Over 25,000 Fortinet devices worldwide have been found with FortiCloud Single Sign-On (SSO) enabled, leaving them potentially exposed to remote attacks.
The finding stems from enhanced device fingerprinting in a new Device Identification report, which scanned global IP addresses and flagged these systems as openly advertising their SSO configuration.
FortiCloud SSO streamlines authentication for Fortinet’s ecosystem, including firewalls, switches, and access points like the FortiGate series. While convenient for enterprises, exposing this feature publicly can tip off attackers to probe for weaknesses.
The Shadowserver Foundation detected at least 25,000 unique IPs across regions, including North America, Europe, and Asia-Pacific. “This isn’t just noise; it’s a clear signal for exposed management interfaces,” the team noted in their advisory.
The exposure raises alarms amid recent Fortinet vulnerabilities. Notably, CVE-2025-59718 and CVE-2025-59719 are both rated high severity by CVSS and impact FortiCloud-integrated systems.
CVE-2025-59718 (CVSS 8.2) involves improper access controls in SSO endpoints, allowing remote unauthenticated attackers to bypass authentication under specific conditions. CVE-2025-59719 (CVSS 7.5) exploits weak session handling, enabling account takeover if combined with phishing or brute-force attempts.
Importantly, not every exposed device is vulnerable. Patching status, configuration nuances, and network segmentation play key roles. “Presence on our scan doesn’t confirm exploitation risk,” the researchers cautioned. “If you receive one of our exposure reports, immediately verify your FortiCloud SSO setup and apply patches.”
Fortinet released fixes in its December 2025 firmware updates (e.g., FortiOS 7.4.4 and 7.2.9), urging admins to disable public SSO exposure where possible.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiOS 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiOS 7.4 | 7.4.0 – 7.4.8 | 7.4.9+ |
| FortiOS 7.2 | 7.2.0 – 7.2.11 | 7.2.12+ |
| FortiOS 7.0 | 7.0.0 – 7.0.17 | 7.0.18+ |
| FortiProxy 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiProxy 7.4 | 7.4.0 – 7.4.10 | 7.4.11+ |
| FortiProxy 7.2 | 7.2.0 – 7.2.14 | 7.2.15+ |
| FortiProxy 7.0 | 7.0.0 – 7.0.21 | 7.0.22+ |
| FortiSwitchManager 7.2 | 7.2.0 – 7.2.6 | 7.2.7+ |
| FortiSwitchManager 7.0 | 7.0.0 – 7.0.5 | 7.0.6+ |
| FortiWeb 8.0 | 8.0.0 | 8.0.1+ |
| FortiWeb 7.6 | 7.6.0 – 7.6.4 | 7.6.5+ |
| FortiWeb 7.4 | 7.4.0 – 7.4.9 | 7.4.10+ |
Best practices include restricting FortiCloud access to VPN-only or private IPs, enabling multi-factor authentication (MFA), and monitoring logs for anomalous SSO traffic.
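
One way to apply the version table and the access-restriction advice above to a device inventory, as an added example (not code from Shadowserver or Fortinet). The inventory rows, field names and triage labels are assumptions made for this illustration.

```python
import ipaddress

# Last affected release per branch, copied from the table above
# (every affected range in the table starts at x.y.0).
LAST_AFFECTED = {
    "FortiOS": {"7.6": "7.6.3", "7.4": "7.4.8", "7.2": "7.2.11", "7.0": "7.0.17"},
    "FortiProxy": {"7.6": "7.6.3", "7.4": "7.4.10", "7.2": "7.2.14", "7.0": "7.0.21"},
    "FortiSwitchManager": {"7.2": "7.2.6", "7.0": "7.0.5"},
    "FortiWeb": {"8.0": "8.0.0", "7.6": "7.6.4", "7.4": "7.4.9"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(version):
    """'7.2.11' -> (7, 2, 11); tuples compare numerically, so 7.2.11 > 7.2.9."""
    return tuple(int(part) for part in version.split("."))

def is_affected(product, version):
    """True/False per the table, None when the product or branch is not listed."""
    branch = ".".join(version.split(".")[:2])
    last = LAST_AFFECTED.get(product, {}).get(branch)
    return None if last is None else parse(version) <= parse(last)

def triage(device):
    """Classify one inventory row by patch level, SSO state and management reachability."""
    affected = is_affected(device["product"], device["version"])
    if affected is None:
        return "review"   # not covered by the table, check by hand
    if not affected:
        return "fixed"
    if not device["sso_enabled"]:
        return "patch"    # affected build, FortiCloud SSO off
    addr = ipaddress.ip_address(device["mgmt_ip"])
    internal = any(addr in net for net in RFC1918)
    return "high" if internal else "urgent"  # urgent: SSO on, management not on a private IP

# Constructed inventory; hostnames and addresses are made up for this example.
INVENTORY = [
    {"host": "fw-edge-1", "product": "FortiOS", "version": "7.2.11", "sso_enabled": True, "mgmt_ip": "203.0.113.10"},
    {"host": "fw-core-1", "product": "FortiOS", "version": "7.2.12", "sso_enabled": True, "mgmt_ip": "203.0.113.11"},
    {"host": "proxy-1", "product": "FortiProxy", "version": "7.4.10", "sso_enabled": True, "mgmt_ip": "10.20.0.5"},
    {"host": "web-1", "product": "FortiWeb", "version": "7.4.9", "sso_enabled": False, "mgmt_ip": "192.168.1.8"},
    {"host": "fw-lab-1", "product": "FortiOS", "version": "6.4.15", "sso_enabled": True, "mgmt_ip": "10.0.0.9"},
]

def report(inventory=INVENTORY):
    """Map each host to its triage result."""
    return {d["host"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:10} {verdict}")
```

Versions are compared as integer tuples because a plain string comparison would sort 7.4.9 after 7.4.10 and report an affected FortiProxy build as fixed.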
Organizations should prioritize scans using tools like Shodan or the researchers’ service. Fortinet customers can query their support portal for tailored assessments. As cloud-managed security blurs lines between on-prem and remote access, vigilance remains critical to thwart remote threats.
