Two Fortinet vulnerabilities are being exploited in the wild – patch now
Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
Security researchers have urged enterprises to take immediate action to mitigate two recently disclosed Fortinet vulnerabilities.
The two flaws - CVE-2025-59718 and CVE-2025-59719 - carry a critical CVSSv3 score and are being actively exploited in the wild. They were initially discovered and reported by Yonghui Han and Theo Leleu of the Fortinet Product Security team.
They allow an unauthenticated remote attacker to bypass authentication using a crafted Security Assertion Markup Language (SAML) message, ultimately gaining administrative access to the device.
According to Rapid7, the two CVEs currently appear to have the same root cause, but are set apart by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.
While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it's automatically enabled when a device is registered to FortiCare via the graphical user interface, unless an administrator explicitly opts out.
Active exploitation was confirmed by Arctic Wolf earlier this week, with CVE-2025-59718 added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.
US federal civilian agencies have been ordered to fix the flaw by December 23.
Hackers pounce on Fortinet vulnerabilities
Threat actors have been spotted authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials and other sensitive information.
Arctic Wolf said that the malicious SSO logins on FortiGate devices originated from a handful of hosting providers: The Constant Company, Bl Networks, and Kaopu Cloud Hk. Following the malicious SSO logins, it said, configurations were exported to the same IP addresses via the GUI. There's no word yet on which group or groups may be behind the attacks.
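The observed pattern (an SSO admin login followed shortly by a configuration export to the same source IP) is something defenders can hunt for in their own device logs. The script below is an added example, not code from the article, Arctic Wolf or Rapid7; the FortiGate-style key=value log lines are constructed, and the field names and values used for matching (`method="sso"`, `action="download"`, the "Configuration backup" message) are assumptions to be adjusted to the log schema of the firmware actually in use.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate-style key=value event lines (not real captures).
# Field names and values are assumed for illustration.
SAMPLE_LOGS = """\
date=2025-12-15 time=09:12:01 type="event" subtype="system" action="login" status="success" user="admin" method="sso" srcip="203.0.113.10"
date=2025-12-15 time=09:12:44 type="event" subtype="system" action="download" msg="Configuration backup" user="admin" srcip="203.0.113.10"
date=2025-12-15 time=10:05:13 type="event" subtype="system" action="login" status="success" user="admin" method="https" srcip="10.0.0.5"
date=2025-12-15 time=11:40:02 type="event" subtype="system" action="login" status="success" user="admin" method="sso" srcip="198.51.100.7"
date=2025-12-15 time=13:00:00 type="event" subtype="system" action="download" msg="Configuration backup" user="admin" srcip="198.51.100.7"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def event_time(ev):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")

def find_sso_config_exports(log_text, window_minutes=30):
    """Return (srcip, login_time, export_time) for every successful SSO admin
    login that is followed, from the same source IP, by a configuration
    download within window_minutes. Logins over other methods are ignored."""
    window = timedelta(minutes=window_minutes)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    sso_logins = [e for e in events if e.get("action") == "login"
                  and e.get("method") == "sso" and e.get("status") == "success"]
    downloads = [e for e in events if e.get("action") == "download"
                 and "Configuration backup" in e.get("msg", "")]
    hits = []
    for login in sso_logins:
        t0 = event_time(login)
        for dl in downloads:
            t1 = event_time(dl)
            # Same source IP and export after the login, inside the window
            if dl["srcip"] == login["srcip"] and t0 <= t1 <= t0 + window:
                hits.append((login["srcip"], t0, t1))
    return hits

if __name__ == "__main__":
    for ip, t0, t1 in find_sso_config_exports(SAMPLE_LOGS):
        print(f"ALERT: SSO admin login from {ip} at {t0:%H:%M:%S}, "
              f"config exported at {t1:%H:%M:%S}")
```

On the constructed sample only the 203.0.113.10 sequence fires with the default 30-minute window; the second SSO login is followed by an export 80 minutes later, so widening the window is a tuning decision rather than a change to the logic.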
Rapid7 revealed it has also observed attempts to exploit CVE-2025-59718 against honeypots within its network.
"A proof-of-concept exploit that resembles the observed honeypot requests has been posted to GitHub," the company said. "Rapid7 is in the process of validating these exploits against the confirmed vulnerable targets."
The company said that organizations with indicators of compromise should assume that credentials have been exposed and respond accordingly.
Fortinet patches are available
Earlier this month, Fortinet published an advisory outlining remediation steps for the two vulnerabilities. A vendor patch is available, and organizations can also take immediate defensive action by disabling FortiCloud SSO administrative login while remediation efforts are being put in place.
Organizations where Fortinet appliances are internet-facing or used in critical network infrastructure should move particularly quickly, the company said.
Arctic Wolf recommends that affected users reset firewall credentials, limit access to the management interfaces of firewall and VPN appliances to trusted internal users only, and upgrade to the latest fixed version.
ITPro approached Fortinet for comment on the Arctic Wolf and Rapid7 advisories, but received no response by the time of publication.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.