The Shadowserver Foundation has identified over 25,000 internet-facing Fortinet devices globally with FortiCloud Single Sign-On (SSO) functionality enabled, raising concerns about potential exposure to critical authentication bypass vulnerabilities.
The non-profit security organization recently added fingerprinting capabilities for these systems to its Device Identification reporting service, alerting network administrators to verify their security posture immediately.
Mass Exposure Discovered Through Global Scanning
Shadowserver’s latest scan results reveal at least 25,000 IP addresses worldwide hosting Fortinet devices configured with FortiCloud SSO enabled.
While not all exposed systems are necessarily vulnerable, the discovery highlights a significant attack surface that threat actors could exploit.
Organizations receiving exposure notifications from Shadowserver are urged to verify their patch status and implement security updates without delay.
The alert explicitly references CVE-2025-59718 and CVE-2025-59719, two critical authentication bypass vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products.
These flaws carry a CVSS v3 score of 9.1 and allow unauthenticated remote attackers to bypass FortiCloud SSO authentication through specially crafted SAML messages, potentially granting administrative access without credentials.
Security researchers emphasize that exposed FortiCloud SSO implementations create opportunities for unauthorized access to enterprise network infrastructure.
Attackers exploiting these vulnerabilities could gain complete administrative control over affected devices, leading to network compromise, data exfiltration, or deployment of additional malware.
Fortinet customers should immediately verify whether their devices appear in Shadowserver’s reporting and confirm patch status.
The vendor has released security updates for affected product versions, and organizations should prioritize upgrading to patched releases.
As a temporary mitigation, administrators can turn off FortiCloud SSO functionality in system settings or via CLI commands until patches are deployed.
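The article does not name the CLI setting involved, so the following added example (not Fortinet's or Shadowserver's code) assumes FortiCloud SSO admin login is controlled by `set admin-forticloud-sso-login {enable|disable}` under `config system global`. It audits a set of saved FortiGate configuration backups for devices where the setting is still enabled and prints the corresponding disable snippet; the sample backups are constructed.

```python
"""Flag FortiGate configuration backups that still have FortiCloud SSO
admin login enabled, and emit the CLI needed to turn it off.

Assumption (not stated in the article): the setting lives under
`config system global` as `set admin-forticloud-sso-login {enable|disable}`.
The backups below are constructed for illustration, not real exports.
"""
import re
from typing import Dict

SETTING = "admin-forticloud-sso-login"


def global_block(config_text: str) -> str:
    """Return the body of the `config system global` section, or '' if absent."""
    m = re.search(r"^config system global\n(.*?)^end\s*$", config_text, re.S | re.M)
    return m.group(1) if m else ""


def forticloud_sso_enabled(config_text: str) -> bool:
    """True when FortiCloud SSO admin login is explicitly set to enable.

    FortiOS backups omit values left at their default, so an absent line means
    "version default applies": confirm on the device with
    `show full-configuration system global` rather than treating it as disabled.
    """
    m = re.search(rf"^\s*set {SETTING}\s+(\S+)", global_block(config_text), re.M)
    return bool(m) and m.group(1).lower() == "enable"


def audit(backups: Dict[str, str]) -> Dict[str, bool]:
    """Map hostname -> True if SSO login is still enabled in that backup."""
    return {host: forticloud_sso_enabled(cfg) for host, cfg in backups.items()}


# Temporary mitigation from the article, expressed under the assumed setting name.
REMEDIATION_CLI = "config system global\n" f"    set {SETTING} disable\n" "end\n"

# Constructed sample backups (not real device exports).
SAMPLE_BACKUPS = {
    "fw-edge-01": 'config system global\n    set hostname "fw-edge-01"\n'
                  f"    set {SETTING} enable\nend\n",
    "fw-edge-02": 'config system global\n    set hostname "fw-edge-02"\n'
                  f"    set {SETTING} disable\nend\n",
    "fw-lab-03": 'config system global\n    set hostname "fw-lab-03"\nend\n',
}

if __name__ == "__main__":
    for host, enabled in audit(SAMPLE_BACKUPS).items():
        print(f"{host}: FortiCloud SSO {'ENABLED' if enabled else 'disabled or unset'}")
    print("\nTemporary mitigation until patched:\n" + REMEDIATION_CLI)
```

Devices reported as enabled should be patched or have the setting disabled; devices with the line absent need a live check because the backup alone does not prove the feature is off.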
The Shadowserver Foundation provides free security scanning reports to network owners worldwide, helping identify vulnerable or misconfigured systems before attackers discover them.
Organizations that have not registered for these notifications should consider doing so to receive timely alerts about exposed infrastructure.
