FortiGate Firewalls Under Attack: Critical Auth Bypass Exploited

Summary
– Attackers are exploiting a critical Fortinet vulnerability (CVE-2025-59718) to bypass authentication on firewalls and steal configuration files containing sensitive network data.
– The flaw, along with CVE-2025-59719, stems from improper signature verification and is triggered by a malicious SAML response message.
– Fortinet patched the vulnerabilities and advises users to upgrade or disable the FortiCloud SSO login feature, which is not on by default.
– Following observed attacks, organizations must check logs for suspicious activity and assume compromised credentials if configurations were exfiltrated.
– CISA has mandated U.S. federal agencies to fix CVE-2025-59718 by December 23, 2025, due to active exploitation.

A critical security flaw in Fortinet’s widely used firewall products is now being actively exploited by attackers, allowing them to bypass authentication and steal sensitive configuration data. Researchers from Arctic Wolf confirmed on Tuesday that threat actors are leveraging vulnerability CVE-2025-59718 to gain unauthorized access to FortiGate firewalls. Once inside, they are systematically exporting system configuration files, which contain a treasure trove of information about network architecture, security policies, and even encrypted credentials that could fuel future, more damaging attacks.
This issue, along with a related flaw designated CVE-2025-59719, was originally discovered and patched by Fortinet earlier this year. Both vulnerabilities stem from a failure to properly verify cryptographic signatures. An attacker can exploit them by sending a manipulated SAML response message to a vulnerable device; this message falsely convinces the system that the user initiating the request is legitimate and should be granted access.
The scope of the threat is broad. CVE-2025-59718 impacts FortiOS, which runs on FortiGate firewalls, as well as FortiProxy secure web gateways and FortiSwitchManager. The second vulnerability, CVE-2025-59719, specifically affects FortiWeb, the company’s web application firewall. Fortinet publicly disclosed these flaws on December 9, 2025, advising customers to immediately upgrade to a fixed software version. As a temporary workaround, the company suggested turning off the FortiCloud login feature until an update can be applied.
It is important to note that the FortiCloud SSO login feature is not active by default. However, it can be inadvertently enabled. This happens if an administrator uses the device’s graphical interface to register the appliance with FortiCare, Fortinet’s support service, but neglects to disable the “Allow administrative login using FortiCloud SSO” option on the registration page.
The need for action is urgent. Arctic Wolf’s threat intelligence team began observing malicious SSO logins targeting FortiGate devices on December 12. These unauthorized access attempts originated from various IP addresses associated with multiple hosting providers. In these incidents, attackers typically targeted the administrator account. Following a successful malicious login, the intruders proceeded to export the device’s configuration files back to their own IP addresses via the graphical interface.
Organizations using vulnerable FortiGate firewalls with the FortiCloud SSO feature enabled must immediately check their system logs for any suspicious login activity. They should also look for known indicators of compromise. If any malicious activity matching the patterns described in security advisories is found, administrators must operate under the assumption that any hashed firewall credentials within the stolen configuration files are now compromised. Those credentials should be reset as quickly as possible.
Beyond credential rotation, security experts strongly advise network administrators to restrict access to the management interfaces of all critical network appliances, including firewalls and VPN gateways. Access should be limited strictly to trusted internal users on necessary networks. The severity of this threat has been formally recognized by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog. This action mandates all federal civilian agencies to patch the vulnerability by December 23, 2025.
(Source: HelpNet Security)