Fortinet firewalls under active attack, users urged to update now


Threat actors have begun actively exploiting two critical vulnerabilities in a popular firewall device, Fortinet FortiGate, just days after they were publicly disclosed.


On December 12th, cybersecurity firm Arctic Wolf identified an attack targeting FortiGate appliances with malicious single sign-on (SSO) logins.


In the observed attacks, the intruders used IP addresses tied to a small group of hosting providers, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited, to perform malicious SSO logins targeting the “admin” account.

After gaining access, attackers exported full device configurations through the FortiGate graphical interface, sending the data back to the same IP addresses.

The attacks exploit two authentication bypass vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, both rated critical with a CVSS score of 9.8.


The flaws affect multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, all of which have recently received patches.

The US Cybersecurity and Infrastructure Security Agency (CISA) responded by adding CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16th.

Federal Civilian Executive Branch agencies have instructed organizations to apply patches by December 23rd, 2025.

Attackers target credentials


Attackers use specially crafted Security Assertion Markup Language (SAML) messages to bypass single sign-on protections and log in without credentials when FortiCloud SSO is enabled.

While FortiCloud SSO is disabled by default, Arctic Wolf noted that the feature is automatically enabled during FortiCare registration unless administrators explicitly disable the option labeled “Allow administrative login using FortiCloud SSO.”

This means many organizations may be exposed without realizing it.

Even though credentials stored in Fortinet device configurations are typically hashed, Arctic Wolf cautioned that attackers frequently crack hashes offline, particularly when passwords are weak or reused.


“Threat actors are known to crack hashes offline, especially if credentials are weak and susceptible to dictionary attacks,” the company warned.

Threat actors frequently target firewall and VPN management interfaces for mass exploitation, often using specialized search engines to identify exposed or misconfigured devices.

Arctic Wolf noted that it has observed multiple campaigns over the past several years abusing the management interfaces of firewall and VPN platforms.

As a best practice, organizations should restrict access to these interfaces to trusted internal networks, which reduces the attack surface. Users are also urged to update the software and change all passwords.
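The attack pattern described above (a successful SSO login to the “admin” account followed by a configuration export back to the same source IP) and the advice to limit management access to trusted networks can both be turned into a simple log check. The following script is an added example, not code from the article or from Arctic Wolf or Fortinet: the key=value log lines, field names and trusted network ranges are constructed assumptions, so map them to your own device's event log schema before use.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample events in a FortiOS-like key=value style; the field names
# (action, method, srcip, ...) are assumptions, not a documented schema.
SAMPLE_LOGS = """\
date=2025-12-12 time=03:14:05 type=event action=login status=success user=admin method=sso srcip=203.0.113.10
date=2025-12-12 time=03:14:40 type=event action=backup status=success user=admin srcip=203.0.113.10 msg="Configuration backup"
date=2025-12-12 time=09:01:12 type=event action=login status=success user=admin method=local srcip=10.0.0.5
date=2025-12-12 time=09:05:00 type=event action=backup status=success user=admin srcip=10.0.0.5 msg="Configuration backup"
date=2025-12-12 time=11:22:03 type=event action=login status=success user=admin method=sso srcip=10.0.0.7
"""

# Assumed management networks; everything else is treated as untrusted.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_trusted(ip, trusted_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_networks)

def find_suspicious(log_text, trusted_networks, window=timedelta(minutes=30)):
    """Return (srcip, reason) tuples for admin SSO logins from untrusted
    networks and for config exports that follow an admin SSO login."""
    findings = []
    sso_logins = {}  # srcip -> timestamp of the last successful admin SSO login
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("status") != "success" or ev.get("user") != "admin":
            continue
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        src = ev["srcip"]
        if ev.get("action") == "login" and ev.get("method") == "sso":
            sso_logins[src] = ts
            if not is_trusted(src, trusted_networks):
                findings.append((src, "admin SSO login from untrusted network"))
        elif ev.get("action") == "backup":
            last = sso_logins.get(src)
            if last is not None and ts - last <= window:
                findings.append((src, "config export shortly after admin SSO login"))
    return findings
```

Run against the sample above, the script flags only the 203.0.113.10 session; the local-auth backup from 10.0.0.5 and the SSO login from inside the trusted range produce no findings.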
