Exploitation Wave
Security Patch Release
FortiGate FortiCloud SSO bypass exploitation
Updated 19.12.2025 17:00
Top contributors
- Exploitation Wave: active exploitation of FortiGate appliances with confirmed malicious SSO logins and post-login configuration export.
- Security Patch Release: Fortinet's December fixes and mitigation guidance for the same CVEs support the response narrative.
Active exploitation
Patch available
CVSS: 9.8 Critical
First seen 09.12.2025 20:36
Last seen 16.12.2025 12:58
Overview
**FortiGate** appliances are under active exploitation through **CVE-2025-59718** and **CVE-2025-59719**, which bypass **FortiCloud SSO** on devices that have the feature enabled. Arctic Wolf observed malicious **admin** logins and follow-on configuration exports, showing that the flaws are being used to gain real access rather than merely being tested after disclosure.
Fortinet has patched **FortiOS**, **FortiWeb**, **FortiProxy**, and **FortiSwitchManager** and told administrators to disable **FortiCloud SSO** until systems are upgraded. **CISA** added the issues to its catalog of actively exploited vulnerabilities with a **December 23** deadline for U.S. government agencies, but the available evidence does not quantify how many exposed devices have been secured.
Attackers are exploiting **FortiGate** appliances through **CVE-2025-59718** and **CVE-2025-59719** after Fortinet disclosed fixes for the authentication-bypass flaws. The attacks use crafted **SAML** messages against **FortiCloud SSO** when the feature is enabled, and malicious logins have been observed on the **admin** account. Observed source IPs were associated with hosting providers including **The Constant Company LLC**, **BL Networks**, and **Kaopu Cloud HK Limited**. After access is gained, the attackers export the device configuration through the web interface, which can expose credentials, network details, and firewall policy data.
Fortinet released updates for **FortiOS**, **FortiWeb**, **FortiProxy**, and **FortiSwitchManager** and advised administrators to disable **FortiCloud SSO** until systems are upgraded. The same flaws were added to **CISA**'s list of actively exploited vulnerabilities, with a **December 23** deadline for U.S. government agencies under **BOD 22-01**. Shadowserver reported more than **25,000** exposed Fortinet devices with a FortiCloud SSO fingerprint, including over **5,400** in the United States and nearly **2,000** in India, but the available evidence does not show how many of those devices have been secured.
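As an added illustration of the post-login behaviour described above (not code from the original report or from Fortinet), the following Python flags an SSO admin login that is followed by a configuration export from the same source address within a short window. The key=value log layout, the field names (logdesc, user, srcip, method) and the sample lines are constructed assumptions in the style of FortiOS event logs; map them to the fields in your own export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a FortiOS-style key=value layout. The field
# names are assumptions for this example, not a documented FortiOS schema.
SAMPLE_LOG = """\
date=2025-12-09 time=20:36:10 logdesc="Admin login successful" user="admin" srcip=203.0.113.7 method="sso"
date=2025-12-09 time=20:38:02 logdesc="Configuration backup" user="admin" srcip=203.0.113.7 method="https"
date=2025-12-10 time=08:15:00 logdesc="Admin login successful" user="netops" srcip=10.0.0.5 method="https"
date=2025-12-10 time=08:20:31 logdesc="Configuration backup" user="netops" srcip=10.0.0.5 method="https"
date=2025-12-11 time=11:05:44 logdesc="Admin login successful" user="admin" srcip=198.51.100.9 method="sso"
"""

# key=value pairs, value either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_sso_export_sequences(log_text, window_minutes=30):
    """Return one dict per SSO admin login that is followed, from the same
    source IP and within window_minutes, by a configuration export."""
    sso_logins = []  # (timestamp, srcip, user) of logins that came via SSO
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        if ev.get("logdesc") == "Admin login successful" and ev.get("method") == "sso":
            sso_logins.append((ts, ev["srcip"], ev["user"]))
        elif ev.get("logdesc") == "Configuration backup":
            for login_ts, ip, user in sso_logins:
                if ip == ev["srcip"] and timedelta(0) <= ts - login_ts <= timedelta(minutes=window_minutes):
                    hits.append({"srcip": ip, "user": user, "login": login_ts, "export": ts})
    return hits


if __name__ == "__main__":
    for hit in find_sso_export_sequences(SAMPLE_LOG):
        print(f"SSO login by {hit['user']} from {hit['srcip']} at {hit['login']} "
              f"followed by config export at {hit['export']}")
```

A console login followed by an export (the netops lines) is not flagged, since the pivot here is the SSO login path; tune the window to your environment.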