Threat Insight
Actively Exploited Authentication Bypass Vulnerabilities in FortiGate SSO
Two critical vulnerabilities were recently disclosed by Fortinet[1].
These vulnerabilities allow an unauthenticated bypass of SSO login authentication using crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices[2].
Fortinet has stated in their latest advisory[1] that FortiCloud SSO login is disabled by default in factory settings. However, according to Arctic Wolf[2], when administrators register devices using FortiCare through the GUI, FortiCloud SSO is enabled upon registration unless the “Allow administrative login using FortiCloud SSO” setting is disabled on the registration page.
CVE
CVE-2025-59718
CVE-2025-59719
Affected Products
FortiOS 7.6
FortiOS 7.4
FortiOS 7.2
FortiOS 7.0
FortiProxy 7.6
FortiProxy 7.4
FortiProxy 7.2
FortiProxy 7.0
FortiSwitchManager 7.2
FortiSwitchManager 7.0
FortiWeb 8.0
FortiWeb 7.6
FortiWeb 7.4
Exploitation
According to Arctic Wolf, these vulnerabilities have been exploited in the wild[2].
Recommended Actions
If you have seen any malicious logins similar to the example log under “Detection”, Truesec recommends resetting firewall credentials and initiating an investigation to understand the full extent of the compromise. Furthermore, it is highly recommended that access to management interfaces on Fortinet devices is limited to trusted IP addresses.
Lastly, Truesec recommends upgrading to the latest fixed version, see table below.
List of affected products, vulnerable versions and fixed versions:
Product – Vulnerable versions – Fixed version
FortiOS 7.6 – 7.6.0 through 7.6.3 – Upgrade to 7.6.4 or above
FortiOS 7.4 – 7.4.0 through 7.4.8 – Upgrade to 7.4.9 or above
FortiOS 7.2 – 7.2.0 through 7.2.11 – Upgrade to 7.2.12 or above
FortiOS 7.0 – 7.0.0 through 7.0.17 – Upgrade to 7.0.18 or above
FortiOS 6.4 – Not affected – Not Applicable
FortiProxy 7.6 – 7.6.0 through 7.6.3 – Upgrade to 7.6.4 or above
FortiProxy 7.4 – 7.4.0 through 7.4.10 – Upgrade to 7.4.11 or above
FortiProxy 7.2 – 7.2.0 through 7.2.14 – Upgrade to 7.2.15 or above
FortiProxy 7.0 – 7.0.0 through 7.0.21 – Upgrade to 7.0.22 or above
FortiSwitchManager 7.2 – 7.2.0 through 7.2.6 – Upgrade to 7.2.7 or above
FortiSwitchManager 7.0 – 7.0.0 through 7.0.5 – Upgrade to 7.0.6 or above
FortiWeb 8.0 – 8.0.0 – Upgrade to 8.0.1 or above
FortiWeb 7.6 – 7.6.0 through 7.6.4 – Upgrade to 7.6.5 or above
FortiWeb 7.4 – 7.4.0 through 7.4.9 – Upgrade to 7.4.10 or above
FortiWeb 7.2 – Not affected – Not Applicable
FortiWeb 7.0 – Not affected – Not Applicable
Detection
Malicious logins were typically against the admin account, as shown in the example log line below[2]:
date=2025-12-12 time=REDACTED devname=REDACTED devid=REDACTED eventtime=REDACTED tz=REDACTED logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn=REDACTED user="admin" ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 dstip=REDACTED action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from sso(199.247.7[.]82)"
Following malicious SSO logins, configurations were exported to the same IP addresses via the GUI interface[2]:
date=2025-12-12 time=REDACTED devname=REDACTED devid=REDACTED eventtime=REDACTED tz=REDACTED logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" ui="GUI(199.247.7[.]82)" action="download" status="success" msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"
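The following is an added detection example, not code from Truesec or Arctic Wolf: it parses FortiOS key=value event logs, flags successful admin logins via method="sso" from IPs outside an assumed trusted allowlist (logid 0100032001), and then flags any GUI config download (logid 0100032095) coming from an IP that logged in that way. The sample lines and the allowlist are constructed, modelled on the two log lines above, with the IP kept defanged as in the source.

```python
import re

# Constructed sample lines modelled on the two log lines quoted above; the
# redacted fields are shortened and the IP stays defanged as in the source.
SAMPLE_LOGS = [
    'date=2025-12-12 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="sso(199.247.7[.]82)" '
    'method="sso" srcip=199.247.7[.]82 action="login" status="success" profile="super_admin"',
    'date=2025-12-12 logid="0100032095" type="event" subtype="system" '
    'logdesc="Admin performed an action from GUI" user="admin" ui="GUI(199.247.7[.]82)" '
    'action="download" status="success" msg="System config file has been downloaded"',
    # A benign local-console login (constructed) that must not be flagged.
    'date=2025-12-12 logid="0100032001" user="admin" ui="console" method="console" '
    'action="login" status="success"',
]

# Assumed allowlist of source IPs that legitimately log in via FortiCloud SSO (constructed).
TRUSTED_SSO_IPS = {"203.0.113.10"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value with spaces"
UI_RE = re.compile(r'^(\w+)\((.+)\)$')        # ui="sso(1.2.3.4)" / ui="GUI(1.2.3.4)"

def parse_fortios_log(line):
    """Split a FortiOS key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def ui_ip(fields):
    """Return the source IP embedded in the ui= field, refanging '[.]' to '.'."""
    m = UI_RE.match(fields.get("ui", ""))
    return m.group(2).replace("[.]", ".") if m else None

def find_suspicious_sso_activity(lines, trusted_ips=TRUSTED_SSO_IPS):
    """Flag successful admin SSO logins from untrusted IPs (logid 0100032001) and any
    later GUI config download (logid 0100032095) from an IP that logged in that way."""
    sso_ips, findings = set(), []
    for line in lines:
        f = parse_fortios_log(line)
        ip = ui_ip(f)
        if ip is None:          # console/serial logins carry no IP in ui=
            continue
        is_login = f.get("logid") == "0100032001" and f.get("status") == "success"
        if is_login and f.get("method") == "sso" and ip not in trusted_ips:
            sso_ips.add(ip)
            findings.append(("sso_login_from_untrusted_ip", f.get("user"), ip))
        elif f.get("logid") == "0100032095" and f.get("action") == "download" and ip in sso_ips:
            findings.append(("config_download_after_sso_login", f.get("user"), ip))
    return findings
```

Feed the function your exported event log lines in chronological order; the first finding type is the alert to act on, the second indicates the configuration (including credential hashes and VPN settings) has likely been exfiltrated.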
References
[1] https://fortiguard.fortinet.com/psirt/FG-IR-25-647
[2] https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/