Hackers are exploiting critical-severity vulnerabilities affecting a number of Fortinet merchandise to get unauthorized entry to admin accounts and steal system configuration information.
The 2 vulnerabilities are tracked as CVE-2025-59718 and CVE-2025-59719, and Fortinet warned in an advisory on December 9 concerning the potential for exploitation.
CVE-2025-59718 is a FortiCloud SSO authentication bypass affecting FortiOS, FortiProxy, and FortiSwitchManager. It’s attributable to improper verification of cryptographic signatures in SAML messages, permitting an attacker to log in with out legitimate authentication by submitting a maliciously crafted SAML assertion.
CVE-2025-59719 is a FortiCloud SSO authentication bypass affecting FortiWeb. It arises from an analogous situation with the cryptographic signature validation of SAML messages, enabling unauthenticated administrative entry by way of solid SSO.
Each points are solely exploitable if FortiCloud SSO is enabled, which isn’t the default setting. Nevertheless, until the characteristic is explicitly disabled, it’s activated routinely when registering gadgets by means of the FortiCare consumer interface.
Concentrating on admin accounts
Researchers at cybersecurity firm Arctic Wolf noticed assaults exploiting the 2 security vulnerabilities beginning on December 12. They notice that the intrusions originated from a number of IP addresses linked to The Fixed Firm, BL Networks, and Kaopu Cloud HK.
Based mostly on Arctic Wolf observations, the attackers focused admin accounts with malicious single sign-on logins (SSO), as seen within the log under:
Supply: Arctic Wolf
After acquiring admin-level entry, the hackers accessed the net administration interface and carried out actions equivalent to downloading the system’s configuration information.
Supply: Arctic Wolf
Configuration information can expose community layouts, internet-facing providers, firewall insurance policies, doubtlessly weak interfaces, routing tables, and in addition hashed passwords that could be cracked if weak.
The exfiltration of those information means that the exercise just isn’t from researchers mapping weak endpoints, as exploitation is a part of a malicious operation that will help future assaults.
Blocking the assaults
The 2 flaws impression a number of variations of Fortinet merchandise apart from FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2.
To stop assaults, Fortinet recommends that admins nonetheless operating a weak model quickly disable the FortiCloud login characteristic till an improve to a safer model is feasible.
This may be performed from System → Settings → “Permit administrative login utilizing FortiCloud SSO” = Off.
System directors are really useful to maneuver to one of many following variations that deal with each vulnerabilities:
- FortiOS 7.6.4+, 7.4.9+, 7.2.12+, and seven.0.18+
- FortiProxy 7.6.4+, 7.4.11+, 7.2.15+, 7.0.22+
- FortiSwitchManager 7.2.7+, 7.0.6+
- FortiWeb 8.0.1+, 7.6.5+, 7.4.10+
If any indicators of compromise are found, it is suggested to rotate firewall credentials as quickly as potential. Arctic Wolf additionally recommends limiting firewall/VPN administration entry to trusted inside networks solely.
Damaged IAM is not simply an IT drawback – the impression ripples throughout your complete enterprise.
This sensible information covers why conventional IAM practices fail to maintain up with trendy calls for, examples of what “good” IAM seems to be like, and a easy guidelines for constructing a scalable technique.
