fortinet SSO vulnerability poses immediate and large-scale risk to network security. Urgent patching is required as attackers are actively harvesting credentials and sensitive network data from unpatched interfaces, threatening operational continuity, regulatory compliance, and supply chain security.
Attack Path Analysis
Attackers exploited an authentication bypass vulnerability in FortiCloud SSO devices exposed to the internet to gain unauthorized access to administrative interfaces. Upon gaining privileged admin access, they extracted configuration files containing hashed credentials and information about the broader network setup. Using this information, adversaries could move laterally to other internal devices or cloud services. Remote command and control was established via the compromised admin portals, enabling further attacker actions. Sensitive files and potential credentials were exfiltrated, possibly leading to deeper compromise. Ultimately, attackers could disrupt services, weaken defenses, or leverage data for ransomware or follow-on attacks.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited CVE-2025-59718/59719 authentication bypass in internet-exposed FortiCloud SSO login interfaces via crafted SAML messages.
Related CVEs
CVE-2025-59718
CVSS 9.8An authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiOS – < 7.0.12, < 7.2.5, < 7.4.2
Fortinet FortiProxy – < 7.0.12, < 7.2.5, < 7.4.2
Fortinet FortiSwitchManager – < 7.2.3
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An authentication bypass vulnerability in FortiWeb allows unauthenticated attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – < 7.0.12, < 7.2.5, < 7.4.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Modify Authentication Process: Web Portal Modification
Forge Web Credentials: SAML Tokens
Valid Accounts
Network Sniffing
OS Credential Dumping
Data from Local System
Account Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Risk Management – Policies and Procedures for Handling Security Risks
Control ID: Article 21(2)a
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Authentication, Least Privilege Principle
Control ID: Identity – Authentication, Access Management
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure to FortiCloud SSO authentication bypass attacks affecting government agencies, with CISA mandating emergency patching by December 23rd under BOD 22-01.
Financial Services
High-risk authentication bypass vulnerability exposes banking systems to admin-level compromise, threatening sensitive financial data and regulatory compliance requirements like PCI DSS.
Health Care / Life Sciences
FortiCloud SSO vulnerabilities pose severe risks to healthcare networks, potentially exposing patient data and violating HIPAA compliance through unauthorized administrative access.
Defense/Space
Military networks face critical threats from authentication bypass attacks, exemplified by previous Chinese Volt Typhoon exploitation of Dutch Ministry of Defence systems.
Sources
- Over 25,000 FortiCloud SSO devices exposed to remote attackshttps://www.bleepingcomputer.com/news/security/over-25-000-forticloud-sso-devices-exposed-to-remote-attacks/Verified
- Hackers exploit newly patched Fortinet auth bypass flawshttps://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws/Verified
- Fortinet warns of critical FortiCloud SSO login auth bypass flawshttps://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-forticloud-sso-login-auth-bypass-flaws/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, east-west traffic controls, policy-driven egress filtering, and threat detection could have limited attackers to compromised interfaces, constrained lateral movement, and detected anomalous downloads. Network isolation and cloud-native enforcement would have prevented unrestricted admin access and reduced opportunity for exfiltration or impact.
Control: Zero Trust Segmentation
Mitigation: Prevents direct exposure of management interfaces to unauthorized users.
Control: Threat Detection & Anomaly Response
Mitigation: Detects anomalous or unauthorized admin login attempts.
Control: East-West Traffic Security
Mitigation: Blocks or monitors anomalous internal service-to-service communications.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline traffic inspection detects and can disrupt C2 behaviors.
Control: Egress Security & Policy Enforcement
Mitigation: Stops or alerts on unauthorized data exfiltration attempts.
Limits blast radius and automated blocks of destructive actions.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Protection
- User Authentication
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of system configuration files, including network layouts, firewall policies, and hashed passwords, which could lead to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately segment and restrict access to all cloud management interfaces using Zero Trust network policies.
- • Enforce egress policy controls to prevent unauthorized outbound data transfers from management devices.
- • Deploy continuous anomaly and threat detection on all admin access points to enable rapid incident response.
- • Apply east-west microsegmentation to contain lateral movement inside hybrid or multi-cloud environments.
- • Regularly audit and automate enforcement of security patches and exposure management for all public-facing devices.
