Exploitation of Critical Authentication Bypasses in Fortinet FortiGate Devices
Recent cybersecurity developments have highlighted the exploitation of two critical vulnerabilities in Fortinet FortiGate devices, identified as CVE-2025-59718 and CVE-2025-59719. These vulnerabilities, with a CVSS score of 9.8, allow unauthenticated bypass of single sign-on (SSO) login authentication through crafted SAML messages. The flaws were disclosed publicly less than a week ago, and patches have been released by Fortinet for affected products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Arctic Wolf has reported active intrusions leveraging these vulnerabilities, specifically targeting the "admin" account on FortiGate appliances. The attacks involve malicious SSO logins using IP addresses from specific hosting providers. Following successful logins, attackers have been observed exporting device configurations to these IP addresses. Although the campaign is in its early stages and appears opportunistic, it underscores the urgency for organizations to apply the available patches.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating Federal Civilian Executive Branch agencies to implement the fixes by December 23, 2025. Organizations are advised to disable FortiCloud SSO until updates are applied and restrict access to management interfaces to trusted users.
Threats and Vulnerabilities
The primary threat involves two critical authentication bypass vulnerabilities in Fortinet FortiGate devices, CVE-2025-59718 and CVE-2025-59719. These vulnerabilities enable attackers to bypass SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled. The potential impact includes unauthorized access to network devices, leading to configuration data exfiltration and possible further network compromise.
Exploitation of these vulnerabilities has been observed in the wild, with attackers using IP addresses from specific hosting providers to perform malicious logins. The threat is particularly concerning for organizations that have not yet applied the patches or disabled the vulnerable SSO feature. Industries relying heavily on Fortinet products for network security are at heightened risk.
Client Impact
Clients using Fortinet FortiGate devices may face significant operational disruptions if these vulnerabilities are exploited. Unauthorized access could lead to data breaches, loss of sensitive configuration data, and potential financial losses due to downtime or remediation efforts. Additionally, organizations may suffer reputational damage if customer or partner data is compromised.
From a compliance perspective, failure to address these vulnerabilities could result in regulatory challenges, especially for industries subject to stringent cybersecurity standards. Non-compliance with CISA's directive for federal agencies could lead to audits or penalties.
Mitigations
To mitigate the risks associated with these vulnerabilities, clients should take the following actions:
- Apply the patches released by Fortinet for affected products immediately.
- Disable the FortiCloud SSO feature until devices are updated to the latest version.
- Restrict access to management interfaces of firewalls and VPNs to trusted internal users only.
- Monitor network traffic for indicators of compromise (IoCs) related to this campaign.
- Reset hashed firewall credentials stored in exfiltrated configurations if compromise is suspected.
- Strengthen password policies to prevent offline cracking of hashed credentials.
Implementing these measures will help reduce the risk of unauthorized access and data exfiltration. Clients should remain vigilant and continue monitoring for any signs of compromise while ensuring their systems are up-to-date with the latest security patches.
1898 & Co. Response
1898 & Co. is actively addressing the current threat landscape by offering specialized services to help clients secure their Fortinet devices against these vulnerabilities. Our team is focused on providing tailored solutions that include vulnerability assessments, patch management assistance, and configuration reviews to ensure robust security postures.
We are collaborating with industry partners and government agencies to gather threat intelligence and share insights on emerging threats. Our ongoing research efforts aim to identify new attack vectors and develop effective countermeasures to protect our clients' networks.
In addition, we offer incident response services to assist clients in quickly identifying and mitigating any potential breaches resulting from these vulnerabilities. Our case studies demonstrate successful mitigations that have helped organizations prevent unauthorized access and secure their critical infrastructure.