Find notable cyber news and cases, enriched with sources, timelines, and signals.

FortiOS authentication bypass (CVE-2025-59718, active exploitation)

Vulnerability
First reported
Last updated
Happening score
H score 71
2 unique sources, 5 articles

Summary

Hide ▲

FortiOS is affected by CVE-2025-59718, an authentication bypass tied to FortiCloud SSO on FortiOS, FortiProxy, FortiSwitchManager, with related patching also covering CVE-2025-59719 in FortiWeb. Arctic Wolf and Shadowserver reported active exploitation and found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, including large concentrations in the United States and India. The abuse uses a maliciously crafted SAML message to reach admin-level access on the web management interface and download sensitive configuration files. CISA has added the flaw to its actively exploited catalog, and Fortinet said the vulnerable FortiCloud SSO login feature is only enabled after admins register the device with FortiCare.

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Timeline

  1. 10.03.2026 18:21 1 articles · 4mo ago

    FortiGate exploitation campaign steals credentials and deploys remote access tools

    Campaign Scope Update

    Threat actors abused FortiGate Next-Generation Firewall appliances as entry points to steal configuration files and service account credentials from healthcare, government, and managed service provider environments, using known vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 or weak credentials; in one intrusion they created a local administrator account named support, in another they deployed Pulseway and MeshAgent, and another case involved exfiltrating NTDS.dit and the SYSTEM registry hive to 172.67.196[.]232 over port 443.

    Show sources
  2. 21.01.2026 19:49 4 articles · 5mo ago

    FortiOS CVE-2025-59718 compromise reports on FortiGate systems

    Initial Disclosure

    FortiGate administrators reported that systems running FortiOS 7.4.9 and 7.4.10 were still being compromised through CVE-2025-59718, with a malicious SSO login creating a local admin account on an affected FortiGate and a SIEM flagging the unauthorized user creation. Fortinet was also said to be preparing FortiOS 7.4.11, 7.6.6, and 8.0.0 to fully close the authentication bypass, while prior December 2025 exploitation via maliciously crafted SAML messages provided additional context for the active abuse.

    Show sources