Fortinet FortiGate devices have two recently disclosed critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) that enable unauthenticated attackers to bypass SAML-based single sign-on (SSO) authentication. These vulnerabilities specifically affect devices with the FortiCloud SSO feature enabled, which is automatically activated during FortiCare registration unless explicitly disabled by administrators. Exploitation involves sending specially crafted SAML messages that circumvent the authentication process, granting attackers administrative access without valid credentials. Arctic Wolf Labs observed active exploitation starting December 12, 2025, with attackers performing malicious SSO logins targeting the 'admin' account. Post-compromise, attackers export device configurations via the GUI to external IP addresses linked to certain hosting providers. These configurations may contain hashed credentials, which attackers can attempt to crack offline, especially if weak passwords are used. Fortinet has released patches for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager to address these flaws. However, the default enablement of FortiCloud SSO during registration increases the attack surface. The vulnerabilities have a CVSS score of 9.8, indicating critical severity. The attack requires no authentication or user interaction, making it highly exploitable. The threat compromises device confidentiality and integrity, potentially allowing attackers to control network security appliances, manipulate firewall rules, and exfiltrate sensitive configuration data. This can lead to broader network compromise and persistent access.

For European organizations, the impact is severe. Fortinet FortiGate devices are widely deployed across enterprises, government agencies, and critical infrastructure sectors in Europe for firewalling, VPN, and network security management. Successful exploitation can lead to unauthorized administrative access, enabling attackers to alter firewall policies, intercept or redirect network traffic, and exfiltrate sensitive configuration data including hashed credentials. This undermines network perimeter defenses and can facilitate lateral movement, data breaches, and disruption of services. Given the critical role of FortiGate appliances in securing corporate and governmental networks, exploitation could compromise confidentiality, integrity, and availability of network resources. The threat is especially concerning for sectors with stringent regulatory requirements such as finance, healthcare, and public administration. Additionally, the ease of exploitation and active attacks increase the likelihood of widespread compromise if mitigations are not promptly applied.

1. Immediately apply the official patches released by Fortinet for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager to remediate the vulnerabilities. 2. Disable the FortiCloud SSO feature on all FortiGate devices until patches are confirmed applied, as this feature is the attack vector. 3. Restrict access to management interfaces (firewalls, VPNs) to trusted internal IP addresses only, using network segmentation and access control lists. 4. Monitor firewall logs for unusual SSO login attempts, especially from IP addresses associated with known hosting providers used in attacks. 5. Conduct thorough audits of device configurations for signs of unauthorized export or modification. 6. Reset all firewall credentials and hashes if compromise is suspected, using strong, complex passwords resistant to dictionary attacks. 7. Implement multi-factor authentication (MFA) for administrative access where possible, even if SSO is used. 8. Educate administrators on the risks of default FortiCloud SSO enablement and enforce explicit configuration reviews during device registration. 9. Employ network intrusion detection systems (NIDS) tuned to detect anomalous SAML traffic patterns. 10. Maintain an incident response plan to quickly isolate and remediate affected devices upon detection of compromise.