Fortinet's FortiGate Under Siege: Critical SSO Flaws Under Attack
A critical security threat is unfolding as malicious actors actively exploit severe vulnerabilities in Fortinet's FortiGate devices, compromising authentication and granting unauthorized access.
The attack involves leveraging CVE-2025-59718 and CVE-2025-59719, allowing attackers to perform single sign-on (SSO) without authentication. By crafting malicious SAML messages, they gain administrative privileges, a serious breach of security. But here's where it gets controversial: these vulnerabilities were only recently disclosed by Fortinet, yet threat actors are already exploiting them in the wild.
Fortinet's PSIRT advisory on December 9, 2025, revealed these flaws, prompting Arctic Wolf to issue a security bulletin urging immediate action. The vulnerabilities affect a range of products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud SSO is enabled. This feature is disabled by default, but it's automatically activated during device registration, unless manually disabled by administrators.
This oversight has left devices exposed to remote attacks. Attackers can now bypass authentication and access sensitive data. Intrusions have been traced back to specific IP addresses associated with The Constant Company LLC and Kaopu Cloud HK Limited. These actors target the default admin account, a critical vulnerability.
Log evidence reveals successful SSO logins and subsequent data exfiltration. Compromised FortiGate logs show attackers exporting device configurations, a serious breach. Arctic Wolf's MDR platform detects these patterns, alerting affected users.
Fortinet has released patches for affected products, but the damage may already be done. Products like FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2 are unaffected, but others require immediate updates. And this is the part most people miss: even hashed passwords in exported configs are at risk from offline attacks.
To mitigate the threat, organizations should reset firewall credentials and restrict management interfaces to trusted networks. Arctic Wolf's advice is timely, as similar appliances are under attack. As a temporary fix, disabling FortiCloud SSO can help. But the long-term solution is to prioritize upgrades and stay vigilant.
Stay tuned for the latest cybersecurity news and insights. Follow us on Google News, LinkedIn, and X, and contact us to share your stories. Let's stay secure together!
