{"id":9239,"date":"2025-12-16T10:03:40","date_gmt":"2025-12-16T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/16\/critical-fortigate-devices-sso-vulnerabilities-actively-exploited-in-the-wild\/"},"modified":"2025-12-16T10:03:40","modified_gmt":"2025-12-16T10:03:40","slug":"critical-fortigate-devices-sso-vulnerabilities-actively-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/16\/critical-fortigate-devices-sso-vulnerabilities-actively-exploited-in-the-wild\/","title":{"rendered":"Critical FortiGate Devices SSO Vulnerabilities Actively Exploited in the Wild"},"content":{"rendered":"

Critical FortiGate Devices SSO Vulnerabilities Actively Exploited in the Wild
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

An active intrusion is targeting critical authentication bypass vulnerabilities in Fortinet\u2019s FortiGate appliances and related products.<\/p>\n

Threat actors are exploiting CVE-2025-59718 and CVE-2025-59719 to perform unauthenticated single sign-on (SSO)<\/a> logins via malicious SAML messages, granting attackers administrative access.<\/p>\n

Fortinet disclosed the flaws in a PSIRT advisory on December 9, 2025. Arctic Wolf quickly followed with its own security bulletin, urging immediate patching.<\/p>\n

The vulnerabilities affect multiple product lines, FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud SSO is enabled.<\/p>\n

FortiCloud SSO<\/a> login remains disabled by default in factory settings. However, it activates automatically during device registration via FortiCare GUI unless administrators explicitly disable the \u201cAllow administrative login using FortiCloud SSO\u201d option. This common oversight exposes internet-facing devices to remote exploitation.<\/p>\n

Once enabled, attackers craft SAML assertions to bypass authentication entirely. Arctic Wolf reports<\/a> intrusions originating from a limited set of IP addresses assigned to providers such as The Constant Company LLC and Kaopu Cloud HK Limited. These actors primarily target the default \u201cadmin\u201d account.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n
IOC<\/th>\nHosting Provider<\/th>\n<\/tr>\n<\/thead>\n
45.32.153[.]218<\/td>\nThe Constant Company LLC<\/td>\n<\/tr>\n
167.179.76[.]111<\/td>\nThe Constant Company LLC<\/td>\n<\/tr>\n
199.247.7[.]82<\/td>\nThe Constant Company LLC<\/td>\n<\/tr>\n
45.61.136[.]7<\/td>\nBl Networks<\/td>\n<\/tr>\n
38.54.88[.]203<\/td>\nKaopu Cloud HK Limited<\/td>\n<\/tr>\n
38.54.95[.]226<\/td>\nKaopu Cloud HK Limited<\/td>\n<\/tr>\n
38.60.212[.]97<\/td>\nKaopu Cloud HK Limited<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

A sample log from a compromised FortiGate shows a successful SSO login:
date=2025-12-12 time=REDACTED ... logid=\"0100032001\" ... user=\"admin\" ui=\"sso(199.247.7[.]82)\" method=\"sso\" srcip=199.247.7[.]82 ... action=\"login\" status=\"success\" ...<\/code><\/p>\n

Post-login, attackers exported device configurations via GUI from the same IPs, as evidenced by:
date=2025-12-12 time=REDACTED ... logid=\"0100032095\" ... action=\"download\" ... msg=\"System config file has been downloaded by user admin via GUI(199.247.7[.]82)\"<\/code><\/p>\n

Arctic Wolf\u2019s managed detection and response (MDR) platform identifies these patterns and continues alerting affected customers.<\/p>\n

Fortinet has released<\/a> fixed versions across branches. Products like FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2 remain unaffected.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Product<\/th>\nAffected Versions<\/th>\nFixed Version<\/th>\n<\/tr>\n<\/thead>\n
FortiOS 7.6<\/td>\n7.6.0 \u2013 7.6.3<\/td>\n7.6.4+<\/td>\n<\/tr>\n
FortiOS 7.4<\/td>\n7.4.0 \u2013 7.4.8<\/td>\n7.4.9+<\/td>\n<\/tr>\n
FortiOS 7.2<\/td>\n7.2.0 \u2013 7.2.11<\/td>\n7.2.12+<\/td>\n<\/tr>\n
FortiOS 7.0<\/td>\n7.0.0 \u2013 7.0.17<\/td>\n7.0.18+<\/td>\n<\/tr>\n
FortiProxy 7.6<\/td>\n7.6.0 \u2013 7.6.3<\/td>\n7.6.4+<\/td>\n<\/tr>\n
FortiProxy 7.4<\/td>\n7.4.0 \u2013 7.4.10<\/td>\n7.4.11+<\/td>\n<\/tr>\n
FortiProxy 7.2<\/td>\n7.2.0 \u2013 7.2.14<\/td>\n7.2.15+<\/td>\n<\/tr>\n
FortiProxy 7.0<\/td>\n7.0.0 \u2013 7.0.21<\/td>\n7.0.22+<\/td>\n<\/tr>\n
FortiSwitchManager 7.2<\/td>\n7.2.0 \u2013 7.2.6<\/td>\n7.2.7+<\/td>\n<\/tr>\n
FortiSwitchManager 7.0<\/td>\n7.0.0 \u2013 7.0.5<\/td>\n7.0.6+<\/td>\n<\/tr>\n
FortiWeb 8.0<\/td>\n8.0.0<\/td>\n8.0.1+<\/td>\n<\/tr>\n
FortiWeb 7.6<\/td>\n7.6.0 \u2013 7.6.4<\/td>\n7.6.5+<\/td>\n<\/tr>\n
FortiWeb 7.4<\/td>\n7.4.0 \u2013 7.4.9<\/td>\n7.4.10+<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

If malicious logs appear, reset all firewall credentials immediately. Even hashed passwords in exported configs remain vulnerable to offline dictionary attacks on weak secrets.<\/p>\n

Restrict management interfaces to trusted internal networks only. Arctic Wolf has tracked repeated campaigns<\/a> hitting Fortinet and similar appliances, often via exposed search engines.<\/p>\n

As a temporary workaround, disable FortiCloud SSO: Navigate to System > Settings and toggle \u201cAllow administrative login using FortiCloud SSO\u201d to Off, or run CLI:<\/p>\n

textconfig system global\nset admin-forticloud-sso-login disable\nend\n<\/code><\/pre>\n
Organizations should prioritize upgrades amid rising firewall targeting. Arctic Wolf emphasizes vigilance, with ongoing detections in place.<\/p>\n
Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n
The post Critical FortiGate Devices SSO Vulnerabilities Actively Exploited in the Wild<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Critical FortiGate Devices SSO Vulnerabilities Actively Exploited in the Wild An active intrusion is targeting critical authentication bypass vulnerabilities in Fortinet\u2019s FortiGate appliances and related products. Threat actors are exploiting CVE-2025-59718 and CVE-2025-59719 to perform unauthenticated single sign-on (SSO) logins via malicious SAML messages, granting attackers administrative access. Fortinet disclosed the flaws in a PSIRT […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,2169,124,131,648],"tags":[130],"class_list":["post-9239","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-exploit","category-phishing","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9239"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9239"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9239\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}