Hackers Target Unpatched Fortinet Flaws After Fix
▼ Summary
– Hackers are exploiting two critical Fortinet vulnerabilities (CVE-2025-59718 and CVE-2025-59719) to bypass authentication and gain unauthorized admin access.
– These flaws are SAML signature validation bypasses affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb, but only when the non-default FortiCloud SSO feature is enabled.
– Attackers observed since December 12 have used this access to steal system configuration files, which can expose network details and hashed passwords for future attacks.
– Fortinet advises administrators of vulnerable versions to immediately disable the FortiCloud SSO login feature and upgrade to specific patched versions.
– If compromise is suspected, it is critical to rotate all firewall credentials and restrict management access to trusted internal networks.
Cybersecurity threats are escalating as malicious actors actively exploit two critical vulnerabilities in Fortinet products, gaining unauthorized administrative access and stealing sensitive system configuration data. These flaws, identified as CVE-2025-59718 and CVE-2025-59719, were disclosed by Fortinet on December 9th, with observed attacks commencing just days later. The vulnerabilities are authentication bypass issues within the FortiCloud Single Sign-On (SSO) feature, allowing attackers to log in without proper credentials by submitting forged SAML assertions. It is crucial to note that exploitation is only possible if the FortiCloud SSO feature is enabled. While not the default setting, this feature can be activated automatically during device registration via the FortiCare interface unless administrators explicitly disable it.
Security researchers from Arctic Wolf have been tracking these intrusions, which originated from IP addresses associated with several hosting providers. The attackers specifically target administrative accounts using malicious SSO logins. Once they gain elevated access, they proceed to the web management interface to perform actions like downloading the system’s configuration files. These configuration files are a significant risk, as they can reveal detailed network architecture, firewall policies, routing information, and even hashed passwords that could be cracked if not sufficiently strong. The theft of these files indicates a clear malicious intent beyond mere reconnaissance, potentially laying the groundwork for more extensive future attacks.
The impacted products include multiple versions of FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. Notably, FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2 are not affected. To defend against these ongoing exploits, Fortinet strongly advises administrators to immediately disable the FortiCloud SSO login feature if they are running a vulnerable version and cannot patch immediately. This setting can be found under System → Settings, where “Allow administrative login using FortiCloud SSO” should be turned off.
The permanent solution is to upgrade to a patched version. The following releases address both critical vulnerabilities:
- FortiOS 7.6.4 and above, 7.4.9+, 7.2.12+, and 7.0.18+
- FortiProxy 7.6.4 and above, 7.4.11+, 7.2.15+, and 7.0.22+
- FortiSwitchManager 7.2.7+ and 7.0.6+
- FortiWeb 8.0.1+, 7.6.5+, and 7.4.10+
If any indication of a breach is detected, organizations must rotate all firewall credentials without delay. As an additional security measure, experts recommend restricting management access for firewalls and VPNs exclusively to trusted internal networks, minimizing the attack surface available to external threats.
(Source: Bleeping Computer)
