Two maximum severity vulnerabilities have been identified in a range of Fortinet products, including the widely deployed FortiGate firewalls. These vulnerabilities, designated as CVE-2025-59718 and CVE-2025-59719, carry a CVSS score of 9.8, indicating their critical impact. The flaws allow for an unauthenticated bypass of SAML Single Sign-On (SSO) authentication, granting attackers unauthorized administrative access to the device.
Security researchers have confirmed that these vulnerabilities are under active attack in the wild as of December 12, 2025. This situation poses a severe risk to organizations relying on Fortinet for network perimeter security.
Root Cause Analysis
The root cause of these vulnerabilities lies in the implementation of the FortiCloud Single Sign-On (SSO) feature. While standard authentication mechanisms remain secure, the handling of SAML (Security Assertion Markup Language) messages within the FortiCloud SSO integration is flawed.
Specifically, the vulnerabilities allow an attacker to forge SAML messages. Because the system fails to properly validate these crafted messages, an unauthenticated remote attacker can bypass the login process entirely.
A critical nuance in this configuration is the “default” state of the feature. While Fortinet states that FortiCloud SSO is disabled by default in the firmware, it is automatically enabled during the device’s FortiCare registration process. Unless an administrator explicitly unchecks the “Allow administrative login using FortiCloud SSO” setting during registration, the device becomes vulnerable to this attack vector.
The Exploitation Process
Exploiting CVE-2025-59718 and CVE-2025-59719 allows an attacker to gain administrative access without valid credentials. The observed attack chain typically follows these steps:
- Reconnaissance: The attacker identifies a public-facing Fortinet device (FortiGate, FortiWeb, etc.) where the management interface is exposed and FortiCloud SSO is enabled.
- SAML Forgery: The threat actor crafts a malicious SAML assertion message designed to trick the authentication mechanism.
- Authentication Bypass: The crafted message is sent to the target device. Due to the vulnerability, the device accepts the message as valid, bypassing the standard login prompt.
- Access & Execution: The attacker gains access to the administrative GUI. Researchers have observed attackers immediately moving to export device configurations.
- Data Exfiltration: The configuration files, which contain hashed passwords, network maps, and policy data, are exfiltrated to attacker-controlled infrastructure.
Affected Products and Versions
The vulnerabilities affect a broad suite of Fortinet’s ecosystem.
The following table details the specific components and versions that require immediate attention:
| Product | Vulnerable Version Range | Fixed Version |
|---|---|---|
| FortiOS (FortiGate) | 7.6.0 through 7.6.3 | 7.6.4 |
| FortiOS (FortiGate) | 7.4.0 through 7.4.8 | 7.4.9 |
| FortiOS (FortiGate) | 7.2.0 through 7.2.11 | 7.2.12 |
| FortiOS (FortiGate) | 7.0.0 through 7.0.17 | 7.0.18 |
| FortiProxy | 7.6.0 through 7.6.3 | 7.6.4 |
| FortiProxy | 7.4.0 through 7.4.10 | 7.4.11 |
| FortiProxy | 7.2.0 through 7.2.14 | 7.2.15 |
| FortiProxy | 7.0.0 through 7.0.21 | 7.0.22 |
| FortiWeb | 8.0.0 | 8.0.1 |
| FortiWeb | 7.6.0 through 7.6.4 | 7.6.5 |
| FortiWeb | 7.4.0 through 7.4.9 | 7.4.10 |
| FortiSwitchManager | 7.2.0 through 7.2.6 | 7.2.7 |
| FortiSwitchManager | 7.0.0 through 7.0.5 | 7.0.6 |
Techniques and Tactics
These vulnerabilities map to several tactics and techniques in the MITRE ATT&CK framework. While the primary vector is Initial Access, the observed behavior involves Collection and Exfiltration.
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Attackers target the exposed management interface to bypass authentication. |
| Credential Access | T1606 | Forge Web Credentials | The core of the exploit involves forging SAML messages to impersonate valid users/admins. |
| Collection | T1005 | Data from Local System | Attackers are observed exporting the full device configuration via the GUI. |
| Exfiltration | T1048 | Exfiltration Over Web Service | Stolen configurations are sent to external IP addresses controlled by the threat actors. |
Mitigation & Remediation
To address this critical risk, organizations must act immediately. Mere monitoring is insufficient due to the speed at which these exploits are being automated.
Recommended steps for remediation:
- Apply Patches: Update FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager to the fixed versions listed in the table above immediately.
- Disable FortiCloud SSO: As a temporary workaround until patching is possible, administrators should manually disable the FortiCloud SSO feature on all management interfaces.
- Reset Credentials: If you suspect your device was exposed, assume compromise. Attackers extract configuration files containing hashed passwords. These can be cracked offline. Reset all administrative credentials and VPN secrets stored on the device.
- Limit Management Access: Ensure that management interfaces (HTTP/HTTPS/SSH) are not exposed to the open internet. Restrict access to trusted internal IP addresses or via a VPN.
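One way to turn the affected-versions table and the "disable FortiCloud SSO" workaround into a repeatable check is to parse an offline FortiGate configuration backup. This is an added example, not Fortinet's tooling or code from the original post; the `#config-version=` header layout, the sample configuration, and the `admin-forticloud-sso-login` CLI key under `config system global` are assumptions (the key is believed to be the CLI form of the GUI setting quoted in the advisory), and only the FortiOS rows of the table are encoded.

```python
import re

# Affected FortiOS (FortiGate) ranges and fixed releases, copied from the table above.
FORTIOS_RANGES = [
    ((7, 6, 0), (7, 6, 3), "7.6.4"),
    ((7, 4, 0), (7, 4, 8), "7.4.9"),
    ((7, 2, 0), (7, 2, 11), "7.2.12"),
    ((7, 0, 0), (7, 0, 17), "7.0.18"),
]

# Constructed sample: the first lines of a FortiGate config backup. The header
# layout and the admin-forticloud-sso-login key are assumptions, not values
# taken from this advisory.
SAMPLE_CONFIG = """\
#config-version=FGVM64-7.4.3-FW-build2573-240201:opmode=0:vdom=0:user=admin
config system global
    set admintimeout 5
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
"""

HEADER_RE = re.compile(r"^#config-version=[^-]+-(\d+)\.(\d+)\.(\d+)-")


def parse_version(config_text):
    """Extract (major, minor, patch) from the backup header, or None."""
    m = HEADER_RE.match(config_text.splitlines()[0])
    return tuple(int(x) for x in m.groups()) if m else None


def fixed_version_for(version):
    """Return the fixed release if `version` is in a vulnerable range, else None."""
    for low, high, fixed in FORTIOS_RANGES:
        if low <= version <= high:
            return fixed
    return None


def sso_login_enabled(config_text):
    """True if FortiCloud SSO admin login is enabled (assumed CLI key)."""
    return re.search(r"^\s*set admin-forticloud-sso-login enable\s*$",
                     config_text, re.M) is not None


def assess(config_text):
    """Combine the version check with the workaround state: a device is
    exposed only if it runs a vulnerable build AND SSO admin login is on."""
    version = parse_version(config_text)
    fixed = fixed_version_for(version) if version else None
    sso = sso_login_enabled(config_text)
    return {"version": version, "fixed_version": fixed,
            "sso_enabled": sso, "exposed": fixed is not None and sso}
```

A device on a vulnerable build with SSO login disabled is reported as not exposed but still needs the patch; a device already on a fixed release reports `fixed_version` as `None`.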
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
