Threat actors actively exploit critical Fortinet vulnerabilities CVE-2025-59718 and CVE-2025-59719 to bypass FortiCloud SSO authentication on firewalls and proxies.
These flaws allow unauthenticated attackers to craft malicious SAML messages, gaining admin access on internet-exposed devices.
Fortinet disclosed them on December 9, 2025, with CVSS scores of 9.8, and CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog soon after.
The issues stem from improper cryptographic signature verification (CWE-347) in FortiCloud SSO.
Attackers target products like FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb when SSO is enabled, often automatically during FortiCare registration.
Exploitation creates backdoor accounts like “helpdesk” or logs in as “admin,” followed by config exports containing hashed credentials vulnerable to cracking.
Exploitation In The Wild
Activity surged from December 12, 2025, with Reddit reports and Arctic Wolf detections of identical patterns on FortiGate 7.4.9 devices.
Attackers from specific IPs performed SSO logins and downloaded configs. Over 25,000 devices were exposed online with SSO active.
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| FortiOS 7.6 | 7.6.0–7.6.3 | 7.6.4+ |
| FortiOS 7.4 | 7.4.0–7.4.8 | 7.4.9+ |
| FortiProxy 7.4 | 7.4.0–7.4.10 | 7.4.11+ |
| FortiWeb 7.6 | 7.6.0–7.6.4 | 7.6.5+ |
FortiOS 6.4 and FortiWeb 7.0/7.2 are unaffected.
Mitigation Steps
Disable FortiCloud SSO immediately via the CLI:

```
config system global
    set admin-forticloud-sso-login disable
end
```

Then patch urgently, audit logs for suspicious admin accounts, rotate credentials, and restrict management access to trusted networks. Assume compromise if IOCs match.
This campaign aligns with broader trends targeting network appliances, following similar Fortinet exploits like CVE-2024-21762.
Arctic Wolf notes repeated hits on exposed firewalls via search engines, urging SIEM integration for real-time admin change alerts.
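The mitigation steps above (check whether FortiCloud SSO is still enabled, audit logs for unexpected admin activity) and the SIEM alerting Arctic Wolf recommends can be turned into a small triage script. The following is an added example, not code from Fortinet, Arctic Wolf, or the article. The only value taken from the advisory is the `admin-forticloud-sso-login` setting name; the log field names (`logdesc`, `method`, `cfgpath`, `cfgobj`, `action`, `status`) and every sample line are constructed to resemble FortiOS key=value syslog and must be checked against the fields your own devices actually emit before the rules are trusted.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of a FortiOS-style config export. The setting name comes
# from the advisory; the surrounding structure is an assumption.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login enable
    set timezone 26
end
config system admin
    edit "admin"
    next
end
"""

# Constructed sample log lines (field names assumed, IPs from the documentation
# range). They model the reported pattern: SSO admin login, new admin account,
# configuration export; the last line is ordinary local-admin activity.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 devname="FGT-EDGE-01" type=event subtype=system '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" '
    'method="sso" srcip=203.0.113.10 action=login status=success',
    'date=2025-12-12 time=03:15:22 devname="FGT-EDGE-01" type=event subtype=system '
    'logdesc="Object configured" user="admin" ui="https(203.0.113.10)" '
    'cfgpath="system.admin" cfgobj="helpdesk" action="Add"',
    'date=2025-12-12 time=03:16:40 devname="FGT-EDGE-01" type=event subtype=system '
    'logdesc="Configuration backup" user="admin" ui="https(203.0.113.10)" '
    'action="backup" status=success',
    'date=2025-12-12 time=09:00:01 devname="FGT-EDGE-01" type=event subtype=system '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.5.4)" '
    'method="local" srcip=10.0.5.4 action=login status=success',
]


def forticloud_sso_setting(config_text: str) -> Optional[str]:
    """Return the value set for admin-forticloud-sso-login inside
    'config system global', or None if the block never sets it explicitly
    (treat None as 'verify on the device', not as 'disabled')."""
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
            continue
        if in_global and line == "end":
            break
        if in_global:
            m = re.match(r"set admin-forticloud-sso-login (\w+)$", line)
            if m:
                return m.group(1)
    return None


# key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value syslog line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def triage(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag the three events the campaign chains together. Field names are
    assumptions; adjust them to the real log schema of your firmware."""
    findings = []
    for line in log_lines:
        ev = parse_kv(line)
        user = ev.get("user", "?")
        src = ev.get("srcip") or ev.get("ui", "?")
        # 1. Administrative login whose auth method is SSO rather than local.
        if ev.get("action") == "login" and "sso" in ev.get("method", "").lower():
            findings.append({"rule": "sso_admin_login", "user": user, "src": src})
        # 2. A new administrator object being created (e.g. the reported "helpdesk").
        if ev.get("cfgpath") == "system.admin" and ev.get("action", "").lower() == "add":
            findings.append({"rule": "admin_account_added",
                             "user": ev.get("cfgobj", "?"), "by": user, "src": src})
        # 3. Successful configuration export, which carries hashed credentials.
        if "backup" in ev.get("logdesc", "").lower() and ev.get("status") == "success":
            findings.append({"rule": "config_export", "user": user, "src": src})
    return findings


if __name__ == "__main__":
    print("admin-forticloud-sso-login =", forticloud_sso_setting(SAMPLE_CONFIG))
    for f in triage(SAMPLE_LOGS):
        print(f)
```

Feed `triage` the event logs from the suspected window (from December 12, 2025 onward per the reports) and escalate any device where an SSO admin login is followed by an admin add or a config export; in a SIEM the same three conditions become correlation rules on the admin-change events the article recommends alerting on.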
As of January 2026, exploitation persists despite patches, with threat actors refining tactics against upgraded systems.
Enterprises face heightened risks from weak SSO configs, emphasizing least-privilege access and zero-trust segmentation.
Fortinet continues forensics led by PSIRT’s Carl Windsor, promising enhanced logging in future releases. Monitor CISA KEV updates and vendor advisories closely.
