editorially independent. We may make money when you click on links
to our partners.
Learn More
Threat actors are actively exploiting critical vulnerabilities in Fortinet security products to bypass authentication controls and gain full administrative access to exposed systems.
The flaws impact widely deployed Fortinet appliances, including FortiWeb and FortiCloud-integrated products, placing internet-facing environments at immediate risk.
The vulnerabilities “… may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message,” said Fortinet in its advisory.
Fortinet Edge Appliances Targeted by Active Exploits
These vulnerabilities affect edge security appliances that sit in highly privileged network positions, including web application firewalls and identity-integrated platforms.
Successful exploitation allows attackers to create rogue administrator accounts or bypass authentication entirely — without credentials — giving them direct control over security infrastructure designed to protect enterprise networks.
Fortinet confirmed exploitation of CVE-2025-64446, a FortiWeb path traversal flaw, while CISA added both CVE-2025-64446 and CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog.
FortiWeb GUI API Flaw Enables Admin Account Creation
CVE-2025-64446 is a critical path traversal vulnerability in FortiWeb’s GUI API that allows unauthenticated attackers to access privileged CGI functionality.
Researchers demonstrated that specially crafted requests can traverse directories and directly reach the fwbcgi binary, bypassing intended access controls.
Once accessed, the CGI handler performs two insufficient checks — one for input validation and another for authentication.
Attackers can satisfy both conditions by supplying a valid JSON payload and spoofing administrator credentials using a Base64-encoded CGIINFO header.
This allows attackers to submit requests that create new administrator accounts with prof_admin privileges, unrestricted host access (0.0.0.0/0), and attacker-controlled passwords.
How CVE-2025-59718 Enables Fortinet Account Takeover
In parallel with other Fortinet-related threat activity, CISA has confirmed active exploitation of CVE-2025-59718, a critical authentication bypass vulnerability affecting FortiCloud Single Sign-On (SSO).
The vulnerability originates from improper validation of cryptographic signatures within SAML-based authentication flows.
FortiCloud SSO uses SAML assertions to establish trust between identity providers and Fortinet services, but flawed verification logic prevents proper validation of their authenticity and integrity.
By abusing this weakness, an attacker can craft malicious SAML authentication responses that are accepted as legitimate despite lacking a valid cryptographic signature or originating from an authorized identity provider.
This allows unauthenticated remote attackers to bypass FortiCloud SSO entirely and impersonate legitimate users or services without supplying valid credentials.
Once the authentication boundary is breached, attackers can gain direct access to Fortinet products integrated with FortiCloud SSO, including FortiOS, FortiProxy, FortiSwitchMaster, and FortiWeb.
Because FortiCloud SSO functions as a federated identity layer, a single successful bypass can provide attackers with broad access across multiple platforms and managed environments rather than limiting exposure to a single device.
Exploitation of CVE-2025-59718 enables attackers to manipulate configurations, modify security policies, intercept or reroute traffic, and establish persistent access across large numbers of Fortinet devices.
A closely related vulnerability, CVE-2025-59719, shares the same underlying root cause involving improper SAML signature handling, and Fortinet has advised that both issues must be patched together to fully remediate the authentication bypass condition.
How to Reduce Risk From Fortinet Exploits
The following mitigations outline practical steps organizations can take to reduce exposure and detect misuse.
- Immediately upgrade to fixed Fortinet versions and retire or isolate any end-of-life products that no longer receive security updates.
- If patching is delayed, disable HTTP and HTTPS access on all internet-facing management interfaces and restrict management-plane access to trusted networks only.
- Review device and FortiCloud logs for signs of exploitation, including suspicious fwbcgi activity, anomalous POST requests, path traversal attempts, and unexpected administrator accounts.
- Limit FortiCloud SSO exposure by tightening identity trust relationships, rotating SSO credentials or certificates, and disabling SSO integrations where operationally feasible.
- Segment and protect management interfaces using zero-trust principles, least-privilege administrative roles, and upstream controls such as allowlisting, rate limiting, or WAF protections.
- After remediation, invalidate active SSO sessions and conduct targeted threat hunting for unauthorized configuration changes, policy modifications, or persistence mechanisms.
Together, these mitigations help strengthen cyber resilience by reducing identity-driven risk and limiting blast radius.
These incidents highlight an ongoing security reality: edge infrastructure and identity-integrated platforms continue to be prime targets for attackers seeking fast, low-friction access into enterprise environments.
These trends reinforce the case for zero-trust approaches that eliminate implicit trust and reduce reliance on traditional network boundaries.
