Critical Fortinet Flaws Under Active Attack
Summary
CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) list after evidence of active exploitation. Fortinet disclosed two critical authentication-bypass flaws (CVE-2025-59718 and CVE-2025-59719; CVSS 9.1) affecting FortiOS, FortiWeb, FortiProxy and FortiSwitchManager. The vulnerabilities let unauthenticated actors bypass SSO authentication via specially crafted SAML messages when FortiCloud SSO is enabled, potentially granting admin control of affected devices. Researchers observed attacks beginning around 12 December that targeted admin accounts and exported device configurations — including hashed credentials — to attacker-controlled hosts.
Key Points
- CISA added CVE-2025-59718 to its KEV catalogue due to active exploitation.
- The flaws (CVE-2025-59718 and CVE-2025-59719) enable SSO authentication bypass via malformed SAML messages when FortiCloud SSO is enabled.
- Attack activity was observed from 12 December, quickly following Fortinet’s 9 December disclosure.
- Intrusions targeted admin accounts and exfiltrated device configuration files containing hashed credentials and topology details.
- Fortinet has released patches (FortiOS 7.6.4, 7.4.9, 7.2.12, 7.0.18+ and fixes for FortiProxy, FortiSwitchManager and FortiWeb). Some older versions are unaffected.
- Immediate mitigations: disable FortiCloud SSO, restrict or disable HTTP/HTTPS admin access, limit admin access to trusted IPs and assume credentials may be compromised (rotate/reset as needed).
- Organisations with exposed management interfaces face elevated risk; attackers can create rogue accounts, modify policies and establish VPN tunnels for lateral movement.
Context and relevance
Management interfaces on perimeter devices are high-value targets because they control firewall policies, VPN access and traffic routing. These Fortinet flaws follow a common pattern: SSO/identity-related cryptographic verification errors that allow threat actors to escalate to full administrative control without valid credentials. The rapid transition from disclosure to observed exploitation underscores how quickly threat actors weaponise such issues. For security teams, this ties into broader trends of targeting network-management planes and leveraging exposed internet-facing admin interfaces for large-scale compromise.
Why should I read this?
Short answer: because if you run Fortinet kit, this could let someone admin your whole network and nick your configs. Patches exist, but attackers moved fast — so check your devices now, disable FortiCloud SSO if you can, lock down admin access, and assume any leaked creds might be cracked. In other words: don’t wait for a breach to find out.