Fortinet FortiCloud SSO Vulnerabilities Actively Exploited to Hijack Admin Accounts and Steal Network Configurations

Listen to this Post

Featured Image

Introduction: A Silent Door Opens in Enterprise Firewalls

Fortinet products sit at the heart of thousands of enterprise networks, trusted to enforce boundaries, protect traffic, and manage access. That trust is now under pressure. Newly disclosed critical vulnerabilities in Fortinet’s FortiCloud Single Sign-On (SSO) implementation are being actively exploited in the wild, allowing attackers to bypass authentication, seize administrator privileges, and quietly extract highly sensitive configuration data. What makes this incident particularly alarming is not only the severity of the flaws, but how seamlessly they blend into normal administrative workflows, leaving many organizations exposed without realizing it.

Overview of the Security Incident

Hackers are exploiting two critical-severity vulnerabilities affecting several Fortinet products to gain unauthorized administrative access and steal system configuration files. These attacks are no longer theoretical; they are happening now and have been observed across multiple real-world environments.

Vulnerability Identification and Disclosure Timeline

The vulnerabilities are tracked as CVE-2025-59718 and CVE-2025-59719. Fortinet publicly warned customers about the risks on December 9, highlighting the possibility of active exploitation if systems remained unpatched or misconfigured.

CVE-2025-59718: FortiCloud SSO Authentication Bypass

This vulnerability affects FortiOS, FortiProxy, and FortiSwitchManager. It stems from improper verification of cryptographic signatures within SAML authentication messages. By submitting a maliciously crafted SAML assertion, an attacker can authenticate without valid credentials, effectively bypassing identity verification entirely.

CVE-2025-59719: FortiWeb Administrative Access Flaw

The second flaw impacts FortiWeb and arises from a nearly identical weakness in SAML signature validation. This allows attackers to forge FortiCloud SSO logins and gain unauthenticated administrative access to FortiWeb instances.

Conditional Exploitability Masks the Risk

Both vulnerabilities require FortiCloud SSO to be enabled. While this feature is not enabled by default, it is automatically activated when administrators register devices through the FortiCare user interface—often without a second thought. As a result, many environments unknowingly meet the exploitation conditions.

Active Exploitation Confirmed in the Wild

Cybersecurity researchers at Arctic Wolf observed active exploitation beginning on December 12. The attacks originated from IP addresses associated with hosting providers such as The Constant Company, BL Networks, and Kaopu Cloud HK, suggesting organized infrastructure rather than opportunistic scanning.

Targeting High-Privilege Accounts

Attackers focused specifically on administrative accounts, using malicious SSO logins to impersonate legitimate administrators. Logs reviewed by Arctic Wolf show successful authentication events that bypassed standard credential checks entirely.

Post-Compromise Activity: Configuration Theft

Once inside, attackers accessed the web-based management interface and downloaded full system configuration files. This step marks a shift from simple proof-of-concept exploitation to deliberate intelligence gathering.

Why Configuration Files Are a Goldmine

Firewall and appliance configuration files reveal detailed network layouts, internet-facing services, firewall rules, routing tables, VPN settings, and sometimes hashed administrator passwords. Weak hashes can often be cracked, enabling further lateral movement.

Evidence of Strategic Malicious Intent

The deliberate exfiltration of configuration files strongly suggests these attacks are not conducted by security researchers or casual scanners. Instead, they appear to support future targeted intrusions, espionage, or large-scale network compromises.

Affected Products and Versions

Most versions of Fortinet products are impacted, with the notable exceptions of FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2, which are not vulnerable to these specific flaws.

Immediate Mitigation Guidance

Fortinet advises administrators running vulnerable versions to temporarily disable FortiCloud SSO until upgrades can be completed. This significantly reduces exposure by removing the attack vector entirely.

How to Disable FortiCloud SSO

Administrators can disable the feature via:

System → Settings → “Allow administrative login using FortiCloud SSO” = Off

Patched Versions Recommended by Fortinet

To fully address the vulnerabilities, organizations should upgrade to secure versions, including:

FortiOS: 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+

FortiProxy: 7.6.4+, 7.4.11+, 7.2.15+, 7.0.22+

FortiSwitchManager: 7.2.7+, 7.0.6+

FortiWeb: 8.0.1+, 7.6.5+, 7.4.10+

Post-Incident Response Recommendations

If any signs of compromise are detected, Fortinet and Arctic Wolf recommend rotating all firewall credentials immediately and restricting management access to trusted internal networks only.

What Undercode Say:

A Familiar Pattern in Enterprise Security Failures

This incident reflects a recurring theme in enterprise cybersecurity: identity systems are increasingly the weakest link. While Fortinet appliances are designed as security enforcers, they still rely on complex authentication mechanisms that, when flawed, undermine the entire trust model.

SAML as a High-Value Attack Surface

SAML-based SSO is powerful but notoriously fragile. A single mistake in signature validation effectively nullifies authentication. These vulnerabilities demonstrate how cryptographic missteps can silently convert convenience features into attack highways.

The Danger of “Optional” Features

FortiCloud SSO being “non-default” offers little comfort when it becomes enabled automatically during device registration. This highlights a dangerous design philosophy where convenience outweighs secure-by-default principles.

Configuration Theft Signals Long-Term Strategy

Attackers extracting configuration files are not looking for quick wins. They are mapping networks, identifying choke points, and planning follow-up attacks. This is reconnaissance for deeper, more damaging operations.

Supply Chain Trust Under Pressure

Organizations trust vendors like Fortinet to secure critical infrastructure. When authentication bypasses appear in core products, that trust erodes—especially when exploitation follows disclosure within days.

Hosting Providers as Attack Launchpads

The use of mainstream hosting providers suggests attackers value scalability and anonymity. This also complicates blocking efforts, as IP-based defenses risk disrupting legitimate traffic.

Admin Interfaces Remain Prime Targets

Despite years of warnings, administrative interfaces remain exposed, internet-accessible, and insufficiently segmented. This incident reinforces the need to isolate management planes aggressively.

Logging Alone Is Not Enough

Even though malicious SSO logins appeared in logs, many organizations lack the monitoring maturity to detect them in real time. Identity-aware anomaly detection is becoming non-negotiable.

Patch Speed as a Security Metric

The short window between disclosure and exploitation shows how patch latency directly translates into risk. Organizations that delay updates are effectively accepting intrusion as a possibility.

Lessons for Identity and Access Management

This breach aligns with a broader industry problem: fragmented IAM strategies. Without centralized visibility and strict privilege controls, a single bypass can unravel an entire security architecture.

Fact Checker Results

Vulnerability Details Accuracy

✅ CVE identifiers, affected products, and technical root causes align with Fortinet advisories.

Exploitation Claims Verification

✅ Arctic Wolf’s observations confirm active exploitation beginning December 12.

Mitigation and Patch Guidance

❌ Effectiveness depends on timely implementation; delayed upgrades remain a critical risk.

Prediction

Increased Targeting of Network Appliances

🔮 Attackers will continue focusing on firewalls and edge devices due to their privileged network position.

Stricter Defaults from Vendors

🔮 Vendors will face growing pressure to disable cloud-based admin access features by default.

Faster Weaponization of Disclosures

🔮 The gap between vulnerability disclosure and exploitation will shrink even further, forcing organizations to rethink patch timelines.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon