Zero-day campaigns targeting Fortinet CVEs CVE-2025-59718 and CVE-2025-59719
Targeted Sectors
· Finance
· Telecommunications
· Government
· Energy
· Critical Infrastructure
Targeted Countries
· Germany
· France
· United Kingdom
· Netherlands
· Italy
· Spain
· Belgium
· Sweden
· United States
· Australia
BLUF
Unauthenticated remote attackers can bypass administrative authentication on Fortinet devices by submitting forged SAML response messages carrying spoofed cryptographic signatures, gaining full administrative access to the device GUI. The vulnerable feature, FortiCloud SSO, is often enabled automatically when a device is registered with FortiCloud. Active exploitation was confirmed starting December 12, 2025, primarily to export device configuration files, which contain hashed credentials.
CVE-2025-59718
FortiOS, FortiProxy, FortiSwitchManager
CVSS 3.1 Vector
· (9.1) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Nessus ID
213032
Is this on the KEV list?
· Yes
CISA patch by date
· December 23, 2025
Patching/Mitigation Data
Patch Release Date
· December 9, 2025
URL to patch
· hxxps://www.fortiguard.com/psirt/FG-IR-25-647
Mitigation Data
· Workaround: Disable FortiCloud SSO via the CLI:
  config system global
      set admin-forticloud-sso-login disable
  end
CVE-2025-59719
FortiWeb
CVSS 3.1 Vector
· (9.1) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Nessus ID
213032
Is this on the KEV list?
· Yes
CISA patch by date
· December 23, 2025
Patching/Mitigation Data
Patch Release Date
· December 9, 2025
URL to patch
· hxxps://www.fortiguard.com/psirt/FG-IR-25-647
Workaround
· Disable administrative SSO login in the GUI under System -> Settings.
Date of First Reported Activity
· December 12, 2025
Date of Last Reported Activity Update
· December 16, 2025
APT Names
· No specific APT groups have been named at this time
Associated Criminal Organization Names
· No specific criminal organizations have been named at this time
Malware Names
· No custom malware deployed; actors utilize "Living-off-the-Land" techniques post-login.
Malware Samples
· No malware has been identified at this time
Tools Used
· Forged SAML Assertion Generators
· Python-based exploit scripts
Delivery Method
· Network-based direct exploitation of the administrative login interface (typically TCP port 443).
IOCs
Please keep in mind that IOCs are usually dynamic. They should be checked but generally used to identify patterns of behavior.
Attacker IPs
· 45.32.153.218
· 167.179.76.111
Target Account
· The default admin account is the primary target for the bypass.
Audit Log Indicator
· Log entries showing successful login for admin via FortiCloud SSO from unexpected external IP addresses.
TTPs
Initial Access & Exploitation
· T1190: Exploit Public-Facing Application
o Attackers target management interfaces exposed to the internet, specifically those where FortiCloud SSO is enabled
· T1556.006: Modify Authentication Process (SAML Modification)
o Adversaries deliver a crafted SAML response message with a forged or improperly verified cryptographic signature. This allows the attacker to bypass the authentication routine and gain a valid administrative session.
· Targeting Default Accounts
o Exploitation efforts have predominantly targeted the "admin" account to achieve maximum privileges immediately upon bypass.
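As an added illustration (not code from the page, from Fortinet, or from any of the cited reporters), the following toy verifier shows one design pattern that produces exactly the outcome described above: a response the attacker built and signed themselves is accepted as if it came from the IdP, because the verifier trusts signing material carried inside the message rather than the key pinned for the IdP. The page does not describe Fortinet's actual defect, so this is a generic pattern, not the vendor's bug. The HMAC-SHA256 "signature" is a standard-library stand-in for XML-DSig, and every key, issuer and audience value is an assumption.

```python
# Added illustration, not Fortinet's code: a toy SAML-style response verifier
# showing one trust mistake that yields a forged response with an
# attacker-produced signature being accepted. The "signature" is an
# HMAC-SHA256 stand-in for XML-DSig so the block runs with the standard
# library; every key, issuer and audience value below is assumed.
import hashlib
import hmac
import json
import time

IDP_KEY = b"idp-signing-key-pinned-on-the-sp"     # assumed: the only key the SP should trust
ISSUER = "https://idp.example/saml"                # assumed IdP entity ID
AUDIENCE = "https://fortigate.example/saml/sp"     # assumed SP entity ID
SIGNED_FIELDS = ("issuer", "audience", "subject", "not_on_or_after")


def canonical(resp):
    """Deterministic encoding of the signed fields (stand-in for XML C14N)."""
    return json.dumps({k: resp[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def sign(resp, key):
    return hmac.new(key, canonical(resp), hashlib.sha256).hexdigest()


def verify_vulnerable(resp):
    """Trusts key material carried inside the message (think of a KeyInfo
    block whose certificate is used as-is). The sender controls both the
    key and the signature, so any self-consistent forgery passes."""
    key = resp["key_info"].encode()
    return hmac.compare_digest(sign(resp, key), resp["signature"])


def verify_hardened(resp, now=None):
    """Verifies against the pinned IdP key only, then checks the assertion
    is for this SP, from the expected issuer, and still valid."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(sign(resp, IDP_KEY), resp["signature"]):
        return False
    if resp["issuer"] != ISSUER or resp["audience"] != AUDIENCE:
        return False
    if resp["not_on_or_after"] <= now:
        return False
    return True


def build_response(subject, key, key_info, ttl=300):
    """Assemble a response and sign it with `key`; `key_info` is what the
    message claims its signing key is."""
    resp = {"issuer": ISSUER, "audience": AUDIENCE, "subject": subject,
            "not_on_or_after": time.time() + ttl, "key_info": key_info}
    resp["signature"] = sign(resp, key)
    return resp


def legitimate_admin_response():
    return build_response("admin", IDP_KEY, IDP_KEY.decode())


def forged_admin_response():
    """The attacker never had IDP_KEY: they sign with a key of their own
    choosing and advertise that key inside the message."""
    attacker_key = b"attacker-chosen-key"
    return build_response("admin", attacker_key, attacker_key.decode())


if __name__ == "__main__":
    forged = forged_admin_response()
    print("vulnerable verifier accepts forgery:", verify_vulnerable(forged))  # True
    print("hardened verifier accepts forgery:", verify_hardened(forged))      # False
```

The hardened path is the checklist a SAML SP needs regardless of product: verify only against trusted, pinned IdP keys, then enforce issuer, audience and validity window before mapping the subject to a local account.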
Execution & Persistence
· T1078.001 Valid Accounts (Default Accounts)
o After the bypass, attackers operate as a legitimate administrative user, blending in with standard management activity.
· T1133: External Remote Services
o Once administrative access is gained, actors may modify VPN policies or create new administrative accounts to ensure long-term, "authorized" remote access.
Collection & Exfiltration
· T1005: Data from Local System
o A primary objective observed in mid-December 2025 campaigns is the export of device configurations via the GUI.
· Credential Harvesting
o Threat actors exfiltrate these configuration files to extract hashed credentials. These hashes are then cracked offline to facilitate lateral movement into the internal network.
· T1041 Exfiltration Over C2 Channel
o Stolen configuration data is sent directly back to the attacker's infrastructure, often hosted on providers such as The Constant Company (Vultr), BI Networks, and Kaopu Cloud.
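Once a configuration export has left the device, the responder's first question is which credentials the attacker now holds and which of them are merely hashed versus recoverable. As an added example (not from the page or from Fortinet), the script below walks a configuration backup and builds that inventory. The sample config is constructed; its layout follows the FortiOS CLI backup format (config/edit/set/next/end blocks, secrets stored as "set <attribute> ENC <blob>"), and the classification of admin/user passwords as salted hashes versus PSKs as reversibly encrypted is an assumption stated in the code.

```python
# Added example, not from the page or Fortinet: inventory the credential
# material an attacker obtains from an exported configuration, so the owner
# knows what to rotate. SAMPLE_CONFIG is constructed; its layout follows the
# FortiOS CLI backup format (config/edit/set/next/end, secrets stored as
# "set <attr> ENC <blob>"), which is assumed here.
import re

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2exampleAdminHashBlob0000000000000000000000000=
    next
end
config user local
    edit "vpn-alice"
        set type password
        set passwd ENC SH2exampleUserHashBlob00000000000000000000000000=
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set psksecret ENC exampleEncryptedPskBlob0000000000000000000=
    next
end
"""

ENC_LINE = re.compile(r"^\s*set\s+(\S+)\s+ENC\s+(\S+)\s*$")

# Assumed treatment of each ENC attribute: admin/user passwords are salted
# hashes that can be cracked offline; PSKs and shared secrets must be
# recoverable by the device, so they are reversibly encrypted and should be
# treated as disclosed outright.
HASHED_ATTRS = {"password", "passwd"}


def inventory_secrets(config_text):
    """Return one record per ENC value: the config path, the object it
    belongs to, the attribute name, the blob and the exposure class."""
    found = []
    sections = []   # stack of "config ..." names (FortiOS nests tables)
    objects = []    # stack of "edit ..." names
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            sections.append(s[len("config "):])
        elif s == "end":
            sections.pop()
        elif s.startswith("edit "):
            objects.append(s[len("edit "):].strip('"'))
        elif s == "next":
            objects.pop()
        else:
            m = ENC_LINE.match(line)
            if m:
                attr = m.group(1)
                found.append({
                    "section": " > ".join(sections),
                    "object": objects[-1] if objects else None,
                    "attribute": attr,
                    "blob": m.group(2),
                    "exposure": "hash (offline crackable)" if attr in HASHED_ATTRS
                                else "reversible (treat as plaintext)",
                })
    return found


def rotation_plan(config_text):
    """Map the inventory onto concrete actions for the incident responder."""
    actions = []
    for rec in inventory_secrets(config_text):
        target = f"{rec['section']} / {rec['object']}"
        if rec["attribute"] in HASHED_ATTRS:
            actions.append(f"reset password for {target}; check reuse of that password elsewhere")
        else:
            actions.append(f"regenerate {rec['attribute']} for {target} on both peers")
    return actions


if __name__ == "__main__":
    for action in rotation_plan(SAMPLE_CONFIG):
        print(action)
```

Run it against the real export (the same file the attacker took) and treat every "reversible" entry as a leaked plaintext credential, since the offline cracking step the page describes is only needed for the hashed ones.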
Impact
· Network Sabotage
o Administrative access allows attackers to disable inspection engines, introduce malicious routing rules, and push configuration changes across the switching infrastructure via FortiSwitchManager.
Key Detection & Mitigation Indicators
· Anomalous SSO Logins: Monitor logs for successful "FortiCloud SSO" logins for the admin account originating from unknown hosting provider IPs (e.g., 45.32.153.218, 167.179.76.111).
Suggested Rules/ potential hunts
These are indicator-based rules and are likely to be noisy. For the most reliable results, perform investigations via data models rather than acting on raw matches.
Suricata Rule
# The SAMLResponse form field is base64-encoded in the HTTP-POST binding, so an
# XML attribute such as ID="..." can never be matched against the raw request
# body; this rule instead flags any SAML response posted to the appliance from
# outside, for triage against the admin login logs.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Fortinet FortiCloud SSO SAMLResponse POST from external host (CVE-2025-59718/CVE-2025-59719)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse="; classtype:attempted-admin; sid:202559718; rev:1;)
SentinelOne Query
Indicator == "SAML Bypass" OR ((ParentProcessName == "sslvpnd" OR ProcessName == "httpsd") AND Commandline Contains "saml/login")
Splunk Hunt
index=fortinet sourcetype=fortios_log action="login" status="success" msg="*FortiCloud SSO*"
| stats count min(_time) as first_seen max(_time) as last_seen by user, src_ip, dst_ip
| where NOT cidrmatch("<internal_network_cidr>", src_ip)
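The same hunt as stand-alone Python, so it can be run against an exported log file or used to validate the SIEM version. This is an added example, not code from the page or from Fortinet; the log lines are constructed (field names follow FortiOS key=value event logs, but the exact "FortiCloud SSO" wording inside msg is assumed) and the internal ranges are placeholders for the real management networks. Two of the constructed lines reuse the IOC addresses listed above.

```python
# Added example, not from the page: the Splunk hunt above as stand-alone
# Python over FortiOS-style event log lines. SAMPLE_LOGS is constructed
# (field names follow FortiOS key=value event logs; the SSO wording in msg
# is assumed) and INTERNAL_NETS is an assumption to replace with the real
# management networks.
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed

SAMPLE_LOGS = """\
date=2025-12-13 time=02:14:07 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(45.32.153.218)" srcip=45.32.153.218 dstip=203.0.113.10 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully via FortiCloud SSO from https(45.32.153.218)"
date=2025-12-13 time=08:30:11 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" srcip=10.20.0.15 dstip=10.20.0.1 action="login" status="success" profile="super_admin" msg="Administrator netops logged in successfully via FortiCloud SSO from https(10.20.0.15)"
date=2025-12-13 time=08:31:40 devname="fw-edge-1" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(167.179.76.111)" srcip=167.179.76.111 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(167.179.76.111)"
date=2025-12-13 time=09:02:55 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 dstip=10.20.0.1 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(10.20.0.15)"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """FortiOS event logs are space-separated key=value pairs."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_sso_logins(log_text):
    """Successful FortiCloud SSO admin logins whose source is outside the
    management networks: the audit-log indicator from the IOC section."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if "FortiCloud SSO" not in ev.get("msg", ""):
            continue
        if is_internal(ev["srcip"]):
            continue
        hits.append({"time": f"{ev['date']} {ev['time']}", "user": ev["user"],
                     "src_ip": ev["srcip"], "dst_ip": ev["dstip"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_sso_logins(SAMPLE_LOGS):
        print(hit)
```

Only the first constructed line is returned: the internal SSO login, the failed attempt from the second IOC address and the non-SSO internal login are all filtered out. Because the workaround disables FortiCloud SSO entirely, any successful SSO login that post-dates the change is itself a finding, whatever its source address.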
References
Fortinet
· hxxps://www.fortiguard.com/psirt/FG-IR-25-647
Arctic Wolf
· hxxps://arcticwolf.com/resources/blog/cve-2025-59718-and-cve-2025-59719/
Bleeping Computer
· hxxps://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws/
Australian Cyber Security Centre (cyber.gov.au)
· hxxps://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-multiple-fortinet-products-forticloud-sso-login-authentication-bypass