Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
FortiGate Vulnerability Exploited: Update Now to Prevent SSO Attacks

16 December 2025 06:51

Threat actors began actively exploiting the high-severity vulnerabilities shortly after the vendor disclosed them, using them to bypass authentication on FortiGate devices.

A recent report from Arctic Wolf reveals that, as of December 12, 2025, these vulnerabilities are being exploited by attackers to gain administrator access through Single Sign-On (SSO) and steal sensitive system configurations.

The vulnerabilities CVE-2025-59718 and CVE-2025-59719, with a critical CVSS score of 9.1, are being targeted in attacks. Without a key, an unauthenticated attacker can walk in through the front door: the vulnerabilities allow SSO protections to be bypassed using spoofed SAML messages.

Arctic Wolf researchers noted: “However, when administrators enroll devices using FortiCare via the GUI, FortiCloud SSO is enabled upon enrollment unless the ‘Allow administrative access via FortiCloud SSO’ setting is disabled on the enrollment page.”

The intrusion attempts observed by Arctic Wolf follow a specific pattern: the attackers originate from a handful of hosting providers, including The Constant Company LLC, Bl Networks, and Kaopu Cloud Hk Limited, and directly target the administrator account.

| IOC | Hosting Provider |
|---|---|
| 45.32.153[.]218 | The Constant Company LLC |
| 167.179.76[.]111 | The Constant Company LLC |
| 199.247.7[.]82 | The Constant Company LLC |
| 45.61.136[.]7 | Bl Networks |
| 38.54.88[.]203 | Kaopu Cloud Hk Limited |
| 38.54.95[.]226 | Kaopu Cloud Hk Limited |
| 38.60.212[.]97 | Kaopu Cloud Hk Limited |

Once inside, the attackers immediately turned to data theft. Arctic Wolf writes: “Following malicious SSO logins, configurations were exported to the same IP addresses via the graphical user interface.” This exfiltration is catastrophic because firewall configurations often contain hashed credentials for VPN users and other local accounts.
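The two observations above (admin SSO logins from the listed IPs, followed by a configuration export to the same IP through the GUI) describe a sequence a defender can hunt for in FortiGate event logs. The script below is an added example written for this article, not code from Arctic Wolf or Fortinet: it refangs the published IOC list, parses key=value event lines, and flags an SSO admin login from an IOC address as medium severity, escalating to high when a config export from the same address follows it. The sample log lines, and the `method="sso"` / `action="config-backup"` field values they use, are constructed for illustration; map them to the field names your FortiOS version actually emits before using this against real logs.

```python
"""Hunt FortiGate-style event logs for the SSO-login-then-config-export pattern.

Added example for this article; the IOC list is the one published above,
the log format and field values are constructed approximations of FortiOS
key=value event logs and are NOT guaranteed to match a real device.
"""
import re

# IOC list exactly as published in the article (defanged with [.]).
DEFANGED_IOCS = [
    "45.32.153[.]218", "167.179.76[.]111", "199.247.7[.]82",
    "45.61.136[.]7", "38.54.88[.]203", "38.54.95[.]226", "38.60.212[.]97",
]


def refang(ioc: str) -> str:
    """Convert a defanged IOC ('1.2.3[.]4') back to a matchable address."""
    return ioc.replace("[.]", ".")


IOC_IPS = frozenset(refang(i) for i in DEFANGED_IOCS)

# key=value or key="quoted value" pairs, the layout FortiOS event logs use.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {k: (q or b) for k, q, b in _KV.findall(line)}


def find_ioc_activity(lines):
    """Return a list of (severity, srcip, description) findings.

    'high'   : SSO admin login from an IOC IP followed by a config export
               from the same IP (the Arctic Wolf pattern).
    'medium' : SSO admin login from an IOC IP with no export seen yet.
    """
    logged_in = {}   # srcip -> user that logged in via SSO
    findings = []
    for line in lines:
        ev = parse_line(line)
        src = ev.get("srcip")
        if src not in IOC_IPS:
            continue   # only IOC sources are interesting here
        if (ev.get("action") == "login" and ev.get("method") == "sso"
                and ev.get("status") == "success"):
            logged_in[src] = ev.get("user", "?")
        elif ev.get("action") == "config-backup" and src in logged_in:
            findings.append(("high", src,
                             f"config export after SSO login as {logged_in[src]}"))
            del logged_in[src]
    for src, user in logged_in.items():
        findings.append(("medium", src, f"SSO admin login as {user}, no export seen"))
    return findings


# Constructed sample lines (not real device output): one full login->export
# sequence from an IOC IP, one lone IOC login, one benign local admin login.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 type="event" subtype="system" action="login" '
    'method="sso" user="admin" srcip=45.32.153.218 status="success"',
    'date=2025-12-12 time=03:15:22 type="event" subtype="system" action="config-backup" '
    'user="admin" srcip=45.32.153.218 status="success"',
    'date=2025-12-12 time=08:00:00 type="event" subtype="system" action="login" '
    'method="sso" user="admin" srcip=38.54.88.203 status="success"',
    'date=2025-12-12 time=09:30:00 type="event" subtype="system" action="login" '
    'method="https" user="admin" srcip=10.0.0.5 status="success"',
]

if __name__ == "__main__":
    for sev, src, desc in find_ioc_activity(SAMPLE_LOGS):
        print(f"[{sev.upper()}] {src}: {desc}")
```

On the sample input this reports a high-severity finding for 45.32.153.218 and a medium one for 38.54.88.203. A high finding means the exported configuration, and every hashed VPN or local credential inside it, should be treated as exposed; an IOC-only match is a starting point for review, since IOC lists age quickly and the attackers may move to other hosting providers.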

Administrators are advised to immediately update to the latest patched versions (for example, FortiOS 7.6.4, 7.4.9, 7.2.12, or 7.0.18). For those unable to apply the patch immediately, there is a crucial workaround. You can disable the vulnerable functionality via the command line interface (CLI):


Agostino Pellegrino
He is a freelancer, teacher and expert in Computer Forensics, Cyber Security, Ethical Hacking and Network Management. He has collaborated with leading educational institutions internationally and has taught and mentored advanced Offensive Security techniques for NATO, obtaining major awards from the U.S. Government. His motto is "Study. Always."
Areas of Expertise: Incident Response, Malware Analysis, Penetration Testing, Red Teaming