SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

In-the-Wild Exploitation of Fresh Fortinet Flaws Begins

Threat actors are exploiting the two critical authentication bypass vulnerabilities against FortiGate appliances.
Fortinet vulnerability

Threat actors have started exploiting two recent Fortinet vulnerabilities only days after patches were released, Arctic Wolf warns.

The two flaws, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.8), are described as improper verification of cryptographic signature issues impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Fortinet rolled out fixes for the two bugs on December 9, warning that they can be exploited via crafted SAML response messages to bypass the FortiCloud SSO login authentication.

While disabled in default factory settings, SSO login authentication is enabled when an administrator registers a new device to FortiCare, unless they specifically disable the feature from the registration page.

Arctic Wolf says it observed threat actors exploiting the critical-severity authentication bypass defects starting December 12, only three days after patches were released.

As part of the observed intrusions, the malicious SSO logins on FortiGate devices typically targeted the admin account and originated from multiple hosting providers.

Advertisement. Scroll to continue reading.

Following successful logins, the threat actors exported device configurations via the GUI interface.

The configuration files, Arctic Wolf points out, contain hashed credentials, and threat actors are known to crack the hashes offline.

Administrators are advised to hunt for potential malicious activity and to reset credentials if any is discovered. Access to the firewall management interface should be restricted to trusted internal networks.

Patches for the exploited Fortinet vulnerabilities were included in FortiOS versions 7.6.4, 7.4.9, 7.2.12, and 7.0.18, FortiProxy versions 7.6.4, 7.4.11, 7.2.15, and 7.0.22, FortiSwitchManager versions 7.2.7 and 7.0.6, and FortiWeb versions 8.0.1, 7.6.5, and 7.4.10.

Fortinet recommends disabling the ‘Allow administrative login using FortiCloud SSO’ feature to prevent exploitation.

Related: Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery

Related: Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw

Related: Gladinet CentreStack Flaw Exploited to Hack Organizations

Related: Recent GeoServer Vulnerability Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: A Step-by-Step Approach to AI Governance
April 28, 2026

With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment.

Register

Virtual Event: Threat Detection and Incident Response Summit
May 20, 2026

Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.

Register

People on the Move

Chris Sistrunk has been promoted to Practice Leader for Mandiant's OT Security Consulting.

Nudge Security has appointed Patrick Dillon as its Chief Revenue Officer.

AutoNation has appointed Brian Fricke as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.