Cyber defenders worldwide are scrambling after confirmation that critical authentication bypass vulnerabilities in multiple Fortinet products are being actively exploited by threat actors. Tracked as CVE-2025-59718 and CVE-2025-59719, these flaws allow unauthenticated attackers to bypass Single Sign-On (SSO) protections on Fortinet infrastructure and gain administrative access under certain configurations. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalogue, underscoring the real-world risk.
What’s happening
On 9 December 2025, Fortinet released advisories detailing two critical authentication bypass vulnerabilities affecting several core products, including:
• FortiOS (used on FortiGate firewalls)
• FortiWeb (Web Application Firewall)
• FortiProxy (secure web gateway)
• FortiSwitchManager (management for FortiSwitch devices)
These vulnerabilities arise from improper verification of cryptographic signatures, meaning crafted SAML messages can trick affected devices into granting access to the management interface without valid credentials — if the FortiCloud SSO login feature is enabled.
Security researchers, including Arctic Wolf, report that malicious SSO logins have been observed in the wild, with attackers authenticating as administrators and exporting configuration files that may contain hashed credentials and sensitive network information.
Why this matters to Australian MSPs and SMEs
Fortinet appliances – especially FortiGate firewalls and related management products – are widely deployed across MSP-managed networks, SME infrastructure stacks and regulated mid-market environments in Australia. An authentication bypass on these devices can have significant consequences:
• Unauthorized administrative access to network perimeter devices
• Lateral movement into internal systems once inside
• Exfiltration of sensitive configurations and credentials
• Extended dwell time and follow-on attacks such as ransomware or data theft
With the holiday period approaching — when many organisations reduce staff and delay patching — the urgency is amplified. Unpatched appliances with SSO enabled present an attractive low-effort attack vector during times of reduced vigilance.
How attackers are bypassing Fortinet SSO
The root cause of both CVEs is improper cryptographic signature validation in the FortiCloud SSO component. When enabled, FortiCloud SSO is designed to streamline authentication by delegating login decisions to the cloud. However, if signature verification is flawed, an attacker can craft a Security Assertion Markup Language (SAML) response that appears legitimate, allowing a bypass of normal authentication checks.
FortiCloud SSO is disabled by default on fresh installations, but it is often automatically enabled when administrators register devices to FortiCare via the GUI unless explicitly turned off. This increases the likelihood that real-world deployments are exposed.
What organisations should do now
- Patch immediately
Fortinet has released fixed versions for all affected products. Organisations should prioritise upgrading to these versions without delay. - Disable FortiCloud SSO where enabled
If immediate patching isn’t possible, temporarily disable the FortiCloud SSO administrative login function until updates can be applied. - Review logs & hunt for signs of compromise
Look for unexpected administrative logins, especially from unfamiliar sources, and investigate potential export of configuration files. Exported configs can contain hashed credentials that attackers often crack offline. - Reset credentials and audit access
If any exploitation is suspected, initiate credential resets, review account privileges, and tighten access control to device management interfaces. - Adjust patching and detection playbooks
Update internal patch management processes to prioritise authentication bypass and known exploited vulnerabilities. Enhance detection rules for suspicious SAML and SSO activity.
Implications for MSPs and security partners
Managed Service Providers should treat this as a top-tier operational priority:
• Include these CVEs in monthly patch windows or emergency patch cycles.
• Validate that multi-tenant firewalls and appliances under management are at fixed versions.
• Communicate clear timelines to clients for patching and configuration review before service windows close for the holidays.
• Tighten monitoring around authentication activity on network edge devices.
Australian SOC and IR teams should also consider aligning detection tools to watch for SSO irregularities and known Indicators of Compromise.
Fix Now, Verify Later
These Fortinet vulnerabilities represent a high-impact, fast-exploited weakness in products trusted by thousands of organisations. With confirmation of exploitation and CISA’s inclusion of CVE-2025-59718 in the KEV catalog — meaning federal bodies in the US have strict patch deadlines — there’s no room for complacency.
For Australian teams, especially MSPs and SME operators, this highlights an ongoing reality: endpoint and identity controls are only as strong as their weakest configuration. A properly patched and configured Fortinet deployment is a defended one — but unpatched SSO bypass flaws turn gateways into entry points.
