
FortiGate FortiCloud SSO authentication bypass active exploitation wave

Exploitation Wave
Happening score: 62
2 unique sources, 2 articles

Summary


FortiGate appliances are in an active exploitation wave after attackers began abusing CVE-2025-59718 and CVE-2025-59719 less than a week after disclosure. Arctic Wolf observed malicious SSO logins on December 12, 2025, and the activity quickly escalated to device configuration exports. The live abuse matters because successful authentication bypass can expose administrative access and sensitive firewall settings.

Cases

Related Happenings

Fortinet security patch release for CVE-2026-44277

Security Patch Release
First: 12.05.2026 21:23 Last: 12.05.2026 21:23 Sources 1

About this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...

FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers

Campaign
First: 10.03.2026 18:21 Last: 10.03.2026 18:21 Sources 1

About this happening: A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...

FortiGate exposed management interface exploitation wave

Exploitation Wave
First: 21.02.2026 16:49 Last: 21.02.2026 16:49 Sources 1

About this happening: **FortiGate** management interfaces were hit by an **automated exploitation wave** that abused **internet-exposed ports** and **commonly reused credentials** to compromise **600+...

Russian-speaking hacker AI-assisted FortiGate breach campaign

Campaign
First: 21.02.2026 15:50 Last: 21.02.2026 15:50 Sources 1

About this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...

BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave

Exploitation Wave
First: 12.02.2026 23:34 Last: 12.02.2026 23:34 Sources 1

About this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...

Timeline

  1. 16.12.2025 12:58 2 articles · 5mo ago

    Malicious SSO logins and configuration exports on FortiGate appliances

    Exploitation Observed

    Malicious SSO logins against FortiGate appliances on December 12, 2025 originated from IP addresses associated with The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited and targeted the admin account. Follow-on activity exported device configurations through the GUI. Both are consistent with active exploitation of CVE-2025-59718 and CVE-2025-59719 on devices with FortiCloud SSO enabled.

  2. 16.12.2025 12:58 1 article · 5mo ago

    FortiGate authentication bypass and mitigation guidance disclosed

    Initial Disclosure

    Arctic Wolf warned that authentication on FortiGate devices with FortiCloud SSO enabled can be bypassed through crafted SAML messages. It identified CVE-2025-59718 and CVE-2025-59719 as critical authentication bypasses with CVSS scores of 9.8 and advised organizations to apply Fortinet's patches for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, disable FortiCloud SSO until updated, and restrict management interface access to trusted internal users.
