Malicious SSO Logins Observed Following Disclosure of CVE-2025-59718 and CVE-2025-59719

Dec. 21, 2025, 7:05 p.m.

Description

On December 12, 2025, intrusions involving malicious SSO logins on FortiGate appliances were observed. These attacks followed Fortinet's disclosure of two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9. The vulnerabilities allow an unauthenticated attacker to bypass SSO login authentication via crafted SAML messages when FortiCloud SSO is enabled. Affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. The malicious logins originated from specific hosting providers and targeted admin accounts; configuration exports to the same IP addresses were also observed. Recommendations include resetting firewall credentials, limiting management interface access, upgrading to fixed versions, and disabling FortiCloud login if an immediate upgrade is not possible.

Date

  • Created: Dec. 15, 2025, 9:41 p.m.
  • Published: Dec. 15, 2025, 9:41 p.m.
  • Modified: Dec. 21, 2025, 7:05 p.m.

Indicators

  • 38.60.212.97
  • 38.54.88.203
  • 38.54.95.226
  • 45.61.136.7

Attack Patterns

Linked vulnerabilities