Fortinet Firewall Vulnerabilities Exploited in Active Attacks
Attackers are actively exploiting a recently disclosed vulnerability (CVE-2025-59718) to bypass authentication on Fortinet’s FortiGate firewalls, enabling them to export sensitive system configuration files. Arctic Wolf researchers reported the campaign on Tuesday, warning that stolen configurations may contain network infrastructure details, security policies, and encrypted credentials—data that could facilitate future attacks.
The vulnerability, along with a related flaw (CVE-2025-59719), stems from improper cryptographic signature verification. Both can be exploited by sending a crafted SAML response to a vulnerable device, tricking it into granting unauthorized access. CVE-2025-59718 affects FortiOS (FortiGate), FortiProxy, and FortiSwitchManager, while CVE-2025-59719 impacts FortiWeb.
Fortinet disclosed the vulnerabilities on December 9, 2025, and released patches, advising customers to upgrade or, if enabled, disable the FortiCloud SSO login feature. The vulnerable SSO path is not enabled by default, but it becomes reachable when administrators register devices to FortiCare without disabling the "Allow administrative login using FortiCloud SSO" option.
Arctic Wolf observed intrusions beginning December 12, with attackers using malicious SSO logins—primarily targeting the admin account—before exfiltrating configurations via the GUI. The attacks originated from IP addresses linked to multiple hosting providers.
CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating U.S. federal agencies to remediate the flaw by December 23, 2025. Organizations using affected Fortinet products are advised to check logs for suspicious activity and reset compromised credentials if breaches are detected.
Source: https://www.helpnetsecurity.com/2025/12/17/fortigate-vulnerability-cve-2025-59718-exploited/
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
Arctic Wolf cybersecurity rating report: https://www.rankiteo.com/company/arcticwolf
{
  "id": "FORARC1765986943",
  "linkid": "fortinet, arcticwolf",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'customers_affected': 'Organizations using FortiGate firewalls with FortiCloud SSO enabled',
                        'industry': 'Cybersecurity, Network Security',
                        'location': 'Global',
                        'name': 'Fortinet',
                        'size': 'Large',
                        'type': 'Vendor'}],
 'attack_vector': 'SAML Response Manipulation',
 'customer_advisories': 'Fortinet customers urged to upgrade or disable FortiCloud SSO and check logs for suspicious activity.',
 'data_breach': {'data_encryption': 'Data was encrypted/hashed (but may be cracked)',
                 'data_exfiltration': 'Yes (configuration files exported to attacker-controlled IPs)',
                 'file_types_exposed': 'Configuration files',
                 'sensitivity_of_data': 'High (contains hashed credentials and network details)',
                 'type_of_data_compromised': 'System configuration files (network/infrastructure details, firewall policies, encrypted/hashed passwords)'},
 'date_detected': '2025-12-12',
 'date_publicly_disclosed': '2025-12-09',
 'description': 'Attackers are exploiting a recently revealed vulnerability (CVE-2025-59718) to bypass authentication on Fortinet’s FortiGate firewalls and export system configuration files. The configuration files may expose sensitive network and infrastructure details, firewall policies, encrypted/hashed passwords, and other data useful for future attacks.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to security breach',
            'data_compromised': 'System configuration files (network/infrastructure details, firewall policies, encrypted/hashed passwords)',
            'identity_theft_risk': 'High (if hashed credentials are cracked)',
            'operational_impact': 'Potential unauthorized access to network infrastructure',
            'systems_affected': 'FortiGate firewalls, FortiProxy, FortiSwitchManager, FortiWeb'},
 'initial_access_broker': {'entry_point': 'SAML response manipulation via CVE-2025-59718',
                           'high_value_targets': 'Admin accounts on FortiGate firewalls'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Organizations should promptly patch vulnerabilities, disable unnecessary features (e.g., FortiCloud SSO if unused), limit access to management interfaces, and monitor for suspicious activity.',
 'motivation': 'Data Exfiltration, Credential Harvesting',
 'post_incident_analysis': {'corrective_actions': 'Patch management, feature disablement, credential resets, access restrictions, and enhanced monitoring.',
                            'root_causes': 'Improper verification of cryptographic signatures in SAML responses (CVE-2025-59718/CVE-2025-59719)'},
 'recommendations': ['Upgrade to a non-vulnerable version of FortiOS/FortiProxy/FortiSwitchManager/FortiWeb.',
                     'Disable FortiCloud SSO login feature if not in use.',
                     'Reset hashed credentials if configuration files were exfiltrated.',
                     'Limit access to management interfaces to trusted internal users.',
                     'Monitor logs for suspicious logins and indicators of compromise.'],
 'references': [{'source': 'Arctic Wolf'},
                {'source': 'Fortinet Security Advisory'},
                {'source': 'CISA Known Exploited Vulnerabilities Catalog'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA added CVE-2025-59718 to Known Exploited Vulnerabilities catalog (remediation deadline: 2025-12-23 for US federal agencies)'},
 'response': {'communication_strategy': 'Public disclosure by Fortinet and Arctic Wolf, CISA advisory',
              'containment_measures': 'Check logs for suspicious logins, reset compromised credentials, limit access to management interfaces',
              'enhanced_monitoring': 'Recommended to check logs for indicators of compromise',
              'network_segmentation': 'Recommended to limit access to management interfaces',
              'remediation_measures': 'Upgrade to a fixed version of FortiOS/FortiProxy/FortiSwitchManager/FortiWeb or disable FortiCloud SSO login feature',
              'third_party_assistance': 'Arctic Wolf (research and advisory)'},
 'stakeholder_advisories': 'Fortinet and Arctic Wolf have issued advisories; CISA has mandated remediation for US federal agencies.',
 'title': 'Exploitation of CVE-2025-59718 to Bypass Authentication on Fortinet FortiGate Firewalls',
 'type': 'Authentication Bypass',
 'vulnerability_exploited': ['CVE-2025-59718', 'CVE-2025-59719']}