With threat actors actively exploiting two critical Fortinet flaws just days after their disclosure, the race between patching and exploitation is on. We’re joined by Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, to break down the technical details of this SAML SSO bypass, the real-world impact of configuration exfiltration, and what CISA’s rapid response means for organizations everywhere. He’ll explore how a seemingly minor default setting can open the door to attackers and offer a glimpse into the future of identity-based threats targeting the network edge.
The report mentions attackers using crafted SAML messages for an SSO bypass. Could you walk us through how this technique works on a technical level, and why it allows attackers to not only log in but also immediately export device configurations?
Think of it as showing a perfectly forged ID to a bouncer who’s trained to check for authenticity but not to question the person holding it. SAML is a standard for exchanging authentication data, and in this case, the vulnerability, CVE-2025-59718, allows an attacker to create a specially crafted SAML message. This message essentially tricks the FortiGate device into believing the attacker has already been authenticated by a trusted identity provider. Because the device trusts the message, it grants them access without performing the actual login. Once they’re in, especially as the “admin” account, they have the highest level of privilege, and exporting the entire device configuration is a standard administrative function, just a few clicks in the GUI.
It’s noted that FortiCloud SSO is often enabled by default during FortiCare registration. Based on your experience, how frequently do administrators overlook this setting, and what specific steps should they take to audit their devices for this vulnerability right now?
It’s incredibly common for settings like this to be overlooked. During a device deployment, the primary goal is to get it operational and integrated into the network as quickly as possible. An administrator might go through the FortiCare registration process, see a pre-checked box for “Allow administrative login using FortiCloud SSO,” and just click “next” without a second thought. To audit this right now, teams need to log into their FortiGate appliances, navigate to the system settings related to FortiCloud, and explicitly disable that SSO login option until the device is patched. The immediate mitigation is to turn it off, but the permanent solution is applying the updates Fortinet released last week.
Arctic Wolf observed attackers targeting the “admin” account and exfiltrating configurations. Besides cracking hashed credentials, what other sensitive information could threat actors gain from these files, and what are the first three incident response actions a team should take upon discovery?
That configuration file is the crown jewels of your network’s perimeter defense. It contains so much more than just hashed credentials. An attacker gets a complete blueprint of your network topology, all the firewall rules, VPN tunnel configurations, and internal IP address schemes. It’s a roadmap for lateral movement. Upon discovering a compromise, the first action must be to assume full compromise and immediately reset all credentials stored in that exfiltrated configuration, especially if they are weak. Second, apply the patches for both CVE-2025-59718 and CVE-2025-59719 to prevent reentry. Third, you have to review logs from the attacker-controlled IP addresses—like those from Bl Networks or Kaopu Cloud Hk Limited—to determine the full scope of their activity post-breach.
CISA added this vulnerability to its KEV catalog just days after exploitation began, setting a tight deadline. What does this rapid response indicate about the perceived severity of this threat, and how does a KEV listing influence patching priorities for private-sector organizations?
CISA’s speed here is a massive red flag that screams urgency. They added this vulnerability on December 16th and gave federal agencies a deadline of December 23rd—that’s just one week. This tells us that the vulnerability is not only critical, with a CVSS score of 9.8, but it’s also being exploited actively and effectively in the wild. For private-sector organizations, a KEV listing is a powerful lever. While not mandatory for them, it serves as an authoritative warning that this isn’t a theoretical risk. It helps security teams cut through internal red tape, justify emergency patching windows, and elevate the priority of this fix above all other routine tasks.
What is your forecast for the exploitation of SSO and other identity-based vulnerabilities in network edge devices?
I firmly believe we are seeing a strategic shift in how attackers approach network infrastructure. They understand that identity is the new perimeter. Instead of just hammering on open ports, they are targeting the complex, and often fragile, trust relationships built into authentication protocols like SAML and SSO. Edge devices such as firewalls and VPNs are the perfect target because they are the gatekeepers. My forecast is that we will see a significant increase in vulnerabilities discovered and exploited in the identity and access management components of these devices. Securing how a user authenticates will become just as critical, if not more so, than securing the network ports themselves.
