FortiOS/FortiWeb/FortiProxy/FortiSwitchManager FortiCloud SSO auth bypass patch release (CVE-2025-59718, CVE-2025-59719)
Security Patch Release
Summary
Hide ▲
Show ▼
Fortinet patched FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager on December 9 for CVE-2025-59718 and CVE-2025-59719, critical flaws that can bypass FortiCloud SSO authentication through a maliciously crafted SAML message. The company said the vulnerable FortiCloud SSO login feature is not enabled by default on devices that are not FortiCare-registered, and administrators were told to disable FortiCloud SSO login until they can upgrade to a non-vulnerable version. The incident later moved into active exploitation, with attackers abusing the flaws against Fortinet devices that have FortiCloud SSO enabled to gain admin-level access to the web management interface and download system configuration files. Shadowserver said it found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, and CISA added the issue to its catalog of actively exploited vulnerabilities with a December 23 patch deadline for U.S. government agencies.
Cases
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
Campaign
H score82
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
CampaignAbout this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Timeline
-
19.12.2025 17:00 1 articles · 6mo ago
Active exploitation of FortiCloud SSO bypass targets Fortinet devices
Exploitation ObservedAttackers are actively exploiting CVE-2025-59718 and CVE-2025-59719 against Fortinet devices with FortiCloud SSO enabled, using maliciously crafted SAML messages to gain admin-level access to the web management interface and download system configuration files. Shadowserver counted more than 25,000 exposed Fortinet IPs with FortiCloud SSO fingerprints, and CISA added the flaw to its catalog of actively exploited vulnerabilities with a December 23 patch deadline for U.S. government agencies.
Show sources
- Over 25,000 FortiCloud SSO devices exposed to remote attacks — www.bleepingcomputer.com — 19.12.2025 17:00
-
09.12.2025 20:36 2 articles · 7mo ago
Fortinet releases fixes for FortiCloud SSO bypass flaws
Initial DisclosureFortinet released security updates for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager to fix CVE-2025-59718 and CVE-2025-59719, critical vulnerabilities that could let attackers bypass FortiCloud SSO authentication by sending a maliciously crafted SAML message. Fortinet said the FortiCloud SSO login feature is not enabled in default factory settings on non-FortiCare-registered devices, and advised administrators to disable FortiCloud SSO login until they can upgrade to a non-vulnerable version.
Show sources
- Fortinet warns of critical FortiCloud SSO login auth bypass flaws — www.bleepingcomputer.com — 09.12.2025 20:36
- Fortinet warns of critical FortiCloud SSO login auth bypass flaws — www.bleepingcomputer.com — 09.12.2025 20:36