The very systems designed to streamline and secure network access have become the epicenter of a significant cybersecurity crisis, as threat actors are now actively exploiting two critical authentication bypass vulnerabilities in widely used Fortinet products. These severe flaws, identified as CVE-2025-59718 and CVE-2025-59719, each carry a CVSS score of 9.8 out of 10, signaling a catastrophic potential for damage. The core of the exploit allows an unauthenticated attacker to completely circumvent single sign-on (SSO) protocols by submitting specially crafted Security Assertion Markup Language (SAML) messages to a vulnerable device. This attack vector is only viable when the FortiCloud SSO feature is enabled, a condition that is more common than many administrators might realize. A concerning point of agreement among security professionals is the inherent risk associated with the feature’s activation process. Although disabled by default in a fresh installation, the FortiCloud SSO feature is automatically enabled the moment a device is registered with FortiCare for support, creating a vast and often unseen attack surface for countless organizations that may not have manually disabled this setting post-registration.
The Anatomy of an Exploit
Unmasking the Attack Vector
At the heart of this security event lies a sophisticated manipulation of the SAML protocol, a standard that enables secure identity federation and single sign-on capabilities. Attackers have discovered a method to construct malicious SAML messages that, when sent to a FortiGate device with FortiCloud SSO active, trick the system into granting administrative access without any valid credentials. This technique effectively breaks the chain of trust that SSO is designed to create, turning a feature intended for convenience and centralized management into a glaring security hole. The successful execution of this attack hinges entirely on the target device having the FortiCloud SSO feature enabled. While this prerequisite may seem like a limiting factor, the automatic enablement of this feature during routine product registration has inadvertently exposed a significant number of devices. This situation highlights a classic cybersecurity dilemma where usability enhancements, if not implemented with stringent security-first principles, can introduce unforeseen and critical risks to the network infrastructure they are meant to protect.
The Hidden Danger in Default Settings
The widespread vulnerability stems from a subtle but impactful detail in Fortinet’s device onboarding process. While the FortiCloud SSO feature is inactive on a factory-default device, it is automatically switched on during the FortiCare registration—a standard step for any organization seeking support and updates. This automatic change in configuration means that many network administrators may be entirely unaware that their devices are configured in a vulnerable state. They might reasonably assume that unless they have intentionally configured SSO, the feature remains off. This discrepancy between expectation and reality is what threat actors are capitalizing on. Security experts universally condemn this “opt-out” approach for a sensitive feature, arguing that it violates the principle of “secure by default.” By placing the onus on administrators to manually disable a feature they may not even know is active, the vendor has inadvertently created a fertile ground for opportunistic attacks, leaving a trail of exposed networks that could have been protected by a more conservative default configuration.
Response and Mitigation Strategies
From Detection to Data Exfiltration
The first signs of active exploitation were observed by cybersecurity firm Arctic Wolf on December 12, 2025, when analysts detected a pattern of malicious SSO logins. These attempts specifically targeted the “admin” account and originated from a consolidated set of IP addresses linked to various hosting providers, indicating a coordinated campaign rather than isolated incidents. Upon successfully gaining unauthorized access, the attackers’ immediate objective is to exfiltrate the device’s complete configuration file. This file is a treasure trove of sensitive information, including network topology, firewall rules, and, most critically, hashed credentials for all local user accounts. The exfiltration of this data creates a severe secondary threat. With the configuration file in hand, attackers can perform offline brute-force or dictionary attacks to crack the password hashes. If any of the accounts, particularly administrative ones, use weak or common passwords, the attackers can quickly recover the plaintext credentials, enabling them to deepen their foothold, move laterally across the network, and potentially access other critical systems.
A Mandate for Urgent Action
The gravity of the threat was formally acknowledged when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took decisive action. On December 16, 2025, CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog, a move that underscores the active and widespread nature of the attacks. This listing came with a strict directive, mandating that all Federal Civilian Executive Branch agencies apply the necessary security updates by December 23, 2025. This rapid timeline highlighted the critical need for immediate remediation across both public and private sectors. In response to these developments, organizations were urged to adopt a multi-layered defense strategy. The primary and most crucial step was the immediate application of security patches released by Fortinet for all affected products, including FortiOS, FortiWeb, and FortiProxy. As an interim mitigation for those unable to patch immediately, administrators were strongly advised to disable the FortiCloud SSO feature and harden their defenses by restricting access to management interfaces to a limited set of trusted internal IP addresses. For any organization that found evidence of compromise, the incident response plan required them to assume a full breach and initiate the process of resetting all hashed credentials contained within the stolen configuration files.