Executive Summary
In December 2025, threat actors began exploiting two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719, both CVSS 9.8) in Fortinet FortiGate appliances. By targeting the FortiCloud SSO feature—enabled during FortiCare registration—they leveraged crafted SAML messages to gain unauthorized access to admin accounts. Once inside, attackers exported device configuration files, risking credential compromise and broader network infiltration. The U.S. CISA quickly classified the flaws as Known Exploited Vulnerabilities, urging immediate patching.
This incident demonstrates the evolving risk of identity-driven network attacks and rapid exploitation following vulnerability disclosure. With opportunistic threat actors targeting edge infrastructure, similar authentication-based attacks are likely to increase, further incentivized by regulatory and industry pressure for swift vulnerability management.
Why This Matters Now
These exploits show how attackers are rapidly weaponizing authentication vulnerabilities in widely deployed network infrastructure. With critical government directives mandating fixes, organizations must assess SSO exposures and enforce swift patching to prevent opportunistic compromises and downstream breaches.
Attack Path Analysis
Attackers exploited SAML SSO authentication bypass vulnerabilities in externally exposed FortiGate devices to gain unauthorized administrative access. Once inside, they acquired elevated privileges associated with admin accounts, allowing full configuration access. Although explicit lateral movement was not observed, attackers could have pivoted to other internal resources given broad access. Malicious actors established remote control via the management interface to export configurations. Device configuration files were then exfiltrated to attacker-controlled IP addresses. The impact includes potential credential compromise and risk of follow-on attacks, but evidence of destructive activity was not found.
Kill Chain Progression
Initial Compromise
Description
Threat actors exploited FortiGate SAML SSO authentication bypass vulnerabilities (CVE-2025-59718/59719) via exposed management interfaces to gain initial unauthorized access.
Related CVEs
CVE-2025-59718
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet products allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML messages.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, 7.0.0 through 7.0.21
Fortinet FortiSwitchManager – 7.2.0 through 7.2.6, 7.0.0 through 7.0.5
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – 8.0.0, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Exploit Public-Facing Application
Modify Authentication Process: Network Device Authentication
Brute Force: Password Spraying
Network Sniffing
Automated Exfiltration
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-factor Authentication for Access to System Components
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Access Privileges
Control ID: 500.03, 500.07
DORA (Regulation (EU) 2022/2554) – ICT Risk Management & Testing
Control ID: Article 9, Article 10
CISA Zero Trust Maturity Model 2.0 – Enforce Strong Authentication and Least Privilege
Control ID: Identity Pillar: Authentication & Authorization
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to SAML SSO authentication bypass attacks targeting FortiGate network infrastructure, risking customer data breach and regulatory compliance violations.
Health Care / Life Sciences
Fortinet FortiGate vulnerabilities threaten patient data security through network infrastructure compromise, requiring immediate HIPAA compliance remediation and patch deployment.
Government Administration
CISA KEV listing mandates federal agencies patch FortiGate SAML bypass vulnerabilities by December 23, 2025, preventing unauthorized administrative access exploitation.
Information Technology/IT
IT service providers face cascading security risks from FortiGate authentication bypass, threatening client network infrastructures and managed security service integrity.
Sources
- Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypasshttps://thehackernews.com/2025/12/fortinet-fortigate-under-active-attack.htmlVerified
- Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719https://arcticwolf.com/resources/blog-uk/arctic-wolf-observes-malicious-sso-logins-on-fortigate-devices-following-disclosure-of-cve-2025-59718-and-cve-2025-59719/Verified
- Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flawshttps://thehackernews.com/2025/12/fortinet-ivanti-and-sap-issue-urgent.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
CNSF and Zero Trust controls such as strict network segmentation, least-privilege access, inline threat detection, and egress policy enforcement would have significantly reduced the attack surface, rapidly detected misuse, and blocked configuration exfiltration—even if the initial exploit occurred.
Control: Zero Trust Segmentation
Mitigation: Untrusted external access to admin interfaces is blocked or tightly restricted.
Control: Cloud Native Security Fabric (CNSF) — Inline Enforcement
Mitigation: Abuse of administrative permissions is detected through visibility and policy enforcement.
Control: East-West Traffic Security
Mitigation: Unusual internal connections and pivot attempts are blocked or logged for response.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious remote management sessions are rapidly detected and triggered for response.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data transfers to unapproved destinations are blocked or flagged for review.
Centralized visibility supports rapid credential rotation and incident remediation.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- User Authentication Services
- Remote Access Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of network configurations and administrative credentials due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately enforce Zero Trust segmentation and limit management interfaces to trusted networks and users only.
- • Deploy inline threat detection and anomaly response to rapidly flag and quarantine suspicious authentication or administrative actions.
- • Implement strict egress filtering to prevent unauthorized export of sensitive configuration or credential data.
- • Continuously monitor, baseline, and log all cloud and network administrative access for early detection of abuse.
- • Apply the latest security patches, disable unused SSO integrations, and rotate credentials whenever device configurations may be exposed.
