A critical security crisis is unfolding for Fortinet administrators this week. Just days after the vendor disclosed two high-severity vulnerabilities, threat actors have begun actively exploiting them to bypass authentication on FortiGate appliances. A new report from Arctic Wolf confirms that starting December 12, 2025, attackers are leveraging these flaws to log in as administrators via Single Sign-On (SSO) and exfiltrate sensitive system configurations.
The attacks target CVE-2025-59718 and CVE-2025-59719, both rated with a critical CVSS score of 9.1. These vulnerabilities allow an unauthenticated attacker to bypass SSO login protections using crafted SAML messages—effectively walking through the front door without a key.
What makes this campaign particularly dangerous is a subtle configuration behavior that many administrators may have missed. While Fortinet’s advisory notes that the vulnerable FortiCloud SSO feature is disabled by default in factory settings, real-world deployments tell a different story.
Arctic Wolf researchers highlighted a critical caveat: “However, when administrators register devices using FortiCare through the GUI, FortiCloud SSO is enabled upon registration unless the ‘Allow administrative login using FortiCloud SSO’ setting is disabled on the registration page”.
This means that standard onboarding procedures effectively arm the vulnerability, leaving the device exposed unless the administrator explicitly intervenes.
The intrusion attempts observed by Arctic Wolf follow a distinct pattern. Attackers are originating from specific hosting providers—including The Constant Company LLC, Bl Networks, and Kaopu Cloud Hk Limited—and targeting the admin account directly.
The report captures the moment of compromise in system logs:
“Malicious logins were typically against the admin account… logdesc='Admin login successful' … method='sso'”.
Once inside, the attackers immediately pivot to data theft. “Following malicious SSO logins, configurations were exported to the same IP addresses via the GUI interface”. This exfiltration is catastrophic because firewall configurations often contain hashed credentials for VPN users and other local accounts.
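The two log facts the report gives (an admin login with method='sso', then a configuration export back to the same source IP) are enough to write a simple hunt over FortiGate event logs. The script below is an added example written for this article, not code from Arctic Wolf or Fortinet. The field names logdesc and method come from the quoted excerpt; the other fields (date, time, user, srcip, action) follow the usual FortiOS key=value event-log layout; the logdesc string used for a GUI configuration export ("Configuration backup") and the CLI setting name admin-forticloud-sso-login are my assumptions, so check both against what your firmware actually emits. The log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiOS key=value style. The "Configuration backup"
# logdesc for a GUI export is an assumption; adjust it to your firmware's wording.
SAMPLE_LOG = """\
date=2025-12-12 time=03:14:07 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" method="sso" srcip=203.0.113.45 action="login" status="success"
date=2025-12-12 time=03:15:02 type="event" subtype="system" level="information" logdesc="Configuration backup" user="admin" ui="https(203.0.113.45)" srcip=203.0.113.45 action="backup" status="success"
date=2025-12-12 time=09:02:11 type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.0.0.7)" method="https" srcip=10.0.0.7 action="login" status="success"
date=2025-12-12 time=09:05:40 type="event" subtype="system" level="information" logdesc="Configuration backup" user="netops" ui="https(10.0.0.7)" srcip=10.0.0.7 action="backup" status="success"
date=2025-12-13 time=22:47:51 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.9)" method="sso" srcip=198.51.100.9 action="login" status="success"
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value event-log line into a dict with a parsed 'ts' timestamp."""
    fields = {k: (q or b) for k, q, b in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def find_sso_login_then_export(log_text, window=timedelta(minutes=30),
                               export_desc="Configuration backup"):
    """Flag every successful admin login with method='sso' (the pattern the report
    describes), and mark whether the same source IP exported the configuration
    within `window` afterwards. Lines are assumed to be in chronological order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev.get("logdesc") != "Admin login successful" or ev.get("method") != "sso":
            continue
        exports = [e for e in events[i + 1:]
                   if e.get("logdesc") == export_desc
                   and e.get("srcip") == ev.get("srcip")
                   and timedelta(0) <= e["ts"] - ev["ts"] <= window]
        findings.append({
            "user": ev.get("user"),
            "srcip": ev.get("srcip"),
            "login": ev["ts"].isoformat(),
            "config_exported": bool(exports),
            "export_times": [e["ts"].isoformat() for e in exports],
            # an SSO admin login is suspicious on its own if FortiCloud SSO is not
            # something your team uses; a following export is the report's full pattern
            "severity": "critical" if exports else "high",
        })
    return findings


def forticloud_sso_enabled(show_system_global):
    """Check a 'show full-configuration system global' dump for the FortiCloud SSO
    admin-login setting. The name admin-forticloud-sso-login is my understanding of
    the FortiOS CLI, not taken from the article; verify it on your version. With a
    plain 'show', only non-default values print, so an absent line means the factory
    default, which Fortinet's advisory says is disabled."""
    m = re.search(r'^\s*set admin-forticloud-sso-login\s+(\w+)', show_system_global, re.M)
    return bool(m) and m.group(1) == "enable"


if __name__ == "__main__":
    for f in find_sso_login_then_export(SAMPLE_LOG):
        print(f)
```

On the sample data the script reports the 203.0.113.45 login as critical (SSO login followed by an export from the same IP) and the 198.51.100.9 login as high (SSO login, no export yet); the netops login over plain HTTPS is not flagged. In practice, feed it the output of a FortiAnalyzer or syslog export and widen the window if your retention makes the export show up later.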
Administrators are urged to upgrade to the latest fixed versions immediately (e.g., FortiOS 7.6.4, 7.4.9, 7.2.12, or 7.0.18).
For those who cannot patch immediately, a critical workaround exists. You can disable the vulnerable feature via the Command Line Interface (CLI):