Hackers actively exploit vulnerability in Fortinet beyond known vulnerability

Criminals are exploiting two critical vulnerabilities within FortiCloud to break into devices and steal configuration data.

Two previously discovered vulnerabilities within the Fortinet ecosystem are being actively exploited: CVE-2025-59718 and CVE-2025-59719. Both bugs concern FortiCloud SSO (single sign-on) and the incorrect handling of cryptographic signatures in SAML messages. They affect FortiOS, FortiProxy, FortiSwitchManager and FortiWeb.

Preparation for further attacks

When FortiCloud SSO is enabled, criminals can exploit the bugs. SSO is not enabled by default, but that changes when administrators add their Fortinet devices via the FortiCare user interface.

Security researchers at Arctic Wolf discovered how hackers are exploiting the bugs to gain access to administrator accounts within Fortinet environments. Once they have gained administrator access, they download system configuration files via the web management interface.

These files are valuable for potential follow-up attacks. They contain the layout of the network, information about solutions connected to the internet, firewall policies and even (hashed) passwords. With this information, attackers can work their way deeper into corporate networks in a targeted manner and cause more damage.

Update already available

Fortinet already warned customers about the bugs on December 9 and made the necessary updates available. As is often the case, the attackers are therefore exploiting bugs for which a patch already exists but which many administrators have not yet applied.

Now that attackers are actively exploiting the vulnerabilities, patching is more important than ever. The following versions of Fortinet software are patched; older versions are not:

  • FortiOS: 7.6.4+, 7.4.9+, 7.2.12+ and 7.0.18+
  • FortiProxy: 7.6.4+, 7.4.11+, 7.2.15+ and 7.0.22+
  • FortiSwitchManager: 7.2.7+ and 7.0.6+
  • FortiWeb: 8.0.1+, 7.6.5+ and 7.4.10+
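As an added example (not code from the article or from Fortinet), the following Python helper checks a device inventory against the fixed versions listed above, branch by branch, so that a 7.4.x device is compared with the 7.4 fix rather than with the newest release. The fixed-version table is taken from the list above; the sample inventory and the decision to report versions from branches not in the list as "unknown" rather than as safe are this example's own assumptions.

```python
import re

# Minimum fixed versions per product and release branch, as listed in the
# article above; Fortinet's own advisory remains the authoritative source.
FIXED_VERSIONS = {
    "FortiOS": ["7.6.4", "7.4.9", "7.2.12", "7.0.18"],
    "FortiProxy": ["7.6.4", "7.4.11", "7.2.15", "7.0.22"],
    "FortiSwitchManager": ["7.2.7", "7.0.6"],
    "FortiWeb": ["8.0.1", "7.6.5", "7.4.10"],
}

def parse_version(version):
    """Turn '7.4.9' (or 'v7.4.9') into a comparable tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(product, version):
    """True if at/above the fix of its own branch, False if older, None if the
    branch is not listed. Treating None as 'check the vendor advisory' rather
    than 'safe' is this example's assumption, not something the article says."""
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        raise KeyError(f"product not covered by the advisory: {product!r}")
    major, minor, patch = parse_version(version)
    for fixed in branches:
        f_major, f_minor, f_patch = parse_version(fixed)
        if (major, minor) == (f_major, f_minor):
            return patch >= f_patch
    return None

def triage(inventory):
    """Partition (hostname, product, version) tuples for follow-up."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, product, version in inventory:
        state = is_patched(product, version)
        key = "patched" if state else "unpatched" if state is False else "unknown"
        result[key].append(host)
    return result

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.9"),
    ("fw-edge-02", "FortiOS", "7.4.8"),
    ("proxy-01", "FortiProxy", "7.2.15"),
    ("waf-01", "FortiWeb", "7.6.4"),
    ("fw-lab", "FortiOS", "6.4.15"),
]
```

Calling `triage(SAMPLE_INVENTORY)` places fw-edge-01 and proxy-01 under "patched", fw-edge-02 and waf-01 under "unpatched", and fw-lab under "unknown" because no 6.4 fix appears in the list.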

If updating is not possible for one reason or another, administrators must temporarily disable the FortiCloud login function. This can be done under System > Settings, where "Allow administrative login using FortiCloud SSO" needs to be set to Off.