SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

In-the-Wild Exploitation of Fresh Fortinet Flaws Begins

Threat actors are exploiting the two critical authentication bypass vulnerabilities against FortiGate appliances.
Fortinet vulnerability

Threat actors have started exploiting two recent Fortinet vulnerabilities only days after patches were released, Arctic Wolf warns.

The two flaws, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.8), are described as improper verification of cryptographic signature issues impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Fortinet rolled out fixes for the two bugs on December 9, warning that they can be exploited via crafted SAML response messages to bypass the FortiCloud SSO login authentication.

While disabled in default factory settings, SSO login authentication is enabled when an administrator registers a new device to FortiCare, unless they specifically disable the feature from the registration page.

Arctic Wolf says it observed threat actors exploiting the critical-severity authentication bypass defects starting December 12, only three days after patches were released.

As part of the observed intrusions, the malicious SSO logins on FortiGate devices typically targeted the admin account and originated from multiple hosting providers.

Advertisement. Scroll to continue reading.

Following successful logins, the threat actors exported device configurations via the GUI interface.

The configuration files, Arctic Wolf points out, contain hashed credentials, and threat actors are known to crack the hashes offline.

Administrators are advised to hunt for potential malicious activity and to reset credentials if any is discovered. Access to the firewall management interface should be restricted to trusted internal networks.

Patches for the exploited Fortinet vulnerabilities were included in FortiOS versions 7.6.4, 7.4.9, 7.2.12, and 7.0.18, FortiProxy versions 7.6.4, 7.4.11, 7.2.15, and 7.0.22, FortiSwitchManager versions 7.2.7 and 7.0.6, and FortiWeb versions 8.0.1, 7.6.5, and 7.4.10.

Fortinet recommends disabling the ‘Allow administrative login using FortiCloud SSO’ feature to prevent exploitation.

Related: Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery

Related: Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw

Related: Gladinet CentreStack Flaw Exploited to Hack Organizations

Related: Recent GeoServer Vulnerability Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: How Modern Breaches Bypass MFA and Evade Detection
June 17, 2026

Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes.

Register

Webinar: Modern Exposure Validation in the AI Era
June 24, 2026

AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program.

Register

People on the Move

SolarWinds has appointed Justin Henkel as Chief Information Security Officer.

J. Paul Haynes has joined Cinchy as Chief Executive Officer.

Hatem Naguib has become Chief Executive Officer at Sysdig.

More People On The Move

Expert Insights

No Exploits Required

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Popular Topics

Security Community

Stay Intouch

About SecurityWeek

News Tips

Got a confidential news tip? We want to hear from you.

Submit Tip

Advertising

Reach a large audience of enterprise cybersecurity professionals

Contact Us

Daily Briefing Newsletter

Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.