Analysis: Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass

Urgent Alert: Fortinet FortiGate Under Active Attack - Implications for North East India

Vulnerabilities Discovered and Exploited

In a significant cybersecurity development, threat actors have started exploiting two newly disclosed security flaws in Fortinet FortiGate devices. These vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, were disclosed less than a week ago and have already been exploited, posing a serious threat to organizations using FortiGate appliances.

Malicious Activity Observed

Cybersecurity firm Arctic Wolf reported active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025. The attacks exploit authentication bypass flaws in the FortiGate devices that let an unauthenticated attacker bypass SSO login authentication by sending crafted SAML messages.

Impact on North East Region and India

Given the widespread use of Fortinet products in India, including the North East region, these vulnerabilities pose a significant risk. Organizations in the region must take immediate action to protect their networks and data.

Attacker Tactics and Mitigation Strategies

Arctic Wolf Labs observed that IP addresses belonging to a limited set of hosting providers were used to carry out malicious SSO logins against the "admin" account. Following those logins, the attackers were observed exporting device configurations via the GUI to the same IP addresses.

Organizations are advised to apply the patches as soon as possible and limit access to management interfaces of firewalls and VPNs to trusted internal users. As an additional precaution, it's essential to disable FortiCloud SSO until the instances are updated to the latest version.
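The two observable behaviours described above (an SSO login to "admin" from an address outside the organization's trusted ranges, followed by a configuration export from the same source) can be correlated in FortiGate event logs. The following Python script is an added detection example written for this article; it is not code from Arctic Wolf, Fortinet or the article itself. The log lines are constructed, and the key=value field names it relies on (`action`, `method`, `user`, `srcip`, `status`) are assumptions modelled on FortiGate's key=value log style rather than verified log IDs; map them to the actual fields in your FortiOS version before use.

```python
"""Correlate SSO admin logins with follow-on configuration exports.

Added detection example (not from the article, Arctic Wolf or Fortinet).
SAMPLE_LOGS below are CONSTRUCTED, and the field names (action, method,
user, srcip, status) are ASSUMED key=value fields in the spirit of
FortiGate event logs; adjust them to your FortiOS log schema.
"""
import ipaddress
import shlex
from datetime import datetime, timedelta

# Constructed sample: one SSO login to "admin" from a hosting-range address
# followed by a config export from the same source, one SSO admin login from
# another untrusted address with no export, and benign internal activity.
SAMPLE_LOGS = [
    'date=2025-12-12 time=08:14:02 type=event subtype=system action=login status=success '
    'user="admin" method=sso srcip=203.0.113.45 msg="Administrator admin logged in successfully"',
    'date=2025-12-12 time=08:14:05 type=event subtype=system action=login status=success '
    'user="netops" method=password srcip=10.20.0.7 msg="Administrator netops logged in successfully"',
    'date=2025-12-12 time=08:16:40 type=event subtype=system action=config-export '
    'user="admin" srcip=203.0.113.45 msg="Configuration exported via GUI"',
    'date=2025-12-12 time=09:02:11 type=event subtype=system action=login status=success '
    'user="admin" method=sso srcip=10.20.0.9 msg="Administrator admin logged in successfully"',
    'date=2025-12-12 time=11:40:30 type=event subtype=system action=login status=success '
    'user="admin" method=sso srcip=198.51.100.8 msg="Administrator admin logged in successfully"',
]


def parse_line(line):
    """Split a key=value log line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def _timestamp(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def is_trusted(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_suspicious_sessions(lines, trusted_cidrs, window_minutes=60):
    """Return one finding per SSO 'admin' login from an untrusted source.

    A finding is 'critical' when the same source IP exports the configuration
    within window_minutes of the login (the pattern reported by Arctic Wolf),
    otherwise 'high'. Findings are returned in log order.
    """
    trusted = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    events = [parse_line(line) for line in lines]

    logins = [
        e for e in events
        if e.get("action") == "login"
        and e.get("status") == "success"
        and e.get("method") == "sso"
        and e.get("user") == "admin"
        and not is_trusted(e["srcip"], trusted)
    ]

    findings = []
    for login in logins:
        t0 = _timestamp(login)
        deadline = t0 + timedelta(minutes=window_minutes)
        exports = [
            e for e in events
            if e.get("action") == "config-export"
            and e.get("srcip") == login["srcip"]
            and t0 <= _timestamp(e) <= deadline
        ]
        findings.append({
            "srcip": login["srcip"],
            "login_time": t0.isoformat(),
            "config_export": bool(exports),
            "severity": "critical" if exports else "high",
        })
    return findings


if __name__ == "__main__":
    # Trusted management ranges are a constructed assumption for the sample.
    for finding in find_suspicious_sessions(SAMPLE_LOGS, ["10.20.0.0/16"]):
        print(finding)
```

The trusted-range list is the same allowlist the article recommends enforcing on the management interface; if that restriction is in place, any SSO admin login from outside it is already anomalous, and the config-export correlation raises it to the highest priority for incident response.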

KEV Catalog and Federal Response

Recognizing the severity of the vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by December 23, 2025.

Conclusion and Future Outlook

The ongoing exploitation of these vulnerabilities underscores the importance of timely patching and robust network security measures. As the investigation into the origin and nature of this threat activity continues, it is crucial for organizations to remain vigilant and proactive in protecting their digital assets.