Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass

These articles are AI-generated summaries. Please check the original sources for full details.

Threat actors are actively exploiting two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in Fortinet FortiGate devices just days after their disclosure on December 12, 2025, with Arctic Wolf observing malicious SSO logins. These flaws allow unauthenticated bypass of SSO login authentication via crafted SAML messages.

Why This Matters

Network security depends on strong authentication, but complex mechanisms such as SAML introduce vulnerabilities when they are improperly configured or left unpatched. Ideal models assume timely updates; in practice patching lags, leaving a window for exploitation. This campaign targets FortiGate and could affect thousands of organizations, and data exfiltration through configuration exports represents a significant risk, with potential incident response and remediation costs reaching millions.

Key Insights

  • Active Exploitation: Observed malicious SSO logins starting December 12, 2025 (Arctic Wolf).
  • SAML Complexity: SAML vulnerabilities often stem from improper message validation and trust relationships.
  • CISA Action: CVE-2025-59718 added to CISA’s KEV catalog; FCEB agencies must patch by December 23, 2025.
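The "SAML Complexity" insight above points at message validation and trust relationships. The following added example (not Fortinet code and unrelated to the specific flaws described) shows the checks a SAML service provider has to enforce on an incoming assertion before trusting it: a signature bound to the assertion, a trusted issuer, a validity window, an audience restriction matching this SP, and a subject confirmation bound to the ACS endpoint and the outstanding request. Cryptographic verification of the signature value against a pinned IdP certificate needs an XML-DSig library (for example python-xmlsec) and is outside this example; the issuer, audience and recipient values are hypothetical, and the sample assertions are constructed.

```python
# Added example: SAML assertion validation checks for a service provider (SP).
# Not vendor code. Signature presence/binding is checked here; the cryptographic
# XML-DSig verification itself must be done with a library such as python-xmlsec.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed trust configuration for a hypothetical SP.
TRUSTED_ISSUERS = {"https://idp.example.test/saml"}      # hypothetical IdP entity ID
EXPECTED_AUDIENCE = "https://sp.example.test/metadata"    # hypothetical SP entity ID
EXPECTED_RECIPIENT = "https://sp.example.test/saml/acs"   # hypothetical ACS URL


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2025-12-15T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, expected_in_response_to=None):
    """Return (ok, reasons); every failing check is collected, not only the first."""
    reasons = []
    try:
        root = ET.fromstring(xml_text)   # use defusedxml.ElementTree in production
    except ET.ParseError as exc:
        return False, [f"malformed XML: {exc}"]
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element"]

    # 1. The assertion must carry a signature whose Reference points at this
    #    assertion's ID; an unsigned assertion, or one signed elsewhere, is rejected.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        reasons.append("assertion is unsigned")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
            reasons.append("signature does not reference this assertion")

    # 2. Issuer must be one of the configured trust relationships.
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        reasons.append(f"untrusted issuer: {issuer!r}")

    # 3. Conditions: validity window and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            reasons.append("assertion not yet valid")
        if na is None or now >= _ts(na):
            reasons.append("assertion expired or has no expiry")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if EXPECTED_AUDIENCE not in audiences:
            reasons.append("audience does not match this SP")

    # 4. Bearer subject confirmation: correct recipient and binding to our request.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != EXPECTED_RECIPIENT:
            reasons.append("recipient mismatch")
        if expected_in_response_to and scd.get("InResponseTo") != expected_in_response_to:
            reasons.append("InResponseTo does not match an outstanding request")
    return not reasons, reasons


def build_sample(signed=True, audience=EXPECTED_AUDIENCE, issuer="https://idp.example.test/saml"):
    """Construct a sample assertion (placeholder signature value) for demonstration."""
    signature = (
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
        '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>' if signed else ""
    )
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1">
  <saml:Issuer>{issuer}</saml:Issuer>{signature}
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{EXPECTED_RECIPIENT}"
      InResponseTo="_req7" NotOnOrAfter="2025-12-15T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2025-12-15T11:55:00Z" NotOnOrAfter="2025-12-15T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""


NOW = datetime(2025, 12, 15, 12, 0, tzinfo=timezone.utc)   # constructed clock for the samples

if __name__ == "__main__":
    for label, doc in [("good", build_sample()), ("unsigned", build_sample(signed=False)),
                       ("wrong audience", build_sample(audience="https://other.example.test"))]:
        print(label, validate_assertion(doc, NOW, expected_in_response_to="_req7"))
```

The point of collecting every failed check rather than stopping at the first is operational: a rejected login that logs "assertion is unsigned" or "untrusted issuer" gives the SOC a concrete signal to alert on, whereas a bare "authentication failed" hides which trust boundary was probed.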

Practical Applications

  • Use Case: Organizations using FortiCloud SSO with FortiGate devices are at immediate risk of unauthorized access and potential data exfiltration.
  • Pitfall: Relying on default configurations (like automatic FortiCloud SSO enablement during FortiCare registration) without explicit security review amplifies risk.
