Security teams are being urged to act immediately following confirmation that two newly disclosed Fortinet vulnerabilities are being actively exploited in the wild, according to a critical emergent threat alert issued by Rapid7.
The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, carry critical CVSSv3 severity ratings and allow unauthenticated remote attackers to bypass authentication through the use of a crafted SAML message. Successful exploitation can grant attackers full administrative access to affected devices.
CVE-2025-59718 impacts FortiOS, FortiProxy and FortiSwitchManager, while CVE-2025-59719 affects FortiWeb. Rapid7 notes that both vulnerabilities stem from the same underlying flaw, differing only by product scope.
Although the affected FortiCloud Single Sign-On (SSO) administrative login feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the graphical user interface, unless administrators explicitly opt out. This behaviour significantly increases the attack surface across registered deployments.
Threat intelligence firm Arctic Wolf has confirmed active exploitation, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalogue on 16 December, signalling a heightened risk to organisations using affected products.
Observed attack activity shows threat actors authenticating as the administrator account and immediately downloading system configuration files. These files can contain hashed credentials and other sensitive information, meaning organisations that have been compromised should assume credential exposure and conduct full incident response procedures.
Fortinet has released patches addressing the vulnerabilities. In the interim, Rapid7 advises organisations to disable FortiCloud SSO administrative login where possible while remediation efforts are underway.
Security teams are encouraged to review device registration settings, assess exposure, and prioritise patch deployment, particularly in environments where Fortinet appliances are internet-facing or used in critical network infrastructure.