Blog
Home

Fortinet in 2025: What it is, why it matters, and the FortiCloud SSO bypass everyone’s patching right now

As of 18 December 2025 (UK time), Fortinet is in the spotlight because two critical vulnerabilities affecting FortiGate/FortiOS (and related products) are being exploited in the wild. If your organisation runs Fortinet at the network edge, this is a “patch + verify compromise” moment.

12/18/20253 min read

What is Fortinet?

Fortinet is one of the biggest names in enterprise cybersecurity, best known for FortiGate, a next-generation firewall (NGFW) platform that often sits at the internet edge of a company’s network. FortiGate commonly bundles firewalling with things like VPN, routing, and SD-WAN—which makes it hugely popular, but also a high-value target.

Fortinet’s “platform” approach (Security Fabric)

Fortinet markets its broader ecosystem as the Fortinet Security Fabric: an integrated platform designed to connect networking + security controls and manage them consistently (policies, telemetry, response).

That platform angle matters because when a vulnerability hits a “core” component (like FortiOS), the impact can ripple across the devices and services that depend on it.

Why Fortinet is in the news right now

Two vulnerabilities—both described as improper verification of cryptographic signatures (CWE-347)—allow attackers to bypass FortiCloud SSO login authentication using a crafted SAML response message:

  • CVE-2025-59718 (affects FortiOS, FortiProxy, FortiSwitchManager).

  • CVE-2025-59719 (affects FortiWeb).

Multiple national cyber agencies and health-sector alerting bodies have issued guidance (e.g., Canada’s Cyber Centre; NHS England Digital; Singapore CSA).

A quick timeline (so it’s easier to reason about urgency)

  • 9 Dec 2025: Fortinet advisory released; patches start landing (covered widely by vendors/press).

  • 12 Dec 2025: Arctic Wolf reports seeing intrusions using malicious SSO logins. Arctic Wolf

  • 15 Dec 2025: Canada Cyber Centre publishes AL25-019 with patch targets and mitigation advice.

  • 16–18 Dec 2025: More reporting + incident-response guidance as exploitation evidence grows.

Who is affected?

The big “gotcha” here: devices are only exploitable if FortiCloud SSO admin login is enabled—but several sources warn it can end up enabled during FortiCare registration via the GUI unless you explicitly opt out.

Affected versions (high level)

Canada’s Cyber Centre lists patch targets clearly (same targets are echoed by Arctic Wolf):

  • FortiOS: upgrade to 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+

  • FortiProxy: 7.6.4+, 7.4.11+, 7.2.15+, 7.0.22+

  • FortiSwitchManager: 7.2.7+, 7.0.6+

  • FortiWeb: 8.0.1+, 7.6.5+, 7.4.10+

Singapore CSA also summarises the affected branches and repeats the same workaround guidance

What’s actually happening in the attacks?

The simple version

SAML-based SSO relies on signed assertions. If a product doesn’t correctly verify the signature, an attacker may be able to send a forged SAML response and get treated as a legitimate user—potentially even admin.

The observed intrusion pattern (important)

Arctic Wolf describes a very consistent flow they observed:

  1. “Admin login successful” where the UI/method indicates SSO, and the user is often admin

  2. Shortly afterward, an action like downloading/exporting the system configuration via the GUI.

Why the config download matters: configuration exports can reveal network layout, policies, routing, exposed interfaces, and can include hashed credentials that attackers may crack offline if weak.

What to do now (defender checklist)

1) Patch first (edge devices are priority zero)

If you run any affected versions, upgrade to the fixed versions listed above. Canada’s Cyber Centre provides a branch-by-branch table that’s easy to hand to operations teams.

2) If you can’t patch immediately: disable FortiCloud SSO admin login

Both Singapore CSA and Arctic Wolf recommend turning off the FortiCloud login feature temporarily until you can upgrade.

GUI path:

  • System → Settings → “Allow administrative login using FortiCloud SSO” → Off

FortiGate / FortiOS SSO Vulnerability Explained: Patching, Mitigation, and Detection

3) Hunt for indicators of compromise (IOCs)

Look for this pairing in a tight time window:

  • Successful admin login with method/UI = SSO

  • Followed by config download/export actions (often to the same source IP)

4) If you find evidence: treat it like credential exposure

Arctic Wolf explicitly recommends assuming hashed credentials in exfiltrated configs may be compromised and reset/rotate credentials ASAP.

5) Reduce blast radius permanently (post-patch hardening)

This incident is another reminder: management interfaces for firewall/VPN appliances should be reachable only from trusted networks (jump hosts, VPN admin segments, allowlists). Arctic Wolf calls this out as a key best practice