
On December 9, 2025, Fortinet released a critical security advisory regarding two authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws allow unauthenticated attackers to gain administrative access by exploiting improper cryptographic signature verification in the FortiCloud SSO login process.
Just days after the disclosure, active exploitation was reported, and CISA added the flaws to its Known Exploited Vulnerabilities (KEV) catalog. This incident once again highlights a recurring pattern in Fortinet vulnerabilities: management interfaces exposed to the internet and long-standing configuration issues becoming a gateway for enterprise-wide compromise. This article analyzes the technical risks of these flaws and explains why organizations must shift toward an Attack Surface Management (ASM)-driven defense strategy.
FortiCloud SSO Authentication Bypass Vulnerability Overview

- CVE-2025-59718: affects FortiOS, FortiProxy, and FortiSwitchManager
- CVE-2025-59719: affects FortiWeb
Both vulnerabilities stem from improper verification of cryptographic signatures in SAML response messages. By sending a specially crafted SAML message, an unauthenticated attacker can trick the device into granting an administrative session without completing the normal authentication flow.
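To make the bug class concrete, the following Python model is an added example (not Fortinet's code and not a reproduction of either CVE): it contrasts a verifier with three classic signature-handling mistakes against a strict one. HMAC-SHA256 over a canonical assertion stands in for the XML-DSig/RSA signature a real IdP produces, so it runs on the standard library alone; the keys, entity IDs and assertions are all constructed for the demo.

```python
"""Signature-verification mistakes behind SAML-style auth bypasses.

Added example (not Fortinet code). HMAC-SHA256 over a canonical assertion
stands in for the XML-DSig/RSA signature a real IdP produces; the keys,
entity IDs and assertions below are constructed for the demo.
"""
import hashlib
import hmac
import json

IDP_KEY = b"constructed-idp-signing-key"        # only the IdP holds this
ATTACKER_KEY = b"constructed-attacker-key"      # anyone can make one of these
EXPECTED_ISSUER = "https://idp.example.test"    # assumed IdP entity ID
EXPECTED_AUDIENCE = "https://fw.example.test"   # assumed SP (device) entity ID


def canonical(assertion: dict) -> bytes:
    """Stable byte form of the assertion (plays the role of C14N in XML-DSig)."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: dict, key: bytes) -> str:
    return hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()


def make_response(assertion: dict, key: bytes = None, embed_key: bool = False) -> dict:
    """Build a response; embed_key mimics a sender-supplied <KeyInfo> element."""
    resp = {"assertion": assertion}
    if key is not None:
        resp["signature"] = sign(assertion, key)
        if embed_key:
            resp["key_info"] = key.hex()
    return resp


def verify_weak(resp: dict, pinned_key: bytes = IDP_KEY):
    """Buggy verifier (CWE-347 pattern). Returns the subject it would log in, or None.
    Bug 1: a missing signature is treated as "nothing to verify".
    Bug 2: a key carried inside the message is trusted over the pinned one.
    Bug 3: issuer, audience and validity window are never checked."""
    a = resp["assertion"]
    sig = resp.get("signature")
    if sig is None:
        return a["subject"]                                                      # bug 1
    key = bytes.fromhex(resp["key_info"]) if "key_info" in resp else pinned_key  # bug 2
    return a["subject"] if hmac.compare_digest(sig, sign(a, key)) else None     # bug 3


def verify_strict(resp: dict, now: int, pinned_key: bytes = IDP_KEY):
    """Hardened verifier: signature is mandatory, checked only against the
    pinned IdP key, and the assertion must be addressed to us and still valid."""
    a = resp["assertion"]
    sig = resp.get("signature")
    if sig is None or not hmac.compare_digest(sig, sign(a, pinned_key)):
        return None
    if a.get("issuer") != EXPECTED_ISSUER or a.get("audience") != EXPECTED_AUDIENCE:
        return None
    if now >= a.get("not_on_or_after", 0):
        return None
    return a["subject"]


def demo(now: int = 1_765_000_000) -> dict:
    """Run four constructed responses through both verifiers.
    Returns {case: (weak_result, strict_result)}."""
    base = {"issuer": EXPECTED_ISSUER, "audience": EXPECTED_AUDIENCE,
            "subject": "admin", "not_on_or_after": now + 300}
    expired = dict(base, not_on_or_after=now - 1)
    cases = {
        "legit":    make_response(base, IDP_KEY),                        # real IdP
        "unsigned": make_response(base),                                 # signature stripped
        "forged":   make_response(base, ATTACKER_KEY, embed_key=True),   # own key in KeyInfo
        "replayed": make_response(expired, IDP_KEY),                     # genuine but stale
    }
    return {name: (verify_weak(r), verify_strict(r, now)) for name, r in cases.items()}


if __name__ == "__main__":
    for case, (weak, strict) in demo().items():
        print(f"{case:9s} weak={weak!r:8} strict={strict!r}")
```

The weak verifier grants an admin session to every case; the strict one accepts only the genuine, current assertion. In real XML-DSig the same rules read: refuse responses without a Signature, resolve the verification key only from the IdP metadata you pinned (never from the message's own KeyInfo), make sure the signed Reference covers the assertion you actually consume, and enforce Conditions (Audience, NotOnOrAfter) before creating any session.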
Fortinet noted that FortiCloud SSO login is disabled in factory-default settings. One operational detail, however, significantly expands the attack surface: when a device is registered to FortiCare through the GUI, FortiCloud SSO login is enabled automatically unless the administrator explicitly clears the "Allow administrative login using FortiCloud SSO" option.
As a result, many organizations may satisfy the conditions for exploitation without ever having deliberately deployed SSO-based administration. Whether the option is enabled therefore has to be verified on each device's running configuration rather than inferred from the default.
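Because the SSO setting, the interfaces that expose the GUI, and the admin accounts that can use it all live in the device configuration, the check is easiest to run against a configuration export. The following Python script is an added example (not Fortinet's or Criminal IP's code): it parses a FortiOS-style configuration export and flags three drift conditions: the FortiCloud SSO admin login attribute enabled, management protocols allowed on a WAN-role interface, and admin accounts with no trusted-host restriction. The sample configuration is constructed; the attribute name `admin-forticloud-sso-login` is assumed to be the CLI counterpart of the "Allow administrative login using FortiCloud SSO" option, as in Fortinet's published workaround for these CVEs, so confirm it on your firmware build.

```python
"""Audit a FortiOS-style configuration export for exposure-relevant drift.

Added example, not Fortinet or Criminal IP code. SAMPLE_CONFIG is constructed;
the block/attribute names follow FortiOS CLI conventions, and
admin-forticloud-sso-login is assumed to be the attribute behind the
"Allow administrative login using FortiCloud SSO" option (verify on your build).
"""
import shlex

SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set admin-sport 443
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "ops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.0.0
    next
end
"""

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios(text: str) -> dict:
    """Turn config/edit/set/next/end blocks into nested dicts.
    'set k v1 v2' is stored as {'k': ['v1', 'v2']}; other keywords are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles quoted names such as "wan1"
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit(cfg: dict) -> list:
    """Return (object, finding) pairs for the three drift conditions.
    Exports omit attributes left at their default, so an absent SSO attribute
    is read as the factory default 'disable'."""
    findings = []
    sso = cfg.get("system global", {}).get("admin-forticloud-sso-login", ["disable"])
    if sso == ["enable"]:
        findings.append(("system global", "FortiCloud SSO administrative login enabled"))
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append((name, f"management access {sorted(exposed)} on WAN-role interface"))
    for name, admin in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append((name, "admin account has no trusted-host restriction"))
    return findings


if __name__ == "__main__":
    for obj, msg in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[DRIFT] {obj}: {msg}")
```

Run against the constructed export it reports the SSO attribute, the `wan1` interface exposing HTTPS and SSH, and the `admin` account with no trusted hosts; the `internal` interface and the `ops` account pass. Each finding maps to a configuration change (disabling the SSO attribute, removing management protocols from the WAN-facing interface, adding trusted hosts) that closes the exact condition the attack flow in the next section depends on, independently of the patch.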
Observed Attack Flow and Impact
Attackers began opportunistic scanning and exploitation as early as December 12, 2025. The attack flow generally follows these steps:
- Identification of Exposed Management Interfaces: Attackers scan the public internet for Fortinet devices whose administrative GUI is reachable.
- Authentication Bypass: A crafted SAML message is submitted to the device's FortiCloud SSO login handler, which accepts it as an administrator authentication.
- Configuration Exfiltration: Once logged in, attackers immediately export the device configuration through the GUI.
- Credential Cracking: Passwords in the configuration export are hashed, but attackers run offline dictionary attacks against them; any weak credential recovered this way gives persistent access that survives patching of the original flaw. Patching therefore has to be paired with rotation of administrative credentials and of any other secrets the exported configuration contains.
As of December 22, 2025, more than 400 assets remained vulnerable to CVE-2025-59718, despite patches being publicly available.
https://www.criminalip.io/asset/search?query=cve_id%3ACVE-2025-59718

Why Fortinet Edge Vulnerabilities Continue to Be Exploited
The FortiCloud SSO authentication bypass is not an isolated incident. Recent Fortinet vulnerabilities have repeatedly followed the same pattern: public disclosure, rapid emergence of exploitation techniques, and attacks targeting exposed edge devices.
In many cases, the root cause is not only the vulnerability itself, but externally exposed management services combined with configuration drift in operational environments.
Across multiple real-world incidents, attackers have consistently prioritized externally reachable edge infrastructure, using exposed management access as a low-friction method to establish initial control.
From Vulnerability Awareness to Attack Surface Visibility

Traditional vulnerability management focuses on identifying affected versions and applying patches, but this approach assumes organizations have clear visibility into which assets are externally reachable at the time of disclosure. During active exploitation, many security teams struggle to quickly determine which management interfaces are actually exposed and exploitable, creating a gap between vulnerability awareness and real-world risk.

Attack Surface Management (ASM) addresses this challenge by continuously identifying externally exposed assets from an attacker’s perspective. In the context of the FortiCloud SSO authentication bypass, an ASM-driven approach enables security teams to verify whether Fortinet management interfaces and SSO-related endpoints are reachable from the internet, correlate exposure conditions with known vulnerabilities, and prioritize remediation based on actual exposure rather than assumptions.
Key ASM Capabilities Relevant to Fortinet Edge Infrastructure
In incidents such as the FortiCloud SSO authentication bypass, attackers did not rely solely on the vulnerability itself. Instead, they focused on externally exposed management interfaces and misconfigurations that persisted after disclosure. The following four ASM capabilities are particularly relevant for mitigating Fortinet-related risks.
- Continuous Discovery of Newly Exposed Assets
  - Newly exposed or modified Fortinet assets are automatically detected, enabling security teams to quickly identify management interfaces that become internet-reachable due to configuration or operational changes.
- Identification of Exposed Management Interfaces
  - Externally accessible Fortinet administrative GUIs, VPN portals, and SSO-related endpoints are identified as high-risk entry points most likely to be targeted for initial access.
- Correlation Between External Exposure and Known Vulnerabilities
  - Externally exposed Fortinet assets are correlated with relevant CVEs, allowing remediation efforts to be prioritized based on real-world exploitability rather than theoretical severity.
- Validation of Remediation Effectiveness
  - ASM verifies whether patching or configuration changes have actually reduced external exposure, helping ensure that management interfaces remain inaccessible to attackers after remediation.
FAQ
Q1. If FortiCloud SSO is disabled by default, why are these vulnerabilities still being exploited?
Although FortiCloud SSO is disabled in factory default settings, real-world environments often diverge from defaults. During FortiCare registration or routine administrative workflows, the FortiCloud SSO login feature may be unintentionally enabled unless explicitly disabled by administrators.
As a result, many organizations unknowingly satisfy the conditions required for exploitation, especially when management interfaces remain externally accessible.
Q2. Is ASM still necessary after applying the official patches?
Yes. Patching is inherently reactive and addresses only known vulnerabilities at a specific point in time. In contrast, Attack Surface Management (ASM) provides continuous visibility into external exposure, allowing organizations to detect configuration drift and ensure that management interfaces are not unintentionally re-exposed through operational changes, maintenance activities, or future zero-day vulnerabilities.
Conclusion
The FortiCloud SSO authentication bypass (CVE-2025-59718/CVE-2025-59719) is a prime example of why modern cybersecurity must go beyond simple patch management. The intersection of a critical software flaw and unintentional external exposure creates a high-risk environment that attackers are quick to exploit.
By shifting toward an Attack Surface Management-Driven Defense, organizations can gain the visibility needed to identify unmanaged interfaces and correct configuration drift before they are discovered by threat actors. Protecting the network edge is no longer just about the strength of the firewall; it is about knowing exactly where that edge is and ensuring it is not unnecessarily exposed.
For a related case, see Asahi GHD Ransomware Incident: VPN Exploitation Case and ASM-Based Prevention Strategies.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP (https://www.criminalip.io), BleepingComputer (https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-forticloud-sso-login-auth-bypass-flaws/)
Related Article: https://www.criminalip.io/knowledge-hub/blog/31556
