FortiGate Vulnerability Exploited: Update Now to Prevent SSO Attacks
Redazione RHC: 16 December 2025 06:51

Threat actors began actively exploiting two high-severity vulnerabilities to bypass authentication on FortiGate devices shortly after the vendor disclosed them.

A recent report from Arctic Wolf reveals that, as of December 12, 2025, these vulnerabilities are being exploited by attackers to gain administrator access through Single Sign-On (SSO) and steal sensitive system configurations.

The vulnerabilities under attack are CVE-2025-59718 and CVE-2025-59719, both rated critical with a CVSS score of 9.1. They allow an unauthenticated attacker to bypass SSO protections with spoofed SAML messages, in effect walking in through the front door without a key.

Arctic Wolf researchers noted: “However, when administrators enroll devices using FortiCare via the GUI, FortiCloud SSO is enabled upon enrollment unless the ‘Allow administrative access via FortiCloud SSO’ setting is disabled on the enrollment page.”

The intrusion attempts observed by Arctic Wolf follow a consistent pattern: the connections originate from a handful of hosting providers, including The Constant Company LLC, Bl Networks, and Kaopu Cloud Hk Limited, and directly target the administrator account.

Once inside, the attackers immediately turned to data theft. “Following malicious SSO logins, configurations were exported to the same IP addresses via the graphical user interface.” This exfiltration is catastrophic because firewall configurations often contain hashed credentials for VPN users and other local accounts.
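The two-step pattern just described, an SSO administrator login from an unexpected source followed by a configuration export from the same address, can be turned into a simple log check. The Python below is an added example, not code from this article or from Arctic Wolf. Its FortiOS-style key=value event lines are constructed, the field names (logdesc, method, action, srcip) are assumed for illustration rather than taken from a verified schema, the allowlist is hypothetical, and the two external addresses are taken from the Arctic Wolf indicators.

```python
import re

# Constructed sample FortiOS-style key=value event lines (not real captures).
# Field names such as logdesc/method/action/srcip are assumptions for illustration.
SAMPLE_LOGS = """\
date=2025-12-12 time=09:58:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.0.25 method="https" action="login" status="success"
date=2025-12-12 time=10:15:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=45.32.153.218 method="sso" action="login" status="success"
date=2025-12-12 time=10:15:40 type="event" subtype="system" logdesc="Configuration backup" user="admin" srcip=45.32.153.218 action="backup" status="success"
date=2025-12-12 time=11:02:19 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=38.54.88.203 method="sso" action="login" status="success"
"""

# Hypothetical allowlist of addresses from which admin logins are expected.
TRUSTED_ADMIN_SOURCES = {"10.0.0.25"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value event line into a dict, stripping quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_suspicious_sso_activity(log_text, trusted=TRUSTED_ADMIN_SOURCES):
    """Return (finding, user, srcip, time) tuples for two conditions:
    an SSO admin login from outside the allowlist, and a configuration
    backup/export issued by a source that previously logged in via SSO."""
    sso_sources = set()
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        src = ev.get("srcip", "")
        is_login = ev.get("action") == "login" and ev.get("status") == "success"
        if is_login and ev.get("method") == "sso":
            sso_sources.add(src)
            if src not in trusted:
                findings.append(("sso_login_untrusted_source", ev.get("user"), src, ev.get("time")))
        elif ev.get("action") == "backup" and src in sso_sources and src not in trusted:
            findings.append(("config_export_after_sso", ev.get("user"), src, ev.get("time")))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sso_activity(SAMPLE_LOGS):
        print(*finding)
```

Run against real exported event logs, the same two checks give an analyst a quick triage list of SSO admin logins and follow-on configuration exports that deserve a look.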

Administrators are advised to immediately update to the latest patched versions (for example, FortiOS 7.6.4, 7.4.9, 7.2.12, or 7.0.18). For those unable to apply the patch immediately, there is a crucial workaround. You can disable the vulnerable functionality via the command line interface (CLI):
