In the cybersecurity world, the time between a “patch released” announcement and an “active attack started” warning is getting shorter and shorter. Two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) affecting Fortinet devices, which Fortinet announced last week, were actively exploited by threat actors as of December 12, 2025, less than a week after their disclosure.
Details of the Vulnerability
Technical Basis of the Vulnerability: “Fake Identity, Invalid Signature”
These vulnerabilities (in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager) stem from a critical failure in cryptographic signature verification, rather than a classic coding error.
How Does the Attack Mechanism Work?
Attackers exploit a flaw in how the target system processes SAML (Security Assertion Markup Language) responses.
- Manipulation: The attacker creates a specially crafted SAML message.
- Bypass: Because the system cannot properly verify the cryptographic signature in this message, it accepts the attacker’s identity as valid.
- Result: The attacker logs into the system directly with “admin” privileges, without needing any valid username or password.
- Critical Configuration Trap: Although the FortiCloud SSO feature appears “Disabled” by default, when an administrator registers a device with FortiCare, it automatically enables unless the “Allow administrative login using FortiCloud SSO” option on the registration page is manually disabled. This causes many administrators to unknowingly leave the door open.
Field Intelligence: What Are the Attackers Doing?
Data from our clients’ devices and global CTI sensors indicates that the attack evolved from a random scan into a targeted data theft campaign.
IP Addresses as IoC:
- 167.179.76[.]111
- 199.247.7[.]82
- 45.32.153[.]218
- 45.61.136[.]7
- 38.54.88[.]203
- 38.54.95[.]226
- 38.60.212[.]97
The IP addresses used in the attacks are associated with the following hosting/proxy providers:
- The Constant Company LLC
- Bl Networks
- Kaopu Cloud Hk Limited
Measures should be taken against traffic from these networks, and you can define a SIEM rule for this case.
Observed Attack Chain
First Access: Starting on December 12, 2025, attackers gained unauthorized access to FortiGate devices as “admin” using a SAML bypass method.
Target Action: After gaining access, the attackers’ primary goal was to Export Device Configuration (Export Configuration via GUI).
Why Configuration Files? These files contain network maps, VPN users, and, most importantly, hashed passwords. Attackers aim to penetrate deeper into the network by cracking these hashes offline (dictionary attacks).
Affected Versions and Patch Status
All systems using the following versions and with FortiCloud SSO enabled are at risk:
- FortiOS: Versions 7.4.0–7.4.4, 7.2.0–7.2.6, 7.0.0–7.0.14, and 6.4.0–6.4.14.
- FortiProxy & FortiWeb: All relevant sub-versions.
Secure Versions:
- FortiOS: 7.6.4, 7.4.9, 7.2.12, 7.0.18 or later.
- FortiWeb: 8.0.1 or later.
Emergency Action Plan and Improvement
In a state of active exploitation, there may not be time to plan for patching. In such a case, immediately take the following steps:
Step 1: Immediate Mitigation
Before installing the patch, disable the attack vector; disable the FortiCloud SSO feature from the device management panel or via the CLI.
CLI Command (Example):
config system admin
edit "admin"
unset forticloud-sso-login
endNote: This command may vary depending on the version; check FortiCare settings via the GUI.
Step 2: Isolate the Admin Interface
Admin panels (HTTPS/SSH) should never be open to the entire internet. Restrict access only to trusted internal IPs or the administration block behind a VPN.
Step 3: IoC Hunting
Firstly, if you have FortiCloud SSO service enabled on your system and security patches haven’t been applied yet, you might consider enabling “Assume Breach” procedures, assuming the device has been compromised.
- Look in the logs for suspicious SSO entries for the “admin” user (especially from the hosting providers mentioned above).
- Check configuration file downloads (configuration exports).
Step 4: Password Reset
If a breach is suspected, assume the attackers stole the configuration file and change all local user passwords, VPN passwords, and LDAP/RADIUS secrets.
Additional
This vulnerability serves as a reminder that Fortinet devices can be more than just a firewall; they can also be a key gateway to the network for attackers. You must keep your defenses up-to-date, optimizing your detection rules and SIEM correlation logic based on active attack indicators.
