Threat Actors Use FortiCloud SSO Bypass to Collect LDAP Connection Passwords
Summary
CERT.at published technical findings on an active threat campaign targeting Fortinet FortiGate appliances using the CVE-2025-59718/CVE-2025-59719 SSO bypass vulnerabilities. The agency obtained an attacker toolkit revealing post-exploitation activities including LDAP/AD configuration extraction and password collection. Attackers possess the default FortiGate configuration encryption key, which remains static across all instances. CERT.at confirmed the exploit works against unpatched FortiGate 7.6.5 devices and recommends immediate activation of the 'private data encryption' feature to replace the default key.
Organizations running FortiGate appliances with LDAP or certificate-based authentication should treat this as an active exploitation scenario requiring immediate action. Even if patches are applied, the default static encryption key means prior configuration dumps could still yield usable LDAP passwords—rotation of affected credentials is the operative control. Organizations uncertain whether their configuration was accessed should assume compromise of LDAP bind credentials and initiate rotation immediately.
What changed
CERT.at released technical analysis of an attacker toolkit exploiting CVE-2025-59718/CVE-2025-59719 in Fortinet FortiGate appliances. The exploit bypasses FortiCloud SSO to extract LDAP/AD connection credentials stored in device configurations. The default static encryption key used across all FortiGate instances allows attackers to decrypt these credentials after obtaining a configuration dump. Organizations using FortiGate with LDAP regular bind mode are directly affected, as the collected credentials could enable further network compromise.
Affected parties should immediately audit LDAP configuration exposure, activate private data encryption to replace the default key, and restrict management interface accessibility. Patching alone is insufficient—credential rotation is recommended even on patched devices if a configuration leak is suspected. The mitigation step 'buys time' for credential rotation following any potential configuration exposure.
What to do next
- Activate the "private data encryption" feature in FortiGate devices
- Keep management interfaces inaccessible from the public internet
- Set a local-in policy to restrict access on the administrative interface
Archived snapshot
Apr 23, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
27.01.2026 17:10
Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords
CERT.at gained access to a toolkit of an unknown threat actor targeting FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing under TLP:CLEAR key findings about likely post-exploitation goals of the attacker.
The obtained exploit works only for the original vulnerability [1] and is not effective against patched devices. It is, however, known that the flaw still exists and affects all SSO setups in Fortinet appliances [2]. The exploit behavior is consistent with our previous publication.
The exploit targets FortiGate instances, and in the toolkit we found two scripts for post-exploitation analysis of the collected configuration dumps. The attacker:
- looks for the LDAP/AD configuration settings,
- is in possession of the default FortiGate configuration encryption key. The "regular bind" mode of LDAP/AD connection with FortiGate requires providing user credentials to the appliance [3], which FortiGate uses to establish the connection with the LDAP server. They are stored encrypted in the configuration, but by default the encryption key is static and the same on all instances. We were able to confirm that the key included in the attacker toolkit works on a fresh FortiGate 7.6.5 VM.
Note: in our tests we also confirmed that normal local user passwords can NOT be recovered. Our understanding is that only data the appliance itself must be able to recover in plaintext (the LDAP connection password for regular bind, private keys for certificates, etc.) can be decrypted.
Preventive recommendations
We strongly recommend activating the "private data encryption" feature [4] in FortiGate devices, which replaces the default encryption key. This step is also officially recommended by Fortinet as a hardening measure [5]. The encryption key has to be the same on all instances in an HA cluster. Using a custom encryption key helps to "buy time" for credential rotation after a configuration leak.
As always, CERT.at strongly recommends keeping management interfaces inaccessible from the public internet. In its latest blog post, Fortinet PSIRT recommends setting a local-in policy to restrict access to the administrative interface [6].
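As an added example (not CERT.at's or Fortinet's code), the Python walker below checks a FortiGate configuration backup for the two conditions discussed above: LDAP servers in regular bind mode with a stored bind password, whose credentials should be rotated after a suspected configuration leak, and whether private data encryption is enabled so that the static default key no longer applies. The sample configuration and its ENC value are constructed placeholders; the block assumes the standard FortiOS backup syntax (config/edit/set/next/end blocks).

```python
# Added example (not CERT.at's code): audit a FortiGate config backup for the two
# findings above. The sample dump is constructed; the ENC value is a placeholder.
SAMPLE_CONFIG = """\
config system global
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set type regular
        set password ENC PLACEHOLDER_ENCRYPTED_BLOB
    next
    edit "guest-ldap"
        set server "10.0.0.6"
    next
end
"""

def parse_config(text: str) -> dict:
    """Walk a FortiOS config: note private-data-encryption and each LDAP entry."""
    cfg = {"private_data_encryption": False, "ldap": {}}
    stack, current = [], None
    for words in (ln.split() for ln in text.splitlines() if ln.strip()):
        key, args = words[0], words[1:]
        if key == "config":
            stack.append(" ".join(args))
        elif key == "end":
            stack.pop()
        elif key == "edit" and stack[-1:] == ["user ldap"]:
            current = cfg["ldap"].setdefault(args[0].strip('"'),
                                             {"type": "simple", "password": False})
        elif key == "next":
            current = None
        elif key == "set" and stack[-1:] == ["system global"]:
            if args[0] == "private-data-encryption":
                cfg["private_data_encryption"] = args[1] == "enable"
        elif key == "set" and current is not None:
            if args[0] == "type":          # simple | anonymous | regular
                current["type"] = args[1]
            elif args[0] == "password":    # stored as 'set password ENC <blob>'
                current["password"] = True
    return cfg

def credentials_to_rotate(text: str) -> list:
    """Regular-bind LDAP servers with a stored password: rotate these after a leak."""
    ldap = parse_config(text)["ldap"]
    return sorted(n for n, s in ldap.items() if s["type"] == "regular" and s["password"])

def uses_default_key(text: str) -> bool:
    """True when private-data-encryption is off, so the static default key applies."""
    return not parse_config(text)["private_data_encryption"]
```

Run it over a real backup to get the list of LDAP bind accounts to rotate and a yes/no on whether the device still relies on the default key.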
References
[1] https://fortiguard.fortinet.com/psirt/FG-IR-25-647
[2] https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
[3] https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/102264/configuring-an-ldap-server
[4] https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-private-data-encryption-feature-on-a/ta-p/339071
[5] https://docs.fortinet.com/document/fortigate/7.6.0/best-practices/555436/hardening#SecurePassStorage
[6] https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/363127/local-in-policy
Written by: Kamil Mankowski
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CERT.at.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.