The SSO Trap: How a “Default” Feature is Granting Attackers Admin Access to FortiGate Devices
Arctic Wolf reports the first confirmed intrusions into customer networks in which attackers logged into FortiGate devices via FortiCloud SSO, beginning shortly after Fortinet disclosed two critical authentication-bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719. According to the company, the suspicious activity started on December 12, 2025, three days after Fortinet published its advisories on December 9.
Both vulnerabilities allow an unauthenticated attacker to bypass SSO authentication with specially crafted SAML messages, provided that FortiCloud SSO is enabled on the device. Multiple Fortinet product lines are affected, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Fortinet describes FortiCloud SSO login as disabled by default; in practice, however, registering a device through FortiCare enables it automatically unless the administrator explicitly clears the option Allow administrative login using FortiCloud SSO during registration, so a registered device may have the feature turned on without anyone having chosen it.
In the incidents observed, Arctic Wolf notes that the malicious SSO logins to FortiGate originated from a small set of hosting providers. Log data indicates that attackers typically authenticated as the admin user via SSO and then exported the device configuration through the web interface to specific IP addresses, an action recorded in events such as "System config file has been downloaded by user admin via GUI".
In its guidance, Arctic Wolf emphasizes that any configuration files exfiltrated by attackers must be considered compromised. Although passwords in network device configurations are typically hashed, adversaries frequently attempt offline cracking—especially when passwords are weak and susceptible to dictionary attacks. The firm also recommends restricting access to firewall and VPN management interfaces to trusted internal networks only, as large-scale exploitation campaigns often rely on discovering exposed devices through specialized search engines.
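The two observations above (SSO logins as admin from hosting-provider address space, followed within minutes by a configuration export) translate directly into detection logic. The following script is an added example, not code from Arctic Wolf or Fortinet: it parses constructed FortiOS-style key=value log lines (the field names date, time, user, srcip, method and msg are assumed for illustration; only the config-download message text is taken from the article), flags SSO logins whose source falls outside an assumed trusted management network, and correlates an SSO login with a later config export by the same user from the same source.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample events in FortiOS-style key=value log syntax. The field
# names (date, time, user, srcip, method, msg) are assumed for illustration;
# the config-download message text is the one quoted in the article.
SAMPLE_LOGS = [
    'date=2025-12-12 time=09:58:10 user="admin" srcip=198.51.100.7 method="https" '
    'msg="Administrator admin logged in successfully"',
    'date=2025-12-12 time=10:14:03 user="admin" srcip=203.0.113.10 method="sso" '
    'msg="Administrator admin logged in successfully via FortiCloud SSO"',
    'date=2025-12-12 time=10:15:41 user="admin" srcip=203.0.113.10 method="https" '
    'msg="System config file has been downloaded by user admin via GUI"',
    'date=2025-12-12 time=11:02:00 user="ops" srcip=192.0.2.25 method="sso" '
    'msg="Administrator ops logged in successfully via FortiCloud SSO"',
]

# Assumed trusted management networks (constructed for the example); an SSO
# admin login from anywhere else is worth an alert on its own.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def is_sso_login(ev):
    return ev.get("method") == "sso" and "logged in successfully" in ev.get("msg", "")


def is_config_download(ev):
    return "System config file has been downloaded" in ev.get("msg", "")


def untrusted_sso_logins(lines, trusted=TRUSTED_NETS):
    """Return (user, srcip) for every SSO login not sourced from a trusted network."""
    hits = []
    for ev in map(parse_event, lines):
        if is_sso_login(ev):
            src = ipaddress.ip_address(ev["srcip"])
            if not any(src in net for net in trusted):
                hits.append((ev["user"], ev["srcip"]))
    return hits


def sso_login_then_config_export(lines, window=timedelta(hours=1)):
    """Correlate an SSO login with a later config export by the same user and source."""
    events = sorted(map(parse_event, lines), key=lambda e: e["ts"])
    recent_logins = []
    findings = []
    for ev in events:
        if is_sso_login(ev):
            recent_logins.append(ev)
        elif is_config_download(ev):
            for login in recent_logins:
                delta = ev["ts"] - login["ts"]
                if (login["user"] == ev["user"] and login["srcip"] == ev["srcip"]
                        and timedelta(0) <= delta <= window):
                    findings.append({
                        "user": ev["user"],
                        "srcip": ev["srcip"],
                        "sso_login": login["ts"].isoformat(),
                        "config_export": ev["ts"].isoformat(),
                        "seconds_after_login": int(delta.total_seconds()),
                    })
    return findings


if __name__ == "__main__":
    for f in sso_login_then_config_export(SAMPLE_LOGS):
        print(f"ALERT: config exported {f['seconds_after_login']}s after SSO login: {f}")
    for user, ip in untrusted_sso_logins(SAMPLE_LOGS):
        print(f"WARN: SSO login by {user} from untrusted source {ip}")
```

On the sample data the correlation fires once (admin, 203.0.113.10, export 98 seconds after the SSO login), and the same source is also flagged as untrusted; the ops login from the trusted range produces nothing. Against real exports, feed the script the device's event log and replace the trusted ranges with your own management networks.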
Specific remediation versions are provided. For FortiOS 7.6, versions 7.6.0–7.6.3 are vulnerable (fixed in 7.6.4+); for 7.4, versions 7.4.0–7.4.8 (fixed in 7.4.9+); for 7.2, versions 7.2.0–7.2.11 (fixed in 7.2.12+); and for 7.0, versions 7.0.0–7.0.17 (fixed in 7.0.18+). Similar ranges are listed for FortiProxy (7.6.0–7.6.3 → 7.6.4+, 7.4.0–7.4.10 → 7.4.11+, 7.2.0–7.2.14 → 7.2.15+, 7.0.0–7.0.21 → 7.0.22+), FortiSwitchManager (7.2.0–7.2.6 → 7.2.7+, 7.0.0–7.0.5 → 7.0.6+), and FortiWeb (8.0.0 → 8.0.1+, 7.6.0–7.6.4 → 7.6.5+, 7.4.0–7.4.9 → 7.4.10+). Fortinet further clarifies that FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2 are not affected.
As a temporary mitigation, Fortinet advises disabling FortiCloud login if it is enabled until devices can be updated to a secure version. This can be done via System → Settings by switching Allow administrative login using FortiCloud SSO to Off, or by issuing the following CLI commands:
config system global
set admin-forticloud-sso-login disable
end
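To turn the version table and the mitigation above into a single triage check, the following added example (not Fortinet's or Arctic Wolf's code) encodes the first fixed release per branch exactly as listed in the article, extracts the running version from a version string or a constructed "get system status"-style Version line, and inspects a constructed configuration export for the admin-forticloud-sso-login setting under config system global. A device is reported as exposed only when it is both on a vulnerable release and has FortiCloud SSO login enabled; the config snippets, hostname and model string are assumptions for illustration.

```python
import re

# First fixed release per affected branch, as listed in the article.
FIRST_FIXED = {
    "FortiOS":            {(7, 6): (7, 6, 4), (7, 4): (7, 4, 9), (7, 2): (7, 2, 12), (7, 0): (7, 0, 18)},
    "FortiProxy":         {(7, 6): (7, 6, 4), (7, 4): (7, 4, 11), (7, 2): (7, 2, 15), (7, 0): (7, 0, 22)},
    "FortiSwitchManager": {(7, 2): (7, 2, 7), (7, 0): (7, 0, 6)},
    "FortiWeb":           {(8, 0): (8, 0, 1), (7, 6): (7, 6, 5), (7, 4): (7, 4, 10)},
}
# Branches Fortinet explicitly lists as not affected.
NOT_AFFECTED = {("FortiOS", (6, 4)), ("FortiWeb", (7, 0)), ("FortiWeb", (7, 2))}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

# Constructed inputs: a status line in the shape of a "get system status" Version
# line, and two config exports (hostname and model are made up for the example).
STATUS_LINE = "Version: FortiGate-100F v7.4.3,build2573,240201 (GA.F)"
CONFIG_SSO_ENABLED = """config system global
    set hostname "fw-edge-1"
    set admin-forticloud-sso-login enable
end
"""
CONFIG_SSO_DISABLED = """config system global
    set hostname "fw-edge-1"
    set admin-forticloud-sso-login disable
end
"""


def parse_version(text):
    """Extract (major, minor, patch) from 'v7.4.3' or a full Version line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def sso_login_enabled(config_text):
    """True if the export sets admin-forticloud-sso-login enable under config system global.
    A setting absent from the export is at its default, which Fortinet states is disabled."""
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
        elif in_global and line == "end":
            in_global = False
        elif in_global and line.startswith("set admin-forticloud-sso-login"):
            return line.split()[-1] == "enable"
    return False


def assess(product, version_text, config_text):
    """Classify a device as not affected / patched / vulnerable, and whether it is exposed."""
    version = parse_version(version_text)
    branch = version[:2]
    if (product, branch) in NOT_AFFECTED:
        return "not affected"
    fixed = FIRST_FIXED.get(product, {}).get(branch)
    if fixed is None:
        return "unknown branch: check the advisory"
    if version >= fixed:
        return "patched"
    status = "vulnerable, update to " + ".".join(map(str, fixed)) + "+"
    if sso_login_enabled(config_text):
        return status + " (EXPOSED: FortiCloud SSO admin login is enabled, disable it now)"
    return status + " (SSO login disabled, not exploitable until it is enabled)"


if __name__ == "__main__":
    print(assess("FortiOS", STATUS_LINE, CONFIG_SSO_ENABLED))
    print(assess("FortiOS", STATUS_LINE, CONFIG_SSO_DISABLED))
    print(assess("FortiOS", "v7.4.9", CONFIG_SSO_ENABLED))
    print(assess("FortiWeb", "7.2.5", CONFIG_SSO_ENABLED))
```

Because the exploit precondition is the SSO setting rather than the version alone, the script distinguishes "vulnerable but not currently exploitable" from "exposed"; the former still needs the update, the latter needs the CLI change above applied today.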