Urgent warning: Hackers are exploiting Fortinet vulnerabilities to gain administrative rights
An attack campaign took place just days after the vulnerability was announced, putting a series of systems at risk and taking over Fortinet
Overview
On December 16, 2025, a new attack campaign is quietly targeting Fortinet FortiGate devices, directly exploiting the recently disclosed critical SSO authentication vulnerabilities. Worryingly, in-the-wild exploits have appeared very shortly after the vulnerability information was released, indicating the readiness and rapid weaponization capability of attack groups.
Instead of using complex intrusion techniques, the attackers focus on bypassing the Single Sign-On (SSO) authentication mechanism—a feature designed to enhance convenience for administrators. By exploiting errors in SAML processing, they can bypass legitimate login steps, directly access the FortiGate management interface, and perform dangerous actions such as exporting the entire device configuration.
This analysis will delve into the nature of the vulnerability, real-world exploitation methods, potential impacts on organizations, and provide practical response recommendations to help IT and SOC teams mitigate risks during this sensitive time.
Severity Assessment
Two vulnerabilities actively exploited by attackers in this campaign are identified as CVE-2025-59718 and CVE-2025-59719.
CVE-2025-59718
CVE-2025-59718 is a very serious vulnerability in the authentication bypass category with the following ratings:
NIST: NVD Base Score: N/A.
CNA: Patchstack Base Score: 9.8 - CRITICAL Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
CVE-2025-59719
CVE-2025-59719 is a Critical authentication bypass vulnerability affecting FortiWeb versions when the FortiCloud SSO (Single Sign-On) feature is enabled, with the following ratings:
NIST: NVD Base Score: N/A.
CNA: Patchstack Base Score: 9.8 - CRITICAL Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Scope of Impact
The campaign exploiting the vulnerabilities CVE-2025-59718 and CVE-2025-59719 has a broad and dangerous impact, targeting many of Fortinet's key products, including:
FortiGate – firewall and network gateway, often serving as the first line of defense.
FortiProxy – secure proxy device.
FortiSwitchManager – switch management platform.
FortiWeb – Web Application Firewall (WAF).
Group of vulnerabilities CVE-2025-59718
FortiOS (FortiGate)
7.0.x: từ 7.0.0 → 7.0.17
7.2.x: từ 7.2.0 → 7.2.11
7.4.x: từ 7.4.0 → 7.4.8
7.6.x: từ 7.6.0 → 7.6.3
FortiProxy
7.0.x → 7.0.17
7.2.x → 7.2.11
7.4.x → 7.4.8
7.6.x → 7.6.3
FortiSwitchManager
7.0.x → 7.0.6
7.2.x → 7.2.6
Group of vulnerabilities CVE-2025-59719
FortiWeb
8.0.0
7.6.x: từ 7.6.0 → 7.6.4
7.4.x: từ 7.4.0 → 7.4.9
Cause of the vulnerability
The root cause of the CVE-2025-59718 and CVE-2025-59719 vulnerabilities stems from a logic error in the FortiCloud SSO authentication mechanism, specifically in the processing and verification of SAML (Security Assertion Markup Language) messages.
Incomplete SAML Signature Verification (Root Cause)
This can be seen as the core reason for this campaign, where the affected Fortinet products did not properly or fully check the cryptographic signature of the SAML response provided by FortiCloud SSO. This inadvertently led to:
The device incorrectly trusting the authentication source
Accepting forged SAML responses created by attackers
Allowing the login process to be completed without valid credentials
Exploitation Scenario
To better understand, let's go through a scenario exploiting this chain of vulnerabilities. The attack campaign takes advantage of the authentication bypass vulnerability in FortiCloud SSO, following a model of direct attack – no authentication needed – focusing on edge devices.
First, the attacker will scan the Internet to find FortiGate / FortiWeb / FortiProxy devices exposed to the Internet, as well as the management ports (HTTPS/SSL VPN). From there, they will gather data such as:
FortiOS/FortiWeb version
Indication that FortiCloud SSO is enabled
After identifying a suitable target, the attacker will create a forged SAML Response, in which they:
Self-assign the user's identity (e.g., admin)
Insert attributes that are valid in format
Right from the start, as analyzed, the device does not fully verify the SAML signature and does not correctly check the issuer/audience. This inadvertently allows attackers to easily bypass authentication.
The attacker will send a forged SAML response (prepared as mentioned above) to the SSO endpoint of the Fortinet device. Here, due to the vulnerability, the device believes the request is valid from FortiCloud and completes the login process without a password. As a result, the attacker gains Initial Access with administrative privileges.
After gaining access to the GUI or admin API, the attacker will export the full configuration and collect some important data:
User accounts & password hashes
VPN credentials
Firewall rules, routing
Network topology
Once inside the system, the attacker continues to maintain access by creating a hidden Admin account. Additionally, they will install a backdoor, set up policies to allow access from the attacker's IP, and create unauthorized VPN tunnels.
Finally, the attacker will use the configuration information above to:
Access internal VPN
Attack backend servers
All of this has effectively turned the Fortinet device into a pivot point for APT. Naturally, once the attack is complete, the attacker will delete or tamper with logs to evade analysts. They will wait for the right moment to exploit again if the system remains unpatched.
Recommendations
Update patches IMMEDIATELY (Highest priority)
Upgrade Fortinet devices to the officially patched version released by Fortinet.
Do not delay updates just because "the system is stable" – current campaigns show hackers do not need passwords to infiltrate.
For large production environments:
Prioritize patching Internet-facing devices
Follow this order: FortiGate → FortiWeb → FortiProxy
Reference update link: PSIRT | FortiGuard Labs
Disable FortiCloud SSO if not patched
Turn off FortiCloud SSO on all Fortinet devices if:
Not used frequently
Or unable to upgrade in time
Check carefully because FortiCloud SSO:
May be enabled silently after registering FortiCare
Many admins did not actively enable it but are still affected
Minimize access to the admin interface
Do not expose the Fortinet admin interface directly to the Internet
Apply these measures:
Allow access only from whitelisted IPs
Admin access through VPN or Bastion Host
Use MFA for all admin accounts
Change all related credentials
In case the device may have been compromised:
Change:
Fortinet admin passwords
VPN accounts
API keys, integration tokens
Conclusion
The campaign exploiting vulnerabilities CVE-2025-59718 and CVE-2025-59719 once again highlights a worrying reality: network devices and firewalls, which are considered the last line of defense, are becoming priority targets for hackers. When core authentication mechanisms like SSO are bypassed, all subsequent layers of protection become nearly meaningless.
The danger of this campaign lies not only in the severity of the vulnerabilities but also in the fact that exploitation occurs quickly, silently, and without authentication. Many organizations may have been breached without even realizing it, while Fortinet devices continue to operate “normally” on the surface.
This incident also reflects a clear trend in the current threat landscape: hackers are shifting their focus to edge devices and network infrastructure, where compromising a single point can expose the entire system behind it. Convenient features like FortiCloud SSO, if not managed and updated in a timely manner, can quickly become critical weaknesses.
