Fortinet, a leading vendor of network security appliances and firewalls, has issued an urgent warning that threat actors are actively exploiting serious vulnerabilities in multiple Fortinet products — including FortiOS SSL VPN and FortiGate appliances under SAML Single Sign-On (SSO) bypass attacks. The advisory highlights how cybercriminals are rapidly weaponizing both legacy and recently patched flaws, gaining unauthorized access and bypassing critical authentication protections just days after disclosure. Security teams are urged to patch immediately, adjust configurations, and review access controls to mitigate this real-world threat. Fortinet’s warning serves as a stark reminder that even well-established security infrastructure can become a target — especially when attackers exploit misconfigurations, authentication weaknesses, or vulnerabilities lingering from older software versions. What Fortinet Warned About In its December 2025 advisory, Fortinet confirmed that multiple products are under active exploitation due to critical security issues — including one that dates back over five years. The key flaw highlighted was CVE-2020-12812, an improper authentication vulnerability affecting FortiOS SSL VPN, which allows unauthorized login without triggering two-factor authentication (2FA) under specific configuration conditions. This vulnerability unfolds when: Local user entries with 2FA are configured to authenticate using a remote authentication method, such as LDAP, And Federated identity systems (e.g., LDAP groups with two-factor users) are used in conjunction with FortiOS policies. In such instances, if a username is entered with a variation in case sensitivity (e.g., “JSmith” vs “jsmith”), FortiOS may skip the local 2FA prompt entirely and authenticate against the remote directory instead — bypassing the second authentication factor and granting access based solely on correct LDAP credentials. In short, the flaw enables credential-only login where two-factor authentication was expected — allowing attackers to circumvent Fortinet’s security controls. The SAML SSO Bypass Exploits: A Fresh Threat In addition to the older SSL VPN issue, Fortinet also reported ongoing exploitation of critical authentication bypass vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719, which affect several Fortinet product lines when FortiCloud SSO (Single Sign-On) is enabled. These flaws, both with CVSS scores of 9.8 (Critical), allow attackers to forge malicious Security Assertion Markup Language (SAML) messages, tricking the system into granting unauthenticated access to administrative interfaces on Fortinet devices, including: FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager appliances. Even though FortiCloud SSO is disabled by default, security researchers and incident responders have observed that it may be automatically enabled during initial device registration with Fortinet’s service unless administrators explicitly disable it — inadvertently exposing units to attack. Arctic Wolf and other monitoring firms reported active exploitation attempts as early as December 12, 2025 — less than one week after Fortinet publicly documented the vulnerabilities. Attackers used crafted SAML payloads to bypass login screens and export system configuration data that may contain sensitive internal settings. Scope and Impact of the Exploitation The active attacks exploit authentication bypasses in Fortinet products used by thousands of organizations globally — including enterprise networks, VPN concentrators, and perimeter firewalls. The implications of these exploits are severe: Unauthorized Administrative Access If exploited, attackers can take control of firewall or VPN management interfaces, granting them administrative privileges. This could allow them to: Modify firewall rules Disable security controls Pivot deeper into internal networks Extract sensitive configuration files and hashed credentials Even though some stored credentials may be hashed, offline cracking remains feasible — especially if weak or reused passwords are present — further elevating the risk. Legacy Vulnerabilities Still Bite The SSL VPN weakness (CVE-2020-12812), first disclosed in 2020, shows how long-standing bugs can resurface in the wild when threat actors discover overlooked configurations, gain access to outdated systems, or accumulate enough contextual knowledge to weaponize flaws in new ways. This underscores a critical security lesson: legacy vulnerabilities can have a long tail of risk unless fully mitigated and monitored. Affected Products and Versions Fortinet’s warning and associated threat intelligence confirm that multiple products and versions are implicated. These include: FortiOS SSL VPN (affected versions prior to patched releases) in conjunction with LDAP authentication and two-factor configurations. FortiOS, FortiWeb, FortiProxy, FortiSwitchManager when FortiCloud SSO is enabled, exposed to SAML bypass attacks. ⚠ Note: While FortiCloud SSO is disabled by default, many devices may have inadvertently enabled it during initial setup or through FortiCare service registration — expanding the attack surface. Advisory and Response from Fortinet Fortinet has provided updated guidance to customers with the following core recommendations: ✔ Patch Immediately Customers are strongly urged to update affected systems to the latest software releases that correct both the legacy SSL VPN misconfiguration behavior and the modern authentication bypass flaws. ✔ Adjust Username-Sensitivity Settings For SSL VPN configurations vulnerable to CVE-2020-12812, administrators can mitigate the authentication bypass by enforcing consistent username case matching. Fortinet advises disabling username case sensitivity (set username-case-sensitivity disable) to ensure consistency between local and LDAP stores. ✔ Disable FortiCloud SSO When Not Needed Until patched, disabling FortiCloud SSO — particularly on devices where it was enabled by default during onboarding — reduces the risk of unauthorized access via SAML bypasses. ✔ Monitor for Indicators of Compromise Fortinet also recommends that organizations review management and authentication logs for signs of unusual login attempts or unauthorized admin access, especially involving SAML or LDAP authentication paths. Why Immediate Action Is Critical The combination of active exploitation, high severity scores, and versatile attack paths makes these vulnerabilities dangerous for many environments: Administrators could be compromised without triggering alerts: Attackers bypassing 2FA or SAML protections may leave little trace in conventional logs unless monitored expressly for deceptive authentication attempts. External attackers could gain internal access: If firewalls or VPN gateways are exposed to the internet, threat actors can exploit public access interfaces to gain privileged system control. Configuration and topological information may leak: Exported firewall configurations can reveal network architecture and policy rules, helping attackers plan follow-on intrusion phases. Stored credentials, once harvested, may be cracked offline: Hashes captured in configuration data can be attempted in offline cracking attacks against weak passwords over time. Broader Trend: Exploitation of Known Vulnerabilities The Fortinet advisory joins a growing list of actively exploited threats reported throughout 2025, where both old and newly disclosed flaws have been weaponized in the wild soon after disclosure. National and vendor-level cyber advisories have highlighted: Multiple Fortinet vulnerabilities added to the Know Exploited Vulnerabilities (KEV) catalog by U.S. CISA, including recent authentications bypasses. Ongoing attacks targeting web application firewalls like FortiWeb and SSL VPN infrastructure. The persistence of exploits for even older vulnerabilities that continue to pose risk for unpatched systems. This trend underscores the importance of a rapid patch management strategy, proactive vulnerability scanning, and comprehensive logging to detect misuse early. Expert Recommendations for Organizations To protect networks and infrastructure against active Fortinet exploits, security professionals recommend the following best practices: Ensure Timely Patch Deployment Apply all relevant Fortinet patches across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager as soon as possible to eliminate known exploit entry points. Harden Authentication Policies Review and enforce strict authentication configurations, disable unneeded SSO features, and enforce consistent username rules. Review Exposure of Management Interfaces Limit public internet exposure of management UIs and VPN endpoints, using firewalls, access control lists (ACLs), and zero trust perimeter defenses where feasible. Monitor Authentication Logs Deploy SIEM and log analytics tools to identify anomalous login attempts, unexpected user escalations, or unexplained SAML usage patterns. Incident Response Preparedness Prepare incident response playbooks to quickly isolate affected devices, preserve forensic evidence, and reset credentials if compromise is suspected. Final Thoughts: The Cost of Complacency The Fortinet active exploitation warning illustrates that cyber threats remain agile, capable of exploiting both legacy configuration mistakes and newly discovered authentication weaknesses in widely deployed security infrastructure. Security teams must adopt a defense-in-depth strategy — combining patch management, secure configurations, continuous monitoring, and rapid incident response — to stay ahead of adversaries who exploit even seemingly minor oversights. As this trend continues into 2026, organizations reliant on firewall, VPN, and web application firewall (WAF) platforms must treat vulnerability management as an ongoing imperative — because attackers clearly are. Post navigation CISA Flags Actively Exploited Digiever NVR Vulnerability Enabling Remote Code Execution — What You Need to Know LastPass 2022 Data Breach Fuels Years-Long Crypto Theft Campaign, Blockchain Forensics Reveals
