Criminals are exploiting two critical vulnerabilities within FortiCloud to break into devices and steal configuration data.
Two previously discovered vulnerabilities within the Fortinet ecosystem are being actively exploited. These are CVE-2025-59718 and CVE-2025-59719 Both bugs relate to FortiCloud SSO (single sign-on) and an incorrect way in which cryptographic signatures are handled in SAML messages. They affect FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.
Arctic Wolf is again warning about active exploitation of the vulnerabilities. Cybercriminals are said to have shown renewed interest in it since January 15. The attack method is identical to campaigns that took place in December. This means that many Fortinet customers have not yet patched their systems.
Preparation for further attacks
When FortiCloud SSO is enabled, criminals can exploit the bugs. SSO is not enabled by default, but that changes when administrators add their Fortinet devices via the FortiCare user interface.
Security researchers at Arctic Wolf already discovered in December how hackers are abusing the bugs to gain access to administrator accounts within Fortinet environments. Once they have obtained administrator access, they download system configuration files via the web management interface. A month later, the security company sees the same thing happening.
read also
FortiWeb Plagued by Vulnerabilities
These files are valuable for potential follow-up attacks. They contain the layout of the network, information about solutions connected to the internet, firewall policies and even (hashed) passwords. With this information, hackers can get to work to break deeper into corporate networks in a targeted manner to cause more damage.
Update already available
Fortinet already warned customers about the bugs on December 9, and made the necessary updates available. As is often the case, the hackers are therefore exploiting bugs for which a patch already exists, which in many cases has not yet been implemented by administrators.
Now that attackers are effectively exploiting the vulnerabilities, patching is more important than ever. The following versions of Fortinet software are secure, older versions are not:
- FortiOS: 7.6.4+, 7.4.9+, 7.2.12+ and 7.0.18+
- FortiProxy: 7.6.4+, 7.4.11+, 7.2.15+ and 7.0.22+
- FortiSwitchManager: 7.2.7+ and 7.0.6+
- FortiWeb: 8.0.1+, 7.6.5+ and 7.4.10+
If updating is not immediately possible for some reason, administrators should temporarily disable the login function of FortiCloud. This can be done via System and Settings where you should set Allow administrative login using FortiCloud SSO to Off. Patching your firewalls offers the best security in any scenario.
This article originally appeared on December 17, 2025 and has been updated with the latest information.