
FortiOS authentication bypass (CVE-2025-59718, active exploitation)

Vulnerability
H score 65 · 2 unique sources, 5 articles

Summary


FortiOS is affected by CVE-2025-59718, an authentication bypass tied to FortiCloud SSO on FortiOS, FortiProxy, and FortiSwitchManager; the related patching also covers CVE-2025-59719 in FortiWeb. Arctic Wolf and Shadowserver reported active exploitation and found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, including large concentrations in the United States and India. The abuse uses a maliciously crafted SAML message to gain admin-level access to the web management interface and download sensitive configuration files. CISA has added the flaw to its catalog of actively exploited vulnerabilities, and Fortinet said the vulnerable FortiCloud SSO login feature is only enabled after admins register the device with FortiCare.

Related Happenings

Fortinet FortiClient EMS actively exploited SQL injection flaw (CVE-2026-21643)

Vulnerability
First: 30.03.2026 10:48 Last: 30.03.2026 10:48 Sources 1

About this happening: Active exploitation of **CVE-2026-21643** is putting **Fortinet FortiClient EMS** deployments at risk of **unauthenticated arbitrary code or command execution** on unpatched syste...

CISA KEV listing for Wing FTP CVE-2025-47813

Public Sector Action
First: 17.03.2026 07:23 Last: 17.03.2026 07:23 Sources 1

About this happening: CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...

FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers

Campaign
First: 10.03.2026 18:21 Last: 10.03.2026 18:21 Sources 1

How related: Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks.

About this happening: A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...

CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation

Security Tool/Service
First: 03.03.2026 02:06 Last: 03.03.2026 02:06 Sources 1

About this happening: **CyberStrikeAI** was observed on **attacker infrastructure** supporting a live **Fortinet FortiGate** attack campaign, showing the platform can be repurposed for offensive automa...

Fortinet FortiGate CyberStrikeAI-assisted hacking campaign

Campaign
First: 03.03.2026 02:06 Last: 03.03.2026 02:06 Sources 1

About this happening: An **AI-assisted campaign** targeting **Fortinet FortiGate firewalls** has been tied to **CyberStrikeAI** infrastructure, suggesting automated tooling is helping scale attacks aga...

Timeline

  1. 10.03.2026 18:21 1 article · 2mo ago

    FortiGate exploitation campaign steals credentials and deploys remote access tools

    Campaign Scope Update

    Threat actors abused FortiGate Next-Generation Firewall appliances as entry points to steal configuration files and service account credentials from healthcare, government, and managed service provider environments, using known vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 or weak credentials. In one intrusion they created a local administrator account named "support"; in another they deployed Pulseway and MeshAgent; and another case involved exfiltrating NTDS.dit and the SYSTEM registry hive to 172.67.196[.]232 over port 443.

  2. 21.01.2026 19:49 4 articles · 4mo ago

    FortiOS CVE-2025-59718 compromise reports on FortiGate systems

    Initial Disclosure

    FortiGate administrators reported that systems running FortiOS 7.4.9 and 7.4.10 were still being compromised through CVE-2025-59718, with a malicious SSO login creating a local admin account on an affected FortiGate and a SIEM flagging the unauthorized user creation. Fortinet was also said to be preparing FortiOS 7.4.11, 7.6.6, and 8.0.0 to fully close the authentication bypass, while prior December 2025 exploitation via maliciously crafted SAML messages provided additional context for the active abuse.
