The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a critical vulnerability affecting multiple Fortinet network security and management platforms. This action follows evidence that the flaw is currently being utilized in the wild to bypass authentication controls.
The vulnerability, tracked as CVE-2025-59718 (CVSS Score: 9.1), is one of two critical authentication bypass issues disclosed by Fortinet on December 9. The second, tracked as CVE-2025-59719 (CVSS Score: 9.1), affects similar product lines, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Technical Analysis
Both vulnerabilities stem from the improper verification of cryptographic signatures within the Single Sign-On (SSO) mechanism. When the FortiCloud SSO feature is enabled, this validation gap allows an unauthenticated party to bypass login protocols using specially crafted SAML messages. Successful manipulation of this flaw permits a threat actor to assume administrative control over the affected device without valid credentials.
Network perimeter devices are critical control points for traffic flow and organizational security. As noted in CISA’s notification, these vulnerabilities pose significant risks to federal enterprises. Consequently, federal civilian executive branch agencies are mandated to patch the flaw by December 23 or discontinue the use of affected products until remediation is complete.
Observed Activity
Security researchers at Arctic Wolf report that unauthorized activity targeting these vulnerabilities began as early as December 12, shortly after disclosure. Their telemetry identified intrusions involving malicious SSO logins on FortiGate devices. These requests originated from a limited number of hosting providers, with IP addresses geolocated in Germany, the United States, and Asia.
The unauthorized activity primarily focused on administrative accounts. Following the authentication bypass, threat actors were observed exporting device configurations—which often include hashed credentials and sensitive network topology data—back to the originating IP addresses.
Configuration Risks
A specific design behavior in the affected products may increase exposure for some organizations. Fortinet notes that while FortiCloud SSO is disabled by default in factory settings, the feature automatically activates when administrators register devices through the graphical user interface (GUI) using FortiCare.
Unless the administrator explicitly disables the "Allow administrative login using FortiCloud SSO" toggle during registration, the vulnerable login pathway becomes active. This configuration nuance suggests that more devices may be exposed than initially assumed. Arctic Wolf researchers noted that management interfaces on firewalls and VPNs are frequent targets for mass scanning and identification by unauthorized parties.
Remediation and Mitigation
Fortinet has released patches across the affected product lines. Security teams should prioritize upgrading to the following versions or higher:
- FortiOS: 7.6.4, 7.4.9, 7.2.12, 7.0.18
- FortiProxy: 7.6.4, 7.4.11, 7.2.15, 7.0.22
- FortiSwitchManager: 7.2.7, 7.0.6
- FortiWeb: 8.0.1, 7.6.5, 7.4.10
Notably, FortiOS 6.4 and FortiWeb versions 7.0 and 7.2 are not affected by these vulnerabilities.
Immediate Workarounds
For organizations unable to apply patches immediately, Fortinet recommends a temporary workaround: disable the FortiCloud login feature. This can be done via the system settings menu or the command-line interface.
Piyush Sharma, CEO and co-founder of Tuskira, emphasizes that while patching is critical, immediate protection of the management plane is paramount. "The immediate risk isn't patching speed, it's the exposure of Internet-facing management interfaces," Sharma explained. He advises that teams can implement immediate defenses by disabling HTTP/HTTPS administrative access or restricting it solely to trusted IP addresses while patches are tested and deployed.
Post-Incident Validation
Long-term defense requires continuous monitoring for indicators of compromise (IoCs), such as unauthorized administrative accounts or unexpected SSL VPN sessions.
If suspicious activity matching the described patterns is observed, Arctic Wolf advises organizations to operate under the assumption that credentials have been compromised. Recommended actions include an immediate reset of firewall credentials and an expedited upgrade to patched versions. Because threat actors may attempt to crack hashed credentials offline, simply patching without resetting credentials may not be sufficient to secure the environment.
Maintaining strict control over management interfaces and ensuring timely updates remains the most effective strategy for protecting the network perimeter against these types of bypass techniques.