Arctic Wolf Security Bulletin

Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719


On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.

These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. Several product lines were reported to be affected, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

In their recent advisory, Fortinet stated that FortiCloud SSO login is disabled by default in factory settings. However, when administrators register devices using FortiCare through the GUI, FortiCloud SSO is enabled upon registration unless the “Allow administrative login using FortiCloud SSO” setting is disabled on the registration page.

Technical Details

In recently observed intrusions, malicious SSO logins on FortiGate devices originated from a handful of hosting providers, listed in the table below.

IOC                Hosting Provider
45.32.153[.]218    The Constant Company LLC
167.179.76[.]111   The Constant Company LLC
199.247.7[.]82     The Constant Company LLC
45.61.136[.]7      BL Networks
38.54.88[.]203     Kaopu Cloud HK Limited
38.54.95[.]226     Kaopu Cloud HK Limited
38.60.212[.]97     Kaopu Cloud HK Limited

Malicious logins were typically against the admin account, as shown in the example log line below:

date=2025-12-12 time=REDACTED devname=REDACTED devid=REDACTED eventtime=REDACTED tz=REDACTED logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn=REDACTED user="admin" ui="sso(199.247.7[.]82)" method="sso" srcip=199.247.7[.]82 dstip=REDACTED action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from sso(199.247.7[.]82)"

Following the malicious SSO logins, device configurations were exported to the same IP addresses via the GUI:

date=2025-12-12 time=REDACTED devname=REDACTED devid=REDACTED eventtime=REDACTED tz=REDACTED logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" ui="GUI(199.247.7[.]82)" action="download" status="success" msg="System config file has been downloaded by user admin via GUI(199.247.7[.]82)"
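As an added example (not part of the Arctic Wolf bulletin), the following Python sketches a detection over FortiGate event logs for the sequence described above: an admin login with method="sso" (logid 0100032001) followed by a system config download (logid 0100032095) from the same source address. The sample log lines are constructed after the redacted examples above, and the trusted-source allowlist parameter is an assumption about the operator's environment.

```python
import re

# Constructed sample FortiGate event logs modelled on the bulletin's redacted
# examples: an SSO admin login and a later config download from the same IP,
# plus a benign HTTPS login from an internal address for contrast.
SAMPLE_LOGS = [
    'date=2025-12-12 time=10:01:02 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="sso(199.247.7.82)" method="sso" srcip=199.247.7.82 action="login" status="success"',
    'date=2025-12-12 time=10:03:40 logid="0100032095" type="event" subtype="system" '
    'level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" '
    'ui="GUI(199.247.7.82)" action="download" status="success" '
    'msg="System config file has been downloaded by user admin via GUI(199.247.7.82)"',
    'date=2025-12-12 time=10:05:00 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line):
    """Split a FortiGate key=value event line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ui_source_ip(ui):
    """Extract the address from ui values such as sso(1.2.3.4) or GUI(1.2.3.4)."""
    m = re.search(r'\(([^)]+)\)', ui)
    return m.group(1) if m else None


def find_sso_login_then_config_export(lines, trusted_sources=()):
    """Return (user, ip) pairs where an SSO admin login from ip was followed by a
    config download from the same ip. Sources in trusted_sources (an assumed
    operator allowlist) are skipped; everything else is surfaced for review."""
    sso_logins = set()
    flagged = []
    for line in lines:
        ev = parse_fortigate_log(line)
        ip = ui_source_ip(ev.get("ui", ""))
        if ip is None or ip in trusted_sources:
            continue
        if ev.get("logid") == "0100032001" and ev.get("method") == "sso":
            sso_logins.add(ip)
        elif (ev.get("logid") == "0100032095" and ev.get("action") == "download"
              and ip in sso_logins):
            flagged.append((ev.get("user"), ip))
    return flagged
```

Flagged pairs can then be checked against the hosting-provider addresses in the table above; an SSO login alone is also worth alerting on if the device should not have FortiCloud SSO enabled at all.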

Note: Arctic Wolf has detections in place to identify potential exploitation and will continue to alert customers if additional instances are identified.

Recommendations

Reset Firewall Credentials if Affected

Although credentials are typically stored hashed in network appliance configurations, threat actors are known to crack hashes offline, especially when credentials are weak and susceptible to dictionary attacks.

If you observe activity similar to the malicious log entries described in this security bulletin, assume that the hashed firewall credentials stored in the exfiltrated configuration have been compromised, and reset those credentials as soon as possible.

Limit Access to Management Interfaces of Firewall and VPN Appliances to Trusted Internal Users

Threat actors commonly target the management interfaces of firewalls and VPNs for mass exploitation, often relying on specialized search engines that facilitate identification of specific hardware configurations.

In the last few years, Arctic Wolf has observed multiple campaigns targeting management interfaces on firewalls and VPN gateways. Consider restricting all firewall management interface access to trusted internal networks as a security best practice across all firewall configurations, regardless of network appliance vendor.

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of affected Fortinet products.

Product                  Affected Version         Fixed Version
FortiOS 7.6              7.6.0 through 7.6.3      7.6.4 or above
FortiOS 7.4              7.4.0 through 7.4.8      7.4.9 or above
FortiOS 7.2              7.2.0 through 7.2.11     7.2.12 or above
FortiOS 7.0              7.0.0 through 7.0.17     7.0.18 or above
FortiProxy 7.6           7.6.0 through 7.6.3      7.6.4 or above
FortiProxy 7.4           7.4.0 through 7.4.10     7.4.11 or above
FortiProxy 7.2           7.2.0 through 7.2.14     7.2.15 or above
FortiProxy 7.0           7.0.0 through 7.0.21     7.0.22 or above
FortiSwitchManager 7.2   7.2.0 through 7.2.6      7.2.7 or above
FortiSwitchManager 7.0   7.0.0 through 7.0.5      7.0.6 or above
FortiWeb 8.0             8.0.0                    8.0.1 or above
FortiWeb 7.6             7.6.0 through 7.6.4      7.6.5 or above
FortiWeb 7.4             7.4.0 through 7.4.9      7.4.10 or above

Note: The following products are unaffected by the vulnerabilities: FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2.

Workaround

Fortinet recommends turning off the FortiCloud login feature (if enabled) temporarily until the device is upgraded to a non-affected version.

To turn off FortiCloud login in the GUI, go to System -> Settings and switch “Allow administrative login using FortiCloud SSO” to Off.

Or enter the following commands in the CLI:

config system global
set admin-forticloud-sso-login disable
end
