How could organizations have reduced risk from this breach?

Timely patching, restricting admin interface exposure, and enforcing Zero Trust segmentation would have minimized exploitability and lateral movement.

What are the compliance implications of this event?

Exposure of credentials and config data may put organizations at risk of violating HIPAA, PCI, or NIST mandates related to data protection and access controls.

Fortinet SSO Bypass: 25,000 Devices at Risk from Critical CVE-2025-59718 Exploit

Q: What vulnerability was exploited in this Fortinet incident?

Attackers leveraged authentication bypass flaws in FortiCloud SSO (CVE-2025-59718 and CVE-2025-59719) to gain admin access via malicious SAML messages.

A newly disclosed authentication bypass flaw in Fortinet's SSO puts over 25,000 organizations at risk, as threat actors exploit admin interfaces for credential and config theft.

Published: January 10, 2026

Share this on:

Executive Summary

In December 2025, over 25,000 internet-exposed Fortinet devices with FortiCloud Single Sign-On (SSO) enabled were found vulnerable to an actively exploited authentication bypass flaw (CVE-2025-59718/CVE-2025-59719). Threat actors leveraged a malicious SAML message to compromise admin accounts via the SSO interface, gaining unauthorized access to system configuration files that revealed credentials, service details, network layouts, and firewall policies. The wide exposure was confirmed by independent scans, while U.S. government agencies were urgently mandated by CISA to patch within a week due to mounting exploitation.

This incident highlights the persistent risk posed by poorly secured administrative interfaces, unpatched vulnerabilities, and credential-access techniques. Escalating regulatory pressure and attacker focus on identity-driven infrastructure demonstrate the need for robust segmentation and detection across all exposed assets.

Why This Matters Now

With active exploitation and over 25,000 devices exposed, the Fortinet SSO vulnerability poses immediate and large-scale risk to network security. Urgent patching is required as attackers are actively harvesting credentials and sensitive network data from unpatched interfaces, threatening operational continuity, regulatory compliance, and supply chain security.

Attack Path Analysis

Attackers exploited an authentication bypass vulnerability in FortiCloud SSO devices exposed to the internet to gain unauthorized access to administrative interfaces. Upon gaining privileged admin access, they extracted configuration files containing hashed credentials and information about the broader network setup. Using this information, adversaries could move laterally to other internal devices or cloud services. Remote command and control was established via the compromised admin portals, enabling further attacker actions. Sensitive files and potential credentials were exfiltrated, possibly leading to deeper compromise. Ultimately, attackers could disrupt services, weaken defenses, or leverage data for ransomware or follow-on attacks.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

High

Impact

Mediuminferred

Initial Compromise

Description

Attackers exploited CVE-2025-59718/59719 authentication bypass in internet-exposed FortiCloud SSO login interfaces via crafted SAML messages.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-59718
CVSS 9.8
An authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiOS – < 7.0.12, < 7.2.5, < 7.4.2
Fortinet FortiProxy – < 7.0.12, < 7.2.5, < 7.4.2
Fortinet FortiSwitchManager – < 7.2.3
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-59718 https://www.fortiguard.com/psirt/FG-IR-2025-123
CVE-2025-59719
CVSS 9.8
An authentication bypass vulnerability in FortiWeb allows unauthenticated attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – < 7.0.12, < 7.2.5, < 7.4.2
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-59719 https://www.fortiguard.com/psirt/FG-IR-2025-124

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Persistence

T1556.003

Modify Authentication Process: Web Portal Modification

Defense Evasion

T1606.002

Forge Web Credentials: SAML Tokens

Initial Access

T1078

Valid Accounts

Discovery

T1040

Network Sniffing

Credential Access

T1003

OS Credential Dumping

Collection

T1005

Data from Local System

Discovery

T1087

Account Discovery

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Strong Authentication for Access to System Components

Control ID: 8.3.1

The authentication bypass allowed unauthorized remote attackers to gain privileged access to systems without valid credentials, undermining requirements for secure authentication of all users to system components.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

Failure to appropriately mitigate critical authentication vulnerabilities in internet-facing infrastructure and inadequate access controls expose regulated covered entities to significant cybersecurity risk.

NIS2 Directive – Risk Management – Policies and Procedures for Handling Security Risks

Control ID: Article 21(2)a

The attack exploited weaknesses in identity and access management and exposed critical interfaces to the internet, indicating insufficient risk management practices required under NIS2.

DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework

Control ID: Article 6

Vulnerabilities in authentication and exposed management interfaces illustrate breakdowns in ICT risk management and system resilience controls mandated by DORA.

CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Authentication, Least Privilege Principle

Control ID: Identity – Authentication, Access Management

The attack leveraged a SAML authentication bypass and exposed privileged interfaces, demonstrating failure to enforce continuous authentication and least privilege access.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Government Administration

Critical exposure to FortiCloud SSO authentication bypass attacks affecting government agencies, with CISA mandating emergency patching by December 23rd under BOD 22-01.

Financial Services

High-risk authentication bypass vulnerability exposes banking systems to admin-level compromise, threatening sensitive financial data and regulatory compliance requirements like PCI DSS.

Health Care / Life Sciences

FortiCloud SSO vulnerabilities pose severe risks to healthcare networks, potentially exposing patient data and violating HIPAA compliance through unauthorized administrative access.

Defense/Space

Military networks face critical threats from authentication bypass attacks, exemplified by previous Chinese Volt Typhoon exploitation of Dutch Ministry of Defence systems.

Sources

Over 25,000 FortiCloud SSO devices exposed to remote attackshttps://www.bleepingcomputer.com/news/security/over-25-000-forticloud-sso-devices-exposed-to-remote-attacks/
Verified

Hackers exploit newly patched Fortinet auth bypass flawshttps://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws/

Verified

Fortinet warns of critical FortiCloud SSO login auth bypass flawshttps://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-forticloud-sso-login-auth-bypass-flaws/

Verified

Frequently Asked Questions

Attackers leveraged authentication bypass flaws in FortiCloud SSO (CVE-2025-59718 and CVE-2025-59719) to gain admin access via malicious SAML messages.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Zero Trust segmentation, east-west traffic controls, policy-driven egress filtering, and threat detection could have limited attackers to compromised interfaces, constrained lateral movement, and detected anomalous downloads. Network isolation and cloud-native enforcement would have prevented unrestricted admin access and reduced opportunity for exfiltration or impact.

Initial Compromise

Control: Zero Trust Segmentation

Mitigation: Prevents direct exposure of management interfaces to unauthorized users.

Privilege Escalation

Control: Threat Detection & Anomaly Response

Mitigation: Detects anomalous or unauthorized admin login attempts.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Blocks or monitors anomalous internal service-to-service communications.

Command & Control

Control: Cloud Native Security Fabric (CNSF)

Mitigation: Inline traffic inspection detects and can disrupt C2 behaviors.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Stops or alerts on unauthorized data exfiltration attempts.

Impact (Mitigations)

Limits blast radius and automated blocks of destructive actions.

Impact at a Glance

Affected Business Functions

Network Security
Data Protection
User Authentication

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of system configuration files, including network layouts, firewall policies, and hashed passwords, which could lead to unauthorized access and data breaches.

Recommended Actions

• Immediately segment and restrict access to all cloud management interfaces using Zero Trust network policies.
• Enforce egress policy controls to prevent unauthorized outbound data transfers from management devices.
• Deploy continuous anomaly and threat detection on all admin access points to enable rapid incident response.
• Apply east-west microsegmentation to contain lateral movement inside hybrid or multi-cloud environments.
• Regularly audit and automate enforcement of security patches and exposure management for all public-facing devices.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Fortinet SSO Bypass: 25,000 Devices at Risk from Critical CVE-2025-59718 Exploit

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-59718

Affected Products:

Exploit Status:

References:

CVE-2025-59719

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Modify Authentication Process: Web Portal Modification

Forge Web Credentials: SAML Tokens

Valid Accounts

Network Sniffing

OS Credential Dumping

Data from Local System

Account Discovery

Potential Compliance Exposure

PCI DSS 4.0 – Strong Authentication for Access to System Components

NYDFS 23 NYCRR 500 – Cybersecurity Policy

NIS2 Directive – Risk Management – Policies and Procedures for Handling Security Risks

DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework

CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Authentication, Least Privilege Principle

Sector Implications

Government Administration

Financial Services

Health Care / Life Sciences

Defense/Space

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads