Vulnerabilities

In-the-Wild Exploitation of Fresh Fortinet Flaws Begins

Threat actors are exploiting the two critical authentication bypass vulnerabilities against FortiGate appliances.

Published

Fortinet vulnerability

Threat actors have started exploiting two recent Fortinet vulnerabilities only days after patches were released, Arctic Wolf warns.

The two flaws, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.8), are described as improper verification of cryptographic signature issues impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Fortinet rolled out fixes for the two bugs on December 9, warning that they can be exploited via crafted SAML response messages to bypass the FortiCloud SSO login authentication.

While disabled in default factory settings, SSO login authentication is enabled when an administrator registers a new device to FortiCare, unless they specifically disable the feature from the registration page.

Arctic Wolf says it observed threat actors exploiting the critical-severity authentication bypass defects starting December 12, only three days after patches were released.

As part of the observed intrusions, the malicious SSO logins on FortiGate devices typically targeted the admin account and originated from multiple hosting providers.

Advertisement. Scroll to continue reading.

Following successful logins, the threat actors exported device configurations via the GUI interface.

The configuration files, Arctic Wolf points out, contain hashed credentials, and threat actors are known to crack the hashes offline.

Administrators are advised to hunt for potential malicious activity and to reset credentials if any is discovered. Access to the firewall management interface should be restricted to trusted internal networks.

Patches for the exploited Fortinet vulnerabilities were included in FortiOS versions 7.6.4, 7.4.9, 7.2.12, and 7.0.18, FortiProxy versions 7.6.4, 7.4.11, 7.2.15, and 7.0.22, FortiSwitchManager versions 7.2.7 and 7.0.6, and FortiWeb versions 8.0.1, 7.6.5, and 7.4.10.

Fortinet recommends disabling the ‘Allow administrative login using FortiCloud SSO’ feature to prevent exploitation.

Related: Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery

Related: Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw

Related: Gladinet CentreStack Flaw Exploited to Hack Organizations

Related: Recent GeoServer Vulnerability Exploited in Attacks

In this article:, , ,

Related Content

Fortinet patches

Malware & Threats

FortiBleed: 86,000 Fortinet Device Credentials Compromised

The large-scale credential theft campaign hit roughly half of the internet-accessible Fortinet firewalls and VPNs.

2 hours ago

Vulnerabilities

Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure

CISA has given federal agencies only three days to patch CVE-2026-20253, which can be exploited for unauthenticated remote code execution.

9 hours ago

Vulnerabilities

Atlassian, Splunk Patch Critical Vulnerabilities

Splunk patched an OS command injection in AI Toolkit, while Atlassian fixed dozens of flaws in third-party dependencies.

1 day ago

Network Security

Critical Command Execution Vulnerability Patched in Cisco ISE

Insufficient validation of user input allows an attacker to gain access to the underlying OS and elevate their privileges to root.

1 day ago

Vulnerabilities

F5 Patches Critical, High-Severity NGINX Vulnerabilities

Critical flaws in NGINX could allow remote, unauthenticated attackers to cause a restart and potentially execute arbitrary code.

1 day ago

ICS/OT

Rockwell Automation Patches Vulnerabilities in ICS Controllers and Software

The industrial automation giant has fixed security holes in Logix, CompactLogix, Flex, RSLinx, and FactoryTalk products.

2 days ago

Vulnerabilities

Oracle’s Second Monthly Security Updates Deliver 245 Patches 

Oracle has released its June 2026 Critical Security Patch Update to fix vulnerabilities in Communications, EBS, Enterprise Manager and other products.

2 days ago

Vulnerabilities

Chrome and Firefox Updated to Patch Critical, High-Severity Vulnerabilities

The browser updates address multiple memory safety bugs that could potentially lead to remote code execution.

2 days ago

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version