Find notable cyber news and cases, enriched with sources, timelines, and signals.

FortiOS/FortiWeb/FortiProxy/FortiSwitchManager FortiCloud SSO auth bypass patch release (CVE-2025-59718, CVE-2025-59719)

Security Patch Release
First reported
Last updated
Happening score
H score 56
1 unique sources, 2 articles

Summary

Hide ▲

Fortinet patched FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager on December 9 for CVE-2025-59718 and CVE-2025-59719, critical flaws that can bypass FortiCloud SSO authentication through a maliciously crafted SAML message. The company said the vulnerable FortiCloud SSO login feature is not enabled by default on devices that are not FortiCare-registered, and administrators were told to disable FortiCloud SSO login until they can upgrade to a non-vulnerable version. The incident later moved into active exploitation, with attackers abusing the flaws against Fortinet devices that have FortiCloud SSO enabled to gain admin-level access to the web management interface and download system configuration files. Shadowserver said it found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, and CISA added the issue to its catalog of actively exploited vulnerabilities with a December 23 patch deadline for U.S. government agencies.

Cases

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign
H score82 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...

Timeline

  1. 19.12.2025 17:00 1 articles · 6mo ago

    Active exploitation of FortiCloud SSO bypass targets Fortinet devices

    Exploitation Observed

    Attackers are actively exploiting CVE-2025-59718 and CVE-2025-59719 against Fortinet devices with FortiCloud SSO enabled, using maliciously crafted SAML messages to gain admin-level access to the web management interface and download system configuration files. Shadowserver counted more than 25,000 exposed Fortinet IPs with FortiCloud SSO fingerprints, and CISA added the flaw to its catalog of actively exploited vulnerabilities with a December 23 patch deadline for U.S. government agencies.

    Show sources
  2. 09.12.2025 20:36 2 articles · 7mo ago

    Fortinet releases fixes for FortiCloud SSO bypass flaws

    Initial Disclosure

    Fortinet released security updates for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager to fix CVE-2025-59718 and CVE-2025-59719, critical vulnerabilities that could let attackers bypass FortiCloud SSO authentication by sending a maliciously crafted SAML message. Fortinet said the FortiCloud SSO login feature is not enabled in default factory settings on non-FortiCare-registered devices, and advised administrators to disable FortiCloud SSO login until they can upgrade to a non-vulnerable version.

    Show sources