Fortinet's Critical SSO Bypass Vulnerability

Fortinet has recently confirmed active exploitation of a critical authentication bypass vulnerability in its FortiCloud Single Sign-On (SSO) service. Despite an earlier patch, attackers are successfully compromising FortiGate firewalls, prompting urgent action from affected organizations globally.

Understanding the Vulnerability

The vulnerability, tracked as CVE-2025-59718 and CVE-2025-59719, affects the SAML-based SSO authentication in FortiGate firewalls when integrated with FortiCloud. This flaw allows unauthenticated attackers to bypass the login process by crafting malicious SAML messages. This means that an attacker, without needing valid credentials, can gain administrative access to the firewall.

Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts | Arctic Wolf

Arctic Wolf has observed a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices.

Arctic WolfArctic Wolf Labs

Initially, Fortinet released a security patch in December 2025 to address these issues. However, the company has since acknowledged that this patch was incomplete, and threat actors quickly adapted their methods to continue exploiting the vulnerability. Recent reports, including those from BleepingComputer, indicate that these attacks are often automated, with malicious actors creating rogue user accounts and exfiltrating firewall configurations within moments of gaining access.

Fortinet's Chief Information Security Officer (CISO), Carl Windsor, has further clarified that the underlying issue extends beyond just FortiCloud SSO, impacting all SAML SSO implementations. This broader context emphasizes that the threat is not isolated to a single service but points to potential vulnerabilities in how SAML-based authentication is handled more generally.

Impact on Organizations

The implications of this vulnerability are severe for any organization utilizing affected FortiGate firewalls. A successful bypass grants the attacker full administrative control over the firewall, which can lead to:

• Complete Network Compromise: The firewall serves as a primary security perimeter. Its compromise can provide attackers an entry point to the internal network, enabling lateral movement, data exfiltration, and disruption of services.
• Data Exfiltration: Attackers have been observed downloading firewall configurations, which can contain sensitive network topology information, credentials, and security policies that can be leveraged for further attacks.
• Persistent Access: The creation of unauthorized administrative accounts allows threat actors to maintain a foothold within the network, even if initial access methods are discovered and blocked.

The seriousness of CVE-2025-59718 is underscored by its inclusion in the US Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities catalog, signaling that this is a threat actively being used by adversaries.

Key Mitigation Steps for Protection

Given the active exploitation, immediate action is crucial for organizations using FortiGate firewalls with FortiCloud SSO enabled. Fortinet has provided the following key mitigation steps:

1. Restrict Administrative Access: Implement a local-in policy on your FortiGate firewall to limit administrative access from untrusted networks, particularly the public internet. This ensures that even if an attacker attempts to exploit the SSO bypass, they cannot reach the administrative interface from external sources.
2. Disable FortiCloud SSO for Administrative Logins: If your organization does not require administrative logins via FortiCloud SSO, it is strongly recommended to disable this feature. Navigate to System -> Settings -> Switch within your FortiGate interface and toggle off the option "Allow administrative login using FortiCloud SSO." This directly removes the attack vector for this specific vulnerability.
3. Incident Response Planning: For any organization that suspects compromise, or for those wishing to be proactive, a comprehensive incident response is essential. This includes:
   • Treating the system as fully compromised.
   • Rotating all administrative credentials across all affected and related systems.
   • Restoring configurations from a known clean and verified backup.
   • Thoroughly reviewing logs for any anomalous activity or unauthorized account creation.

PSIRT Advisories | FortiGuard Labs

FortiGuard Labs

Organizations are advised to closely monitor Fortinet's official PSIRT advisories for further updates and patches related to this evolving threat. Staying informed and taking swift action are paramount to maintaining network security in the face of such critical vulnerabilities.