Fortinet's FortiGate Under Attack: A Critical SSO Flaw with Global Impact
A major security breach is unfolding, as threat actors actively exploit critical vulnerabilities in Fortinet's FortiGate devices, potentially impacting thousands of organizations worldwide. This attack bypasses authentication, granting attackers administrative access to sensitive systems.
The vulnerabilities, CVE-2025-59718 and CVE-2025-59719, allow attackers to perform single sign-on (SSO) logins without authentication, using malicious SAML messages. This grants them the keys to the kingdom, as administrative access is the ultimate goal for many cybercriminals.
But here's where it gets controversial: Fortinet's FortiCloud SSO, which is the target of these attacks, is disabled by default. However, a common oversight during device registration can automatically enable it, leaving devices exposed. This simple mistake has led to a global security crisis.
The attacks have been traced to a small set of IP addresses, hosted mainly by The Constant Company LLC and Kaopu Cloud HK Limited. Attackers are primarily targeting the default 'admin' account, a common weak point in many systems.
A sample log reveals the attack in action:
date=2025-12-12 time=REDACTED ... logid="0100032001" ... user="admin" ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 ... action="login" status="success" ...
Post-login, attackers downloaded device configurations, as shown below:
date=2025-12-12 time=REDACTED ... logid="0100032095" ... action="download" ... msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"
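As an added example (not Arctic Wolf's or Fortinet's own tooling), the following Python script parses FortiOS key=value log lines like the two above, flags a successful SSO login by an admin from an IP outside an expected set, and escalates when that same session goes on to download the system config. The sample lines and the allowlisted address 10.0.0.5 are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines modelled on the excerpts above (IPs defanged as on the page).
SAMPLE_LOGS = [
    'date=2025-12-12 time=REDACTED logid="0100032001" user="admin" ui="sso(199.247.7[.]82)" '
    'method="sso" srcip=199.247.7[.]82 action="login" status="success"',
    'date=2025-12-12 time=REDACTED logid="0100032095" user="admin" action="download" '
    'msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"',
    'date=2025-12-12 time=REDACTED logid="0100032001" user="admin" ui="https(10.0.0.5)" '
    'method="https" srcip=10.0.0.5 action="login" status="success"',
]

LOGIN_ID = "0100032001"            # admin login event (from the page's log sample)
CONFIG_DOWNLOAD_ID = "0100032095"  # system config downloaded (from the page's log sample)

# key=value pairs; values may be double-quoted and contain spaces (e.g. msg="...")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_SRC_RE = re.compile(r'\((.*?)\)')  # "GUI(199.247.7[.]82)" -> "199.247.7[.]82"


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split a FortiOS log line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def refang(ip: str) -> str:
    """Turn a defanged IP such as 1.2.3[.]4 back into a comparable string."""
    return ip.replace("[.]", ".")


def analyse(lines: List[str], expected_admin_sources: Set[str]) -> List[dict]:
    """Return findings: unexpected SSO admin logins, and config downloads tied to them."""
    findings = []
    suspicious: Set[tuple] = set()  # (user, ip) of SSO logins from outside the allowlist
    for line in lines:
        f = parse_fortios_line(line)
        logid, user = f.get("logid"), f.get("user", "")
        if logid == LOGIN_ID and f.get("method") == "sso" and f.get("status") == "success":
            ip = refang(f.get("srcip", ""))
            if ip not in expected_admin_sources:
                suspicious.add((user, ip))
                findings.append({"severity": "high", "user": user, "ip": ip,
                                 "reason": "SSO admin login from unexpected source"})
        elif logid == CONFIG_DOWNLOAD_ID:
            m = UI_SRC_RE.search(f.get("msg", ""))
            ip = refang(m.group(1)) if m else ""
            sev = "critical" if (user, ip) in suspicious else "medium"
            findings.append({"severity": sev, "user": user, "ip": ip,
                             "reason": "system config downloaded"})
    return findings
```

Run it against exported FortiGate event logs with your real management source ranges in `expected_admin_sources`; any "critical" finding matches the login-then-download sequence shown above.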
Arctic Wolf's MDR platform is on the case, identifying these patterns and alerting affected customers. Fortinet has released patches, but the damage may already be done for many.
Affected Products and Versions:
- FortiOS: 7.6.0 - 7.6.3, 7.4.0 - 7.4.8, 7.2.0 - 7.2.11, 7.0.0 - 7.0.17
- FortiProxy: 7.6.0 - 7.6.3, 7.4.0 - 7.4.10, 7.2.0 - 7.2.14, 7.0.0 - 7.0.21
- FortiSwitchManager: 7.2.0 - 7.2.6, 7.0.0 - 7.0.5
- FortiWeb: 8.0.0, 7.6.0 - 7.6.4, 7.4.0 - 7.4.9
Temporary Fix:
As a stopgap measure, organizations can disable FortiCloud SSO in the System Settings or via the CLI. This only removes the exposed login path; it is not a long-term substitute for patching.
And this is the part most people miss: The root cause of this issue highlights the importance of meticulous configuration during device setup. A simple oversight can lead to catastrophic consequences.
As attacks on firewalls rise, organizations should prioritize upgrading to the latest secure versions. Arctic Wolf advises vigilance and encourages affected organizations to take immediate action.
Stay tuned for more cybersecurity updates and insights. Share your thoughts: Do you think the industry is doing enough to prevent such critical vulnerabilities? What steps should organizations take to ensure secure device configurations?