Find notable cyber news and cases, enriched with sources, timelines, and signals.

FortiGate FortiCloud SSO authentication bypass active exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 56
2 unique sources, 2 articles

Summary

Hide ▲

FortiGate appliances are in an active exploitation wave after attackers began abusing CVE-2025-59718 and CVE-2025-59719 less than a week after disclosure. Arctic Wolf observed malicious SSO logins on December 12, 2025, and the activity quickly escalated to device configuration exports. The live abuse matters because successful authentication bypass can expose administrative access and sensitive firewall settings.

Cases

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign
H score82 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...

Timeline

  1. 16.12.2025 12:58 2 articles · 6mo ago

    Malicious SSO logins and configuration exports on FortiGate appliances

    Exploitation Observed

    Malicious SSO logins against FortiGate appliances on December 12, 2025 used IP addresses associated with The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited to target the admin account, and follow-on activity exported device configurations through the GUI, consistent with active exploitation of CVE-2025-59718 and CVE-2025-59719 on devices with FortiCloud SSO enabled.

    Show sources
  2. 16.12.2025 12:58 1 articles · 6mo ago

    FortiGate authentication bypass and mitigation guidance disclosed

    Initial Disclosure

    Arctic Wolf warned that FortiGate devices with FortiCloud SSO enabled can be bypassed through crafted SAML messages, identified CVE-2025-59718 and CVE-2025-59719 as critical authentication bypasses with CVSS scores of 9.8, and advised organizations to apply Fortinet's patches for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, disable FortiCloud SSO until updated, and restrict management interface access to trusted internal users.

    Show sources