Patch now! Attackers bypass authentication in Fortinet products

If SSO login is enabled in FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb, systems are vulnerable. Currently, attackers are exploiting two “critical” vulnerabilities in this context and attacking PCs.

Dangerous Vulnerabilities

By default, authentication via SSO is not active. Admins should quickly check if they are using SSO. If so, they should install the security updates available for a few days. If this is not done, attackers will exploit the vulnerabilities with prepared SAML messages (CVE-2025-59718, CVE-2025-59719), bypass authentication, and gain access to appliances.

Fortinet lists the vulnerable versions and the security updates in a warning message. FortiOS 6.4, FortiWeb 7.0, and 7.2 are not affected by the vulnerabilities. If an installation is not immediately possible, admins must temporarily disable SSO login to protect systems. This can be done via the command-line interface with these commands:

config system global

set admin-forticloud-sso-login disable

end

Background on Attacks

Security researchers from Arctic Wolf are warning about the attacks in a post. The extent to which the attacks are occurring is currently unknown. In their post, the security researchers list various parameters such as IP addresses where admins can identify already attacked instances.

If attacks have occurred, admins should reset all access credentials in addition to installing the patch. What attackers specifically do after a successful attack is currently unknown. In general, external access should be regulated via firewall rules and VPN tunnels.

(des)