Exploitation Wave
Security Patch Release
FortiGate FortiCloud SSO bypass exploitation
Updated 19.12.2025 17:00
Case score 62
Score breakdown
- Total: 62
- Lead score: 62
- Support bonus: +0 / 20
- Scoring support: 0
- Context members: 1
Top contributors
- Exploitation Wave (base): Active exploitation of FortiGate appliances with confirmed malicious SSO logins and post-login configuration export.
- Security Patch Release (context): Fortinet's December fixes and mitigation guidance for the same CVEs support the response narrative.
Members 2
Latest activity 19.12.2025 17:00
Active exploitation
Patch available
CVSS: 9.8 Critical
First seen 09.12.2025 20:36
Last seen 16.12.2025 12:58
Overview
**FortiGate** appliances are under active exploitation through **CVE-2025-59718** and **CVE-2025-59719**, which bypass **FortiCloud SSO** on devices that have the feature enabled. Arctic Wolf observed malicious **admin** logins and follow-on configuration exports, showing that the flaws are being used for real access rather than only disclosure testing.
Fortinet has patched **FortiOS**, **FortiWeb**, **FortiProxy**, and **FortiSwitchManager** and told administrators to disable **FortiCloud SSO** until systems are upgraded. **CISA** added the issues to its actively exploited catalog with a **December 23** deadline for U.S. government agencies, while available evidence does not quantify how many exposed devices have been secured.
Attackers are exploiting **FortiGate** appliances through **CVE-2025-59718** and **CVE-2025-59719** after Fortinet disclosed fixes for the authentication-bypass flaws. The abuse uses crafted **SAML** messages against **FortiCloud SSO** when it is enabled, and malicious logins have been seen on the **admin** account. Observed source IPs were associated with hosting providers including **The Constant Company llc**, **Bl Networks**, and **Kaopu Cloud Hk Limited**. After access is gained, the attackers export device configuration through the web interface, which can expose credentials, network details, and firewall policy data.
Fortinet released updates for **FortiOS**, **FortiWeb**, **FortiProxy**, and **FortiSwitchManager** and advised administrators to disable **FortiCloud SSO** until systems are upgraded. The same flaws were added to **CISA**'s actively exploited list, with a **December 23** deadline for U.S. government agencies under **BOD 22-01**. Shadowserver reported more than **25,000** exposed Fortinet devices with a FortiCloud SSO fingerprint, including over **5,400** in the United States and nearly **2,000** in India, but available evidence does not show how many of those devices have been secured.
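As an added example (not code from the source report or from Fortinet), the following Python sketches the triage the overview implies: flag successful admin SSO logins from sources outside an allowlist and correlate them with a configuration export from the same source shortly afterwards. The log lines are constructed in the FortiOS key="value" event-log style, and the field names and values used (`action`, `status`, `method`, `srcip`, `logdesc`, the allowlist prefix) are assumptions that must be mapped onto the schema your FortiOS version actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiOS key="value" style. Field names and values
# are assumptions for illustration, not a verified FortiOS log schema.
SAMPLE_LOGS = """\
date=2025-12-10 time=08:01:12 type="event" action="login" status="success" user="admin" srcip="203.0.113.7" method="sso" logdesc="Admin login successful"
date=2025-12-10 time=08:03:40 type="event" action="backup" user="admin" srcip="203.0.113.7" logdesc="Configuration backed up"
date=2025-12-10 time=09:15:02 type="event" action="login" status="success" user="admin" srcip="192.0.2.10" method="https" logdesc="Admin login successful"
date=2025-12-10 time=09:16:30 type="event" action="backup" user="admin" srcip="192.0.2.10" logdesc="Configuration backed up"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
TRUSTED_ADMIN_NETS = ("192.0.2.",)  # constructed allowlist of expected admin sources

def parse_line(line):
    """Split one key=value / key="quoted value" log line into a dict."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def timestamp(ev):
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")

def find_sso_admin_abuse(log_text, window=timedelta(minutes=30)):
    """Return one alert per successful admin SSO login from an untrusted source,
    noting whether a configuration export followed from the same IP within window."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=timestamp)
    alerts = []
    for ev in events:
        if not (ev.get("action") == "login" and ev.get("status") == "success"
                and ev.get("user") == "admin" and ev.get("method") == "sso"):
            continue
        src = ev.get("srcip", "")
        if src.startswith(TRUSTED_ADMIN_NETS):
            continue  # expected admin source; still worth auditing, but not alerted here
        t0 = timestamp(ev)
        exports = [e for e in events
                   if e.get("action") == "backup" and e.get("srcip") == src
                   and t0 <= timestamp(e) <= t0 + window]
        alerts.append({"srcip": src, "login": t0.isoformat(),
                       "config_export": bool(exports)})
    return alerts

if __name__ == "__main__":
    for alert in find_sso_admin_abuse(SAMPLE_LOGS):
        print(alert)
```

Logins over SSO from hosting-provider ranges followed by a backup action are the pattern the overview describes; a login with `config_export` false is still worth review, since export may happen later than the window or via another path.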
Signals (7 derived)
Exploitation
- CVSS: 9.8 Critical
- Exploitation: Active exploitation
CVEs/products
- CVE
- CVE
Victims/regions
- Sector: government
Remediation
- Urgency: High
- Remediation: Patch available
Malware context
- 1 family
Member happenings
2 related
Exploitation Wave: FortiGate FortiCloud SSO authentication bypass active exploitation wave
- Exploitation: Active Exploitation
- CVSS: 9.8 Critical
- Patch: Patch Available
Security Patch Release: FortiOS/FortiWeb/FortiProxy/FortiSwitchManager FortiCloud SSO auth bypass patch release (CVE-2025-59718, CVE-2025-59719)
- CVSS: 9.8 Critical
- Urgency: High
- Patch: Patch Available